Adult sites at risk from Malsmoke

Shady attracts shady! Lately, cybercriminals have been found manipulating adult website visitors and redirecting victims to malicious websites serving up malware.

What & Why

Researchers discovered a Malsmoke campaign that appears to have begun in mid-October.

  • The threat actors, who have been active throughout 2020, are pushing adult site users to download a fake Java update in their malvertising attacks.
  • Visitors to sites such as bravoporn[.]com and xhamster[.]com, which have hundreds of millions of users, are reportedly at risk of downloading Zloader, a banking malware.
  • The reason for going after high-traffic adult portals is straightforward: the more visitors, the higher the number of infected systems.

How does it work?

The new campaign works across all major web browsers, including Google Chrome.

  • When a user clicks to play a video clip, a new browser window containing a grainy video pops up.
  • In the background, however, victims are redirected through malicious pages such as landingmonster[.]online until they land on a “decoy” porn site.
  • The video plays for a few seconds, then an overlay message appears saying the Java Plug-in 8.0 was not found.
  • The fake Java update is, in fact, a digitally signed Microsoft installer bundling a number of libraries and executables; the final payload is Zloader.

Activity review of malsmoke actors

The name Malsmoke comes from the Smoke Loader malware that the group drops via the Fallout exploit kit.

  • Since the beginning of the year, Malsmoke operators have been running successful exploit kit campaigns, until they switched to a new trick involving social engineering.
  • The group launched attacks on the systems of adult-site visitors running older versions of Adobe Flash Player and Internet Explorer, spreading malware across most of the adult networks on the web.

Stay safe

Take utmost care; you browse at your own risk.

Cicada 🐞 Chinese-sponsored

The hackers, most likely from a well-known group funded by the Chinese government, are equipped with both off-the-shelf and custom-made tools. One such tool exploits Zerologon, a vulnerability that can give attackers instant administrator privileges on vulnerable systems. The group, Cicada, is widely believed to be funded by the Chinese government and also goes by the monikers APT10 and Stone Panda.

Japan-linked organizations need to be on alert as it is clear they are a key target of this sophisticated and well-resourced group, with the automotive industry seemingly a key target in this attack campaign.

The attacks make extensive use of DLL side-loading, a technique in which attackers replace a legitimate Windows dynamic-link library (DLL) with a malicious one so that a trusted process loads it. Attackers use DLL side-loading to run malware inside legitimate processes, which keeps the intrusion hidden from security software.

Microsoft patched the critical privilege-escalation vulnerability in August, but since then attackers have been using it to compromise organizations that have yet to install the update.
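The paragraph above describes the technique; the following script is an added defensive example (it is not code from the original post and not a tool of the group described) that hunts for the classic side-loading pattern on a Windows host: a DLL whose file name matches one that ships in System32 or SysWOW64 but which a running process has loaded from some other directory. Each hit is reported with its Authenticode signature status so an analyst can triage quickly. It assumes PowerShell 5.1 or later and enough rights to read the module lists of the inspected processes; running elevated widens coverage.

```powershell
# Added example (not from the original post): heuristic hunt for DLL side-loading.
# A DLL that carries a system DLL's name but is loaded from outside the system
# directories is the planted-DLL pattern; signature status helps triage.

$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Index of DLL file names that legitimately live in the system directories.
$systemDllNames = @{}
foreach ($dir in $systemDirs) {
    Get-ChildItem -Path $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $systemDllNames[$_.Name.ToLowerInvariant()] = $true }
}

function Test-UnderSystemDir([string]$Path) {
    foreach ($dir in $systemDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($proc in Get-Process) {
    # Reading .Modules fails for protected processes or on a 32/64-bit mismatch;
    # treat those as "no modules visible" rather than aborting the sweep.
    $modules = try { $proc.Modules } catch { @() }
    foreach ($m in $modules) {
        $name = $m.ModuleName.ToLowerInvariant()
        if (-not $name.EndsWith('.dll')) { continue }
        # Only interesting when a system DLL name is being served from elsewhere.
        if (-not $systemDllNames.ContainsKey($name)) { continue }
        if (Test-UnderSystemDir $m.FileName) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process   = $proc.ProcessName
            PID       = $proc.Id
            Dll       = $m.ModuleName
            Path      = $m.FileName
            Signature = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$findings | Sort-Object Process, Dll | Format-Table -AutoSize
```

The output is a triage list, not a verdict: Windows and many vendors legitimately keep private copies of system-named DLLs (WinSxS, .NET, application folders), so entries signed by Microsoft or the application's own publisher are usually benign, while an unsigned or oddly signed system-named DLL sitting next to a signed executable deserves a closer look.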

Threat Vector

  • The third-stage DLL has an export named “FuckYouAnti”.
  • The third-stage DLL uses the CppHostCLR technique to inject and execute the .NET loader assembly.
  • The .NET loader is obfuscated with ConfuserEx v1.0.0.
  • The final payload is QuasarRAT—an open-source backdoor used by Cicada in the past.

It is difficult to say how, when or where you will be attacked and compromised, whatever the geography. Stay safe and secure.

Capcom faced a breach, and it’s serious

Capcom, home to many iconic franchises such as Street Fighter, Resident Evil and Monster Hunter, is the latest victim of a cyber attack. Reports claim that Capcom was the victim of a ransomware attack by a program called Ragnar Locker. Ragnar Locker is a ransomware strain that attacks vulnerable systems by peppering them with small-scale attacks until it finally breaks through.

Capcom stated that the attack occurred in the early hours of November 2 and affected access to certain systems, including email and file servers. Capcom has confirmed a third party was responsible for the attack. As a result of the attack, Capcom says it has halted some operations of its internal networks.

“Capcom expressed its deepest regret for any inconvenience this may cause to its various stakeholders,” Capcom wrote. “Further, it stated that at present there is no indication that any customer information was breached. This incident has not affected connections for playing the company’s games online or access to its various websites.”

Ransomware has been on the rise lately and is the latest cyber security threat that big organizations need to be wary of. As the name suggests, once the information is stolen, those responsible for the attack hold it hostage until their demands are met. The trade-off is that the attackers promise to delete the information once their payment has been received, although, as ransomware attacks continue, that promise is kept less and less often.

The attackers claim to have stolen 1 TB of unencrypted files from the corporate networks in Japan, USA, and Canada. This includes all kinds of private and sensitive corporate data ranging from financial reports, intellectual property information, and even company emails and messenger conversations.

Capcom, however, claims that no data has been stolen and that everything is intact; it is working on restoring the systems.

Torisma 🌀

A sophisticated cyber-espionage campaign aimed at the aerospace and defense sectors in Australia, Israel and Russia, and at defense contractors based in Russia and India, installs data-gathering implants on victims’ machines for surveillance and data exfiltration; the spyware is known as Torisma.

Tracked under the code name Operation North Star, the campaign’s TTPs are linked to Hidden Cobra, a state-sponsored group.

The development continues the trend of North Korea, a heavily sanctioned country, leveraging its arsenal of threat actors to support and fund its nuclear weapons program by perpetrating malicious attacks on US defense and aerospace contractors.

Operation North Star

While the initial analysis suggested the implants were intended to gather basic victim information so as to assess their value, the latest investigation into Operation North Star exhibits a “degree of technical innovation” designed to remain hidden on compromised systems.

Not only did the campaign use legitimate job recruitment content from popular US defense contractor websites to lure targeted victims into opening malicious spear-phishing email attachments, the attackers compromised and used genuine websites in the US and Italy to host their command-and-control (C2) capabilities.

The first-stage implant embedded in the Word documents evaluates the victim’s system data, cross-checking it against a predetermined list of target IP addresses, before installing a second implant called Torisma, all the while minimizing the risk of detection and discovery. Afterwards, shellcode is installed through which the victim is infiltrated further.