Aggregator

HackerNews 编译，转载请注明出处： 网络安全研究人员发现了一种名为ResolverRAT的新型复杂远程访问木马，该木马已被观察到针对医疗保健和制药行业发起攻击。 “攻击者利用通过网络钓鱼电子邮件发送的基于恐惧的诱饵，旨在迫使收件人点击恶意链接，”Morphisec实验室研究员Nadav Lorber表示，“一旦访问，该链接会引导用户下载并打开一个触发ResolverRAT执行链的文件。” 最近一次观察到的活动是在2025年3月10日，其与去年思科Talos和Check Point记录的传播信息窃取恶意软件（如Lumma和Rhadamanthys）的网络钓鱼活动存在基础设施和传递机制的重叠。此次行动的一个显著特点是使用本地化的网络钓鱼诱饵，电子邮件以目标国家主要使用的语言撰写，包括印地语、意大利语、捷克语、土耳其语、葡萄牙语和印尼语，这表明攻击者试图通过针对特定地区的攻击来扩大攻击范围，以最大限度地提高感染率。 电子邮件内容涉及法律调查或版权侵权等主题，旨在制造虚假的紧迫感，增加用户互动的可能性。 感染链的特征是使用DLL侧加载技术来启动进程。第一阶段是一个内存加载器，它解密并执行主要有效载荷，同时还采用多种技巧来逃避检测。ResolverRAT有效载荷不仅使用加密和压缩，而且一旦解码，它只存在于内存中。 “ResolverRAT的初始化序列揭示了一个复杂、多阶段的引导过程，旨在实现隐蔽性和弹性，”Lorber说，并补充说它通过Windows注册表和在文件系统中安装在不同位置作为备用机制，实现了多种冗余持久化方法。 一旦启动，该恶意软件在与命令与控制（C2）服务器建立联系之前使用定制的证书认证，从而绕过机器的根证书颁发机构。它还实施了一个IP轮换系统，如果主C2服务器不可用或被关闭，它将连接到备用C2服务器。 此外，ResolverRAT配备了通过证书固定、源代码混淆和不规则信标模式向C2服务器发送信号来逃避检测的能力。 “这种先进的C2基础设施展示了攻击者的高级能力，结合了安全通信、备用机制和旨在维持持久访问同时逃避安全监控系统检测的逃避技术，”Morphisec表示。 该恶意软件的最终目标是处理C2服务器发出的命令，并将响应数据传回，将超过1MB大小的数据分解为16KB的块，以最大限度地减少被检测到的可能性。 尽管此次行动尚未被归因于特定的组织或国家，但诱饵主题的相似性和与之前观察到的网络钓鱼攻击中使用的DLL侧加载的使用暗示了可能的联系。 “这种对齐表明攻击者基础设施或行动手册可能存在重叠，可能指向相关威胁组织之间的共同附属模式或协调活动，”该公司表示。 随着CYFIRMA详细描述了另一种名为海王星RAT的远程访问木马，该木马采用模块化、基于插件的方法来窃取信息、在主机上保持持久性、索要500美元的赎金，甚至覆盖主引导记录（MBR）以扰乱Windows系统的正常运行，这一发展也随之而来。 它通过GitHub、Telegram和YouTube免费传播。尽管如此，与该恶意软件相关的GitHub个人资料（称为MasonGroup，即FREEMASONRY）目前已无法访问。 “海王星RAT结合了先进的反分析技术和持久性方法，以在受害者的系统上长期保持存在，并配备了危险的功能，”该公司在上周发布的分析中指出。 它包括“加密剪贴板、能够窃取270多个不同应用程序凭证的密码窃取器、勒索软件功能以及实时桌面监控，使其成为一个极其严重的威胁。”     消息来源：thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

A new sophisticated attack campaign where cybercriminals are exploiting Microsoft Teams to deliver malware and maintain persistent access to corporate networks. The attacks, which represent an evolution in social engineering tactics, specifically target Windows systems through a novel technique that security experts are calling a significant threat to enterprise security. In March 2025, ReliaQuest discovered […]

The post Hackers Leveraging Teams Messages to Execute Malware on Windows Systems appeared first on Cyber Security News.

A vulnerability was found in Contest Gallery Plugin and Contest Gallery Pro Plugin 19.1.5 on WordPress. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file export-images-data.php of the component GET Parameter Handler. The manipulation of the argument option_id leads to sql injection. This vulnerability is known as CVE-2022-4151. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in php-mod curl up to 2.3.1. It has been classified as problematic. Affected is an unknown function of the file post_file_path_upload.php. The manipulation of the argument key leads to cross site scripting. This vulnerability is traded as CVE-2021-30134. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in FasterXML jackson-databind up to 2.9.10.4. It has been classified as critical. This affects an unknown part of the component ignite-jta/quartz-core. The manipulation leads to deserialization. This vulnerability is uniquely identified as CVE-2020-10650. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability classified as problematic was found in Citrix ADC and Gateway. Affected by this vulnerability is an unknown functionality of the component SSL VPN Endpoint. The manipulation leads to information disclosure. This vulnerability is known as CVE-2019-18177. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in HashiCorp Nomad up to 0.9.4. This affects an unknown part of the component Environment Variable Handler. The manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2019-14802. The attack needs to be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Realtek Audio Driver on Windows and classified as critical. This vulnerability affects unknown code. The manipulation leads to uncontrolled search path. This vulnerability was named CVE-2019-19705. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic has been found in Sierra Wireless MGOS up to 3.15.1/4.2. This affects an unknown part. The manipulation leads to direct request. This vulnerability is uniquely identified as CVE-2019-13988. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in Pilz PMC Programming Tool up to 3.5.16. This vulnerability affects unknown code. The manipulation leads to information disclosure. This vulnerability was named CVE-2019-9011. The attack needs to be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Sierra Wireless AirLink Mobility Manager up to 2.16. This issue affects some unknown processing. The manipulation leads to manage user sessions. The identification of this vulnerability is CVE-2020-11101. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Pilz PMC Programming Tool up to 3.5.16. Affected is an unknown function. The manipulation leads to improper access controls. This vulnerability is traded as CVE-2020-12067. Access to the local network is required for this attack. There is no exploit available. It is recommended to upgrade the affected component.

CTF

CTF