#AxisOfEasy 297: NexusGuard Researchers Discover New InfoStealer Malware Being Circulated via Facebook Ads


Weekly Axis Of Easy #297


Last Week’s Quote was “Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws,” was by Plato.  We got three correct guesses, but Joe got it first!  Congrats Joe.  

This Week’s Quote:   “Whenever you find yourself on the side of the majority, it is time to pause and reflect.”    By ???

THE RULES:  No searching up the answer, must be posted at the bottom of this post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.


This is your easyDNS #AxisOfEasy Briefing for the week of May 8th, 2023 our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.
 
For more commentary and insight into last week’s top issues, tune in to Joey Tweets, and Len the Legend for the AxisOfEasy the podcast edition.

In this issue:
  • NexusGuard Researchers Discover New InfoStealer Malware Being Circulated via Facebook Ads
  • Meta Receives Third FTC Warning Over Allegedly Failing to Protect Underage Users’ Privacy
  • Twitter CEO Elon Musk Opposes New Attempts at Irish Hate Speech Legislation
  • Huge Online Cyber Spy Operations Throughout South Asia Discovered by Meta
  • LNK Switch-Up Allows North Korean APT to Avoid Macro-Blocking
Elsewhere online
  • Eurocontrol was the target of a cyberattack by hackers from Russia
  • Drone goggles maker fears an attack on devices
  • Microsoft fixes Critical Azure Cloud Safety Potential vulnerabilities
  • Hackers Steal Email Addresses and DMs from Hookup Websites by Scrambling Stolen Passwords
  • 5-year-old Vulnerability in TBK DVR Devices is Subjected to Hacking Attempts

NexusGuard Researchers Discover New InfoStealer Malware Being Circulated via Facebook Ads

On February 18, 2023, researchers at the computer security company NexusGuard stumbled upon a sponsored Facebook ad that claimed to be introducing the Windows PC downloadable version of ChatGPT. The ad redirected the user to a fake ChatGPT website which seemed identical to the official website. Here the user was presented with a download link that directed users to the URL shortener:

hxxps\[:\]//rebrand\[.\]ly/qaltfnuOpenAI. URL shorteners are a common way for threat actors to bypass social media filters or simply hide the original link. Expansion of the URL produced a gzip archive with the filename ChatGPT-OpenAI-Pro-Full-134676745403.gz, which contained the executable file ChatGPT-OpenAI-Pro-Full-134676745403.exe.

To determine whether or not the URL was malicious, the executable file was uploaded to and run through VirusTotal by the NexusGuard team. Surprisingly, only 1 out of 68 vendors detected it as being malicious. However, when the file was executed, it spawned the subprocesses Conhost.exe and reg.exe, adding an entry to HKU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run for persistency, and performed a DNS query on the domain cloudimagesv.top. The malware also tried to steal browser-sensitive information, eventually sending data to 45.80.128.71 on port 443.

This behavior is all reminiscent of the RedLine Stealer malware, which harvests information from browsers, such as saved credentials, autocomplete data, and credit card information. This NexusGuard study highlights how cyber attackers have started to leverage social engineering techniques to exploit users’ trust in popular social networking services. With cybercriminals becoming increasingly sophisticated in their tactics, users must remain vigilant and take proactive measures to safeguard their personal information and online identity.

Read: https://blog.nexusguard.com/the-propagation-of-infostealer-malware-through-fake-chatgpt-facebook-ads


Elon Musk has taken issue with Ireland’s new proposed hate speech legislation, calling it a “massive attack on freedom of speech” on Twitter. Ireland’s new legislation passed through the Dáil last week and is now up for scrutiny by the Seanad before it can pass into law later this year. The Twitter CEO’s tweet came in response to a series of tweets posted by Free Speech Ireland, which claimed that this new legislation signified that the Irish government was voting against human rights and that it had “quite literally (advocated) for thought crime legislation.”

The new legislation attempts to clearly define what constitutes a hate crime and hate speech to make such crimes easier to prosecute in the future. According to many Irish minority groups, existing legislation makes it nearly impossible to prosecute for hate speech and/or hate crime. Nevertheless, there are increasing concerns that these new laws may restrict Irish citizens’ right to freedom of expression, something Ireland’s Department of Justice has clearly denied.

The hate crime legislation was opposed by two divergent parts of the Dáil last week, with both the People Before Profit and Rural Independents groups opposed to the proposed laws. Sinn Féin, the Labour Party, the Social Democrats, and other assorted Independent TDs, however, all currently back the legislation.

Read: https://www.msn.com/en-ie/news/other/elon-musk-irish-hate-laws-attack-on-free-speech/ar-AA1azHhE

 

Huge Online Cyber Spy Operations Throughout South Asia Discovered by Meta

As part of various campaigns, three separate threat actors used hundreds of intricate fictional personas on Facebook and Instagram to harm people in South Asia. Guy Rosen, Meta’s chief information security officer, stated that “each of these APTs heavily relied on social engineering to trick people into clicking on inappropriate links, downloading malware, or sharing personal information across the internet.

One of the organizations that caught Meta’s attention is a Pakistan-based advanced persistent threat (APT) group that used rogue websites and apps, a network of 120 Facebook and Instagram accounts, and GravityRAT to infect military personnel in Pakistan and India under the guise of cloud storage and entertainment apps.

The activities intended to support Palestinian resistance, incite trouble in Bahrain, and thwart the normalization of Arab-Israeli relations. They have singled out Israel and the U.S. as reprisal for allegedly sowing turmoil in the country.

Read: https://thehackernews.com/2023/05/meta-uncovers-massive-social-media.html

 

LNK Switch-Up Allows North Korean APT to Avoid Macro-Blocking

Following Microsoft’s decision to restrict macros by default last year to stop malware delivery via Office documents, the North Korean threat group APT37 is now presenting new proof of how attackers have switched to employing LNK, or shortcut files, to distribute harmful payloads.

According to Check Point researchers, a PowerShell script that extracted a document from the LNK file dropped it on disc, and opened it was found to be executed in both cases when a user clicked the LNK file. The file was a ruse that led victims to believe they had opened a valid PDF or a South Korean document using the Hangul Word Processor (HWP).

However, according to Shykevich, some aspects of LNK files make them perfect for attackers. He says, “the effectiveness of LNK is primarily due to the attacker’s ability to make the LNK file look like virtually any other type of file.” He cites PDF and Doc files as examples. According to Shykevich, “it also enables the attacker to easily run various types of scripts \[such as\] BAT scripts in APT37’s case.

Read: https://www.darkreading.com/attacks-breaches/north-korean-apt-gets-around-macro-blocking-with-lnk-switch-up


Elsewhere online:

Eurocontrol was the target of a cyberattack by hackers from Russia
Read: https://www.cpomagazine.com/cyber-security/russian-hackers-killnet-executed-a-cyber-attack-on-european-air-traffic-control-agency-eurocontrol/


Drone goggles maker fears an attack on devices

Read: https://www.bleepingcomputer.com/news/technology/drone-goggles-maker-claims-firmware-sabotaged-to-brick-devices/


Microsoft fixes Critical Azure Cloud Safety Potential vulnerabilities
Read: https://www.darkreading.com/cloud/microsoft-patches-serious-azure-cloud-security-flaws


Hackers Steal Email Addresses and DMs from Hookup Websites by Scrambling Stolen Passwords
Read: https://techcrunch.com/2023/04/27/hackers-steal-emails-private-messages-from-hookup-websites/


5-year-old Vulnerability in TBK DVR Devices is Subjected to Hacking Attempts
Read: https://thehackernews.com/2023/05/hackers-exploiting-5-year-old-unpatched.html


8 thoughts on “#AxisOfEasy 297: NexusGuard Researchers Discover New InfoStealer Malware Being Circulated via Facebook Ads

  1. keep getting my comment submission rejected with ‘Duplicate comment detected; it looks as though you’ve already said that!’

  2. aha – wouldn’t a ‘your comment is awaiting moderation’ be a somewhat friendlier and more accurate pop-up response than ‘duplicate comment detected’ the FIRST time I clicked the [post comment] box?

Leave a Reply to Mike Cancel reply

Your email address will not be published. Required fields are marked *