Popular Posts
-
Website World Awarded Best Web Hosting Company on CrowdReviews.com SOURCE: CrowdReviews.com July 21, ...
-
Introduction I am writing this article as a result of my learning for deploying ASP.NET Core web applications on Linux boxes. There is a ...
-
I say this every year, but it's really hard for me to believe 2016 is almost over! They say time flies when you're having fun, ...
-
Since its launch in 2003, WordPress constantly grew and it evolved from a simple blogging platform into a powerful and yet accessib...
-
Whether you have a personal blog, run an e-commerce site, or have a company website, reliable web hosting is a must. A service with ...
-
2017-12-17 Music of Sun, 17 Dec 20170 M.anifest to host fifth edition of Manifestivities on December 22 The annual musical conce...
-
HOSTIO is a readymade web hosting WordPress theme for immediate use — created as straight forward as it can be. It's built with mode...
-
Adjumani, 19 December 2017 – "We need our community to transform and change to a peaceful community where there should be no violent ...
-
If you're a beginner just starting a WordPress blog, then there's no need to get VPS hosting. A shared hosting plan will provide a...
-
1/5 (1) For any online business eyeing a huge online engagement, web hosting holds the utmost importance. Many quality website parameters ...
Blog Archive
- December (19)
- November (25)
- October (28)
- September (26)
- August (28)
- July (31)
- June (26)
- May (27)
- April (28)
- March (30)
- February (28)
- January (31)
- December (31)
- November (30)
- October (31)
- September (29)
- August (44)
- July (56)
- June (53)
- May (54)
- April (48)
- March (55)
- February (44)
- January (3)
- December (5)
- November (5)
- October (26)
- September (25)
- August (29)
- July (26)
- June (18)
- September (1)
About Me
Total Pageviews
BAIJIU malware abused Japanese web hosting service
Cylance researchers spotted a phishing campaign dubbed "BAIJIU" that looks to capitalize on those curious about the hermit kingdom of North Korea.
While the goal of the campaign is unclear, researchers said the group behind the attacks has been linked to long-term espionage activities in the past, according to a May 12 blog post.
The victims are lured with an email offering insight about a natural disaster that caused massive flooding in 2016 playing upon interest in news from North Korea. The email is used to deploy a set of cyberespionage tools through a downloader dubbed "TYPHOON" and a set of backdoors dubbed "LIONROCK."
Researchers said the unusual complexity of the attack, the appropriation of the GeoCities web hosting service, and the use of multiple methods of obfuscation drew their attention to the campaign which they say has evaded nearly every legacy AV and NextGen AV solution on the market.
Geocities is a free service owned by Yahoo which does not require users to identify themselves beyond providing a Yahoo email address making it an attractive service for threat actors.
The malware takes advantage of Geocities JP for free high-bandwidth unattributable hosting and uses simple tricks to defeat emulation and automated analysis, making the malware unique, Cylance Director of Threat Intelligence Jon Gross told SC Media.
"The infection vector is complicated and used to deliver payloads with pinpoint accuracy while making it more difficult for researchers and unintended targets to receive the final payloads," Gross said.
The malware uses a custom obfuscation method that appears to have not been picked out by heuristics.
"Obfuscated strings can end with an arbitrary number of @'s and an arbitrary amount of junk characters can be inserted into the beginning of the strings as well," Gross said "In addition simple 1byte XOR with variable length byte shifts have also been observed."
He added that the malware has been successful because it the AntiVirus detection methods haven't seen the activity and threat patterns before.
Researchers said the CYPHOON/LIONROCK's provenance is likely Chinese, and that it probably evolved from the Egobot codebase and is subsequently connected to the larger Dark Hotel Operation.
"BAIJIU's circuitous route from LNK file to LIONROCK backdoor through multiple DLL files and PowerShell scripts – and its ability to obfuscate itself through each stage while doing so – makes this attack stand out," the post said. "BAIJIU attackers likely employed this strategy to throw researchers and investigators off their track, and ensure only the targeted victims received the payloads."
Source: BAIJIU malware abused Japanese web hosting service
0 comments:
Post a Comment