AutoHotkey (AHK) is an open-source scripting language used for Microsoft Windows to provide easy macro-creation hotkeys and software automation that allow users to automate repetitive tasks within Windows apps.

According to Trend Micro researchers, a recently discovered campaign distributed a credential stealer written in AHK, and tracking of the campaign shows that its activity has been ongoing since early 2020.

Threat actors have generally employed scripting languages that have no built-in compiler on the victim's operating system, and so can't be executed without that compiler, such as Python, AutoIT, and AutoHotkey (AHK). AHK, however, allows the creation of a "compiled" .EXE with the user's code in it.

How AutoHotkey is used as Password Stealer to Target US and Canadian Banking Users?

The full attack chain depicted below tracked the malware's command-and-control (C&C) servers to determine their actual location: they are hosted in the US, the Netherlands, and Sweden, and the campaign targets financial institutions in the US and Canada.

The downloader client script is responsible for persistence, profiling of victims, and downloading additional AHK scripts from the command-and-control (C&C) servers, which are located in the US, the Netherlands, and Sweden. The multi-stage infection chain starts with a malware-laced Excel file that embeds a Visual Basic for Applications (VBA) AutoOpen macro, which drops and executes the downloader client script ("adb.ahk") through a legitimate portable AHK script compiler executable ("adb.exe").

The downloader client also creates an autorun link for adb.exe in the startup folder; this portable compiler is what compiles and executes the AHK script. By default (with no parameter passed), the executable runs an AHK script with the same name in the same directory, which in this case is adb.ahk.

The script keeps track of each victim by generating a unique ID based on the serial number of the C drive. The malware then enters an infinite loop and sends an HTTP GET request carrying the generated ID every five seconds. The ID serves as the path on its C&C server from which the next AHK script is retrieved and executed on the infected system.
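The fixed five-second GET cadence with a per-victim ID as the URL path is the kind of pattern a proxy log review can surface. The following is an added example (not Trend Micro's or the campaign's code) that groups constructed proxy log lines by client, host and path and flags streams with a near-constant interval; the log format, hostnames and the ID value are all made up for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the article): timestamp, client, method, URL.
SAMPLE_LOG = """\
2020-12-20T10:00:00 10.0.0.5 GET http://c2.example.invalid/1A2B3C4D
2020-12-20T10:00:05 10.0.0.5 GET http://c2.example.invalid/1A2B3C4D
2020-12-20T10:00:10 10.0.0.5 GET http://c2.example.invalid/1A2B3C4D
2020-12-20T10:00:15 10.0.0.5 GET http://c2.example.invalid/1A2B3C4D
2020-12-20T10:00:20 10.0.0.5 GET http://c2.example.invalid/1A2B3C4D
2020-12-20T10:00:25 10.0.0.5 GET http://c2.example.invalid/1A2B3C4D
2020-12-20T10:00:02 10.0.0.7 GET http://news.example.invalid/index.html
2020-12-20T10:00:41 10.0.0.7 GET http://news.example.invalid/story/42
2020-12-20T10:01:13 10.0.0.7 GET http://news.example.invalid/about
2020-12-20T10:02:00 10.0.0.7 GET http://news.example.invalid/story/43
2020-12-20T10:03:30 10.0.0.7 GET http://news.example.invalid/contact
2020-12-20T10:04:00 10.0.0.7 GET http://news.example.invalid/story/44
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, method, host, path) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url = m.groups()
        host, _, path = url.partition("://")[2].partition("/")
        yield datetime.fromisoformat(ts), client, method, host, "/" + path


def find_beacons(text, min_requests=5, expected_interval=5.0, tolerance=0.2):
    """Flag (client, host, path) GET streams whose timing is near-constant.

    A stream is reported when it has at least `min_requests` requests, its mean
    gap is within `tolerance` (as a fraction) of `expected_interval`, and the
    gaps barely vary (coefficient of variation at or below `tolerance`).
    Returns a list of ((client, host, path), mean_gap_seconds, request_count).
    """
    streams = defaultdict(list)
    for ts, client, method, host, path in parse_log(text):
        if method == "GET":
            streams[(client, host, path)].append(ts)

    hits = []
    for key, times in streams.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if abs(avg - expected_interval) <= tolerance * expected_interval and cv <= tolerance:
            hits.append((key, round(avg, 2), len(times)))
    return hits


if __name__ == "__main__":
    for stream, gap, count in find_beacons(SAMPLE_LOG):
        print(f"beacon-like: {stream} every ~{gap}s ({count} requests)")
```

The browsing client in the sample never repeats a path, so only the five-second stream is reported; widen `tolerance` or drop the path from the key if a real tool should catch jittered or rotating-ID beacons.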

Final steps that the stealer takes to collect and decrypt credentials

The stealer collects and decrypts credentials from browsers and exfiltrates the data to its C&C server in plaintext via an HTTP POST request.

The malware components are "well organized at the code level," which, together with the inclusion of instructions written in Russian, leads the researchers to suggest that a "hack-for-hire" group is behind the attack chain and is offering it as a service. This malware is also different in that, instead of getting commands directly from the command-and-control (C&C) server, it downloads and executes AHK scripts to accomplish its tasks.

Hackers leveraged on AutoHotkey (AHK) scripting language to steal credentials

If you mention entertainment to children, video games must be on the list, but be careful to choose wisely to get the real benefits. When kids play games in moderation, they can improve problem-solving skills, imagination, creativity, and many other educational qualities.

Here are the 5 best video games for children in 2020.

1. The Lego Movie 2

LEGO games have provided parents and kids with many franchises like Jurassic Park, Lord of the Rings, and Star Wars. The latest is the Lego Movie 2 game that got released together with the film and follows the movie's plot. Players can play as many as 100 characters to solve a problem and come up with objects or build them.

Many people appreciate the game because it is a starting point to hook children in games as it is easy to control the characters, make them run around, and collect coins. Younger children have the option to run around and collect coins while simultaneously helping older players get solutions. The game instills creativity in players, and they use the building skills to get through obstacles.

Age: 7+ Format: PS4, Nintendo Switch, Xbox One

2. Paw Patrol

It is an extension of the TV show, made specifically for gamers. Players are introduced to Adventure Bay and start on 16 adventures that span eight locations. You collect treats for the pups and play as Ryder as well as the other eight characters.

Kids get typically enchanted through the experience of getting into the world of Paw and go beyond what they usually see on their TV screens. It is a one-player game. It is a family game and can hold children's attention for quite some time and keep them happy and smiling.

Age: 3-6 Format: PS4, Nintendo Switch, Xbox One

3. Dragons: Dawn of New Riders

It is an action-packed adventure game set in the universe of How to Train Your Dragon. It has a ton of new characters and locations from the movie. Players are expected to solve puzzles, reach new islands, and get over obstacles.

The visuals of the game are stunning, and it has received good reviews for that reason. The movie fans agree that the game is excellent and striking at the same time. It has the fiery representations of the sceneries from the movie together with the flow of the story. And younger players can find the game a bit tricky, and they may need help from guardians or parents.

Age: 5-12 Format: PS4, Nintendo Switch, Xbox One

4. Crayola Scoot

It is a game much more like extreme sports that links the children to love children's and messing around. You will create your character and do tricks. You will also splat your friends as you play along in the game.

The game is brightly colored, and it is a rather strange combination. Players enjoy mastering tricks and the bonus of painting surfaces. Young players are attracted by the vibrance the game has to offer. Children will love playing this video game at any time of the day. All you have to do is press the play button and sit back to let them enjoy.

Age: 7-15 Format: PS4, Nintendo Switch, Xbox One

5. Splatoon 2

In Splatoon 2, the squid kids called Inklings are back to splat more ink and claim more turf in this colorful and chaotic 4-on-4 action shooter.

You should also expect a fresh wave of fashion, not to mention new weapons and gear. Dual wield the new Splat Dualies or stick to mainstays like chargers and rollers, which have been remixed with new strategic possibilities.

As always, Turf War is the favored sport among Inklings, but they also dig ranked battles, taking down Octarians in a robust single-player campaign, and battling enemy Salmonids in one dangerous part-time job! No matter which way you play, splat at home or on-the-go with Nintendo Switch. Staying fresh never felt so good.

Top 5 Video Games for the Young Kids in 2020

Operation Nova is a coordinated effort of law enforcement agencies from the US, Switzerland, France, Germany, and the Netherlands, with Europol's European Cybercrime Centre (EC3) to tackle cybercriminals.

The operation has announced the successful takedown of Safe-Inet, the popular VPN (virtual private network) service used by cybercriminals to facilitate their activities, which domains include —,, and, and other related infrastructure taken down as part of the joint operation called "Operation Nova."

The service offered bulletproof hosting (BPH), which differs from regular web hosting in that it allows more leniency in the data that can be hosted on the servers, making it ideal for cybercriminals looking to easily evade law enforcement.

How Operation Nova succeeded in Thwarting Safe-Inet

Safe-Inet for over a decade was used by cybercriminals, such as ransomware operators, E-skimming actors and others running nefarious activities related to cybercrime.

Operation Nova was able to identify about 250 companies worldwide that were being targeted by criminals using the VPN service to both spy on and track their activities. These companies have subsequently been warned of an imminent attack against their systems, enabling them to take effective measures to protect their infrastructures against such attacks.

And with the support of Europol’s European Cybercrime Centre (EC3), they commenced investigation to bring together all the involved countries to establish joint strategy and organise the exchange of information and evidence needed to prepare them for the final phase of the Safe-Inet takedown.

Turning the table against Cybercriminals

The shutdown of Safe-Inet, along with all its infrastructures in Germany, the Netherlands, Switzerland, France and the United States, was made possible following the coordinated takedown carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

Further investigations are still ongoing in a number of other countries to identify and take action against some users of Safe-Inet’s services.

Operation Nova takedown of Bulletproof VPN Service used by Cybercriminals

Kwort Linux is a lightweight and fast operating system based on CRUX, an x86-64-optimized Linux distribution targeted at experienced users, featuring a highly-configurable Openbox window manager and Kwort’s package manager.

Now, the Kwort Linux team has released a new stable version, Kwort Linux 4.3.5. It includes pulseaudio, which is now very stable, with the last stable release almost a year old, and upgraded toolchains such as GCC 10.2.0, Glibc 2.32, and Binutils 2.35.1.

Albeit, the most significant change in Kwort 4.3.5 is the upgraded kernel from the previous version 4.19.46 to the new LTS (long-term support) version 5.10.1.

What's New in Kwort Linux 4.3.5 Release?

Aside from the kernel update, Kwort Linux 4.3.5 has also upgraded other toolchains and compiler, including LLVM 11.0.0, Glibc 2.32, GCC 10.2.0, and Binutils 2.35.1.

The previous version 4.3.4 removed Kwort-choosers package, replacing it with kwort-tools and the new kwort-mixer; the kwort-tools now allow encryption via /etc/rc.d/encryption using /etc/etab. And the kwort-mixer has also received some improvements which makes it more stable.

Kwort's kpkg package manager remains at version 130, though Kwort 4.3.5 includes mirror kdb files in the installation to solve issues seen with earlier releases. The latest browser versions, Google Chrome 87.0.4280.88 and Mozilla Firefox 84.0, are available in the mirror.

How to Download or Upgrade to Kwort Linux 4.3.5

If you are a new user and want to give the latest Kwort Linux a spin, you can download the ISO image from here. But note that the minimum system requirement is x86_64 processor, 1.4GB of disk space and 512MB RAM.

You can check out the official page for installation guide on how to install Kwort Linux 4.3.5 using the regular OS management tools.

Kwort Linux 4.3.5 Release: CRUX-based lightweight and fast operating system

The latest version Visual Studio Code, v1.52 brings an extension bisect feature, for troubleshooting extensions that are causing issues in the editor.

The free source-code editor developed by Microsoft is available for Windows, Linux and macOS, with features including support for syntax highlighting, debugging, intelligent code completion, code refactoring, snippets, and embedded Git.

Before now, developers were required to disable all extensions and then re-enable them one after the other in order to find the extension causing a problem.

What's New in Visual Studio Code 1.52?

The highlight feature remains extension bisect, which uses a binary search to identify the extension causing an issue: the feature disables roughly half of the suspected extensions and asks the developer to recheck for the issue in question.

If the issue is gone, the bad extension is in the list of disabled extensions; the process is repeated until the offending extension is isolated. Other new changes in Visual Studio Code 1.52 include:

  • Undo and Redo for all file operations now supported in File Explorer
  • Word wrapping supported with side-by-side and inline views in the diff editor
  • New setting, editor.stickyTabStops, allows Visual Studio Code to treat cursor movements similar to tabs in leading spaces
  • Terminal settings can now be modified by selecting Configure Terminal Settings in the terminal dropdown menu
  • IntelliSense word-based suggestions improvements, means Visual Studio Code can now be configured to auto suggest words from other open files.
  • Keyboard Shortcuts editor improvements, you can now configure the keybinding for a command from the Command Palette through the Configure Keybinding button.
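The halving procedure behind extension bisect, written out as an added illustration rather than VS Code's own implementation: `reproduces` is a hypothetical oracle standing in for the developer's manual "is the issue still there?" check, and `simulate_bisect` wires it to a single known culprit so the round count can be inspected.

```python
import math


def bisect_extensions(extensions, reproduces):
    """Isolate one problematic extension by repeated halving.

    `extensions` is the full list of installed extension identifiers and
    `reproduces(enabled)` returns True when the problem still occurs with only
    the extensions in `enabled` active (hypothetical oracle, assumed to be
    deterministic and caused by a single extension).
    Returns (culprit, rounds); culprit is None when no extension reproduces it.
    """
    candidates = list(extensions)
    rounds = 0
    if not candidates or not reproduces(candidates):
        return None, rounds
    while len(candidates) > 1:
        half = math.ceil(len(candidates) / 2)
        enabled, disabled = candidates[:half], candidates[half:]
        rounds += 1
        # Issue still present with only `enabled` on -> culprit is in there;
        # issue gone -> culprit was among the ones just disabled.
        candidates = enabled if reproduces(enabled) else disabled
    return candidates[0], rounds


def simulate_bisect(extensions, bad):
    """Run the bisect against an oracle that fails exactly when `bad` is enabled."""
    return bisect_extensions(extensions, lambda enabled: bad in enabled)


def max_rounds(n):
    """Upper bound on rounds for n extensions: ceil(log2(n))."""
    return 0 if n <= 1 else math.ceil(math.log2(n))


if __name__ == "__main__":
    installed = [f"publisher.ext{i}" for i in range(8)]  # constructed identifiers
    print(simulate_bisect(installed, "publisher.ext5"))
```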

Additionally, there are several Git commands added to the Command Palette, which includes for picking a specific commit like the Cherry Pick, Rename for renaming an active file, Checkout to (Detached) for performing a checkout in detached mode and Push Tags to push local tags to the remote.

How to Get Started with Visual Studio Code 1.51

Visual Studio Code 1.51 is now available and can be downloaded from the official website, with supported platforms including Windows 7/8/10, Ubuntu (Debian) and macOS 10.10 and above.

But if you want to experience new features sooner, then you might consider getting the Insiders build instead.

Visual Studio Code 1.52 Brings Extension bisect feature

UBports has announced the release of Ubuntu Touch OTA-15, which is the fifteenth stable Over-The-Air (OTA) update of the privacy-focused mobile operating system.

The previous Ubuntu Touch release, OTA-13, brought a lot of new features and support for many more mobile devices; the latest Ubuntu Touch OTA-15 extends support to the F(x)tec Pro1/Pro1-X, Google Pixel 3a, OnePlus Two, Xiaomi Redmi Note 7, and Samsung Galaxy Note 4.

F(x)tec is notable for its Pro1 slider phone, which brought slider phones back into existence, having partnered with XDA in launching the next iteration of the phone, known as the Pro1-X.

What’s New in Ubuntu Touch OTA-15?

Besides the additional support for more phones, there is also improved support for Android 9 devices, with OTA-15 having fixed bugs such as frequent popping or dropping of audio, the front camera picture rotation issue on Volla Phones, and a problem with sending USSD codes.

And the Morph web browser gets a shiny new icon which brings refinements to its user interface, along with a redesigned tab switching interface, allowing users to swipe up to switch tabs from the bottom of the screen.

Ubuntu Touch OTA-15 also includes support for Bluetooth devices dialling calls, Nuntium MMS error reporting, among other bug fixes.

How to Download or Upgrade to Ubuntu Touch OTA-15

For those already using Ubuntu Touch on their mobile system, the OTA-15 upgrade will be available from “Stable Channel” in System Settings -> Updates -> Update Settings -> Channels. But, if you want to manually update your system immediately, you should apply the following command over adb shell after turning on ADB access:

sudo system-image-cli -v -p 0 --progress dots

Subsequently, you can install Ubuntu Touch on supported devices using the UBports Installer and through a “Stable” update channel as well for OTA software update.

Ubuntu Touch OTA-15 Brings support for F(x)tec Pro1/Pro1-X phones

SystemBC is a commodity malware backdoor, which has evolved into a remote control tool and Tor proxy employed by ransomware campaign actors.

According to cybersecurity firm Sophos, some recent ransomware attacks used a set of tools associated with multiple types of ransomware and deployed in much the same way, which suggests that one or more ransomware-as-a-service affiliates are involved. And among those tools is SystemBC, which provides a persistent connection to victims’ systems.

The SystemBC backdoor is used in combination with other malware to perform exfiltration and lateral movement across multiple targets. SystemBC's capabilities were intended for exploitation, but have now evolved into a toolkit for targeted attacks such as ransomware attacks.

SystemBC RAT serving as a Remote control

As malware operators send a number of payloads back to the infected system for execution, SystemBC can parse and execute DLL/EXE data blobs received over the Tor connection, including shellcode, VBS scripts, batch scripts, Windows commands and PowerShell scripts.

For VBS, BAT and CMD commands, the bot creates a randomly named file in the %TEMP% directory and a scheduled task for the script.

SystemBC checks for an MZ header in the data in order to know if it is a Windows executable, and if it is, then SystemBC loads it directly for execution without having to write a file. But if the data doesn’t have any MZ signature, the malware bot assumes it is shellcode and spawns a thread to execute it.

And once it's determined to be DLL binary data, SystemBC will load it using execute_pe_from_mem_thread and call the export function using call_dll_export_function_thread.
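To show the MZ-header branch described above from the analyst's side, the following added Python (not SystemBC code, and not Sophos's tooling) classifies a captured blob the same way, and goes one step further by reading the COFF Characteristics flag to tell a DLL from an EXE and by rejecting MZ blobs that lack a valid PE signature; `make_minimal_pe` builds a constructed, non-loadable header stub so the classifier can be exercised offline.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics bit in the COFF file header


def classify_payload(blob: bytes) -> str:
    """Classify a received blob like the article says SystemBC does.

    'MZ' at offset 0 -> Windows executable, further split into 'dll' / 'exe'
    via the COFF Characteristics flags; anything else is treated as
    'shellcode'. An MZ blob without a proper PE header is reported as
    'malformed-pe' (an analyst refinement; the bot itself would try to load it).
    """
    if len(blob) < 2 or blob[:2] != b"MZ":
        return "shellcode"
    if len(blob) < 0x40:
        return "malformed-pe"  # DOS header is 64 bytes; e_lfanew lives at 0x3C
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    # Need the 4-byte "PE\0\0" signature plus the 20-byte COFF header.
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "malformed-pe"
    # COFF header after the signature: Machine(2), NumberOfSections(2),
    # TimeDateStamp(4), PointerToSymbolTable(4), NumberOfSymbols(4),
    # SizeOfOptionalHeader(2), Characteristics(2)  -> Characteristics at +22.
    characteristics = struct.unpack_from("<H", blob, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def make_minimal_pe(is_dll: bool) -> bytes:
    """Constructed header-only PE stub: enough to classify, not enough to run."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed inputs: two header stubs and a few non-MZ bytes.
    for name, blob in [("dll-stub", make_minimal_pe(True)),
                       ("exe-stub", make_minimal_pe(False)),
                       ("raw-bytes", b"\x90\x90\xc3")]:
        print(name, "->", classify_payload(blob))
```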

How SystemBC has Evolved since 2019

SystemBC was first documented in August 2019 as a proxy malware that leverages the SOCKS5 internet protocol to mask traffic to command-and-control (CnC) servers and downloads a banking Trojan called DanaBot.

But it has since evolved into a toolset with new capabilities that allow it to use Tor connection to encrypt the destination of its CnC communications, and provide attackers with a persistent backdoor for launching other attacks. And the rise of commodity malware points to a new trend whereby ransomware is provided as a service to affiliates, such as the case of MountLocker, with the operators offering double extortion to affiliates.

SystemBC RAT employed by Attackers for deploying of Ransomware

The NuTyX team has released a new stable version, NuTyX 20.12.0, of the GNU/Linux distribution inspired by the Linux from scratch (LFS) project that gives users full control of their operating system with package manager.

NuTyX 20.12.0 is a completely new 64-bit project, and this latest version 12 offers SysV, SystemD, and home-baked RuNyX init system.

NuTyX is built around the concepts of Collections and Groups to provide high flexibility, along with its custom package manager called 'Cards', which made its debut in NuTyX 11.5; the latest version of Cards is v2.4.123.

What's New in NuTyX 20.12.0 Release?

NuTyX 20.12.0 offers LTS (Long-Term Support) kernels 4.9.248, 4.14.212, 4.19.163, 5.4.83, and 5.10.0, along with the latest stable version 5.9.14. Also, it offers three Initialization Systems, namely: SysV, SystemD, and the home-baked RuNyX init system, which is forked out of runit init project.

Other core utilities and desktop software that ships with NuTyX 20.12.0 Release, includes:

  • Epiphany 3.38.2
  • LibreOffice
  • Mesa 3D Library 20.3.0
  • Graphical server Xorg-server 1.20.10
  • Python 3.9.0 and 2.7.18
  • Scribus 1.5.6
  • Thunderbird 78.5.1
  • Falkon 3.1.0

Additionally, NuTyX 20.12.0 has rebuilt its compilation chain, with components such as Glibc 2.32, GCC 10.2.0 and Binutils 2.34 upgraded. NuTyX has also updated its desktop environments to the latest versions, including KDE Plasma 5.20.4, MATE 1.24.1, and Xfce 4.14.3, with KDE Frameworks 5.76.0 and the 20.12.0 application bundle.

How to Download or Upgrade to NuTyX 20.12.0 Release

If you are an existing NuTyX user, you can easily upgrade your current system to NuTyX 20.12.0 by running the following command:

sudo cards upgrade

And if you're a new user and want to try out NuTyX 20.12.0, you can grab the ISO image which is available in various editions such as KDE, XFCE, LXDE, and MATE desktop.

NuTyX 20.12.0 Release: Offers SysV, SystemD, and RuNyX init systems

The next Java upgrade, Java Development Kit (JDK) 16, is due for release in March 2021, having reached its rampdown phase on December 10, 2020, meaning the feature set has been frozen.

JDK 16 is the reference implementation of standard Java that follows JDK 15, which arrived on September 15. The proposed release schedule has JDK 16 reaching its second rampdown phase on January 14, 2021, followed by release candidates on February 4 and February 18, 2021.

And the next Java upgrade targets support for primitive, sealed, and records classes, along with vector API and ports for Windows on ARM64 and Alpine Linux.

What New Features to expect in JDK 16?

As the final release of JDK 16 is slated for March 16, 2021, the new capabilities expected to arrive with Java 16 include:

  • Foreign linker API: Brings pure-Java access to native code, along with the proposed foreign-memory access API, foreign linker API will simplify the error-prone process of binding a native library. It is also intended to replace JNI (Java Native Interface) with superior pure-Java development model, offering C support, which is expected to be flexible enough to accommodate support for other platforms, and foreign functions written in languages such as C++.
  • Strong Encapsulation by default for JDK Internals: With the exception of critical internal APIs like misc.Unsafe, users will be able to choose the relaxed strong encapsulation, which has been the default since JDK 9. The goals include improving the security and maintainability of JDK, which as part of Project Jigsaw, will encourage developers to migrate from using internal elements to standard APIs so that developers and end users can be able to update easily to future Java releases.
  • Z Garbage Collector thread-stack processing: This includes removing thread-stack processing from ZGC safepoints and making stack processing lazy, concurrent, and incremental; it also removes all other per-thread root processing from ZGC safepoints and provides a mechanism for other HotSpot VM subsystems to lazily process stacks.
  • Elastic Metaspace capability: An elastic metaspace returns unused HotSpot VM class metadata (metaspace) memory to the OS more promptly, reducing the metaspace footprint, simplifying the metaspace code and lowering maintenance costs. Metaspace has had high off-heap memory use issues, so the plan calls for replacing the memory allocator with a buddy-based allocation scheme and providing an algorithm to divide memory into partitions.

Additionally, C++14 language features are enabled, allowing the use of C++14 capabilities in JDK C++ source code, with specific guidance about which of the features can be used in HotSpot VM code. Through JDK 15, the language features used by C++ code in the JDK were limited to the C++98/03 language standards, even though the build was updated in JDK 11 to support building with newer versions of the C++ standard.

How to Get Started with JDK 16

JDK 16 early-access builds for Linux, Windows, and MacOS is now available at You can also join the early adopter program by downloading the beta versions of JDK 16 to give it a spin.

And as JDK 16 is a short-term release, it will be supported for six months. Then, JDK 17, which is due in September 2021, will serve as a long-term support (LTS) release with several years of support. JDK 11 released in September 2018, remains the current LTS release.

JDK 16: What features to Expect in the Next Java upgrade?

Microsoft's security research team has disclosed a widespread malware campaign targeting the major browsers, dubbed Adrozek, a browser modifier that, when installed on a device, modifies the web browsers to inject ads into search engine results.

Adrozek malware campaign started around May through to September 2020, with about 159 unique domains employed in the distribution of hundreds of thousands of unique malware samples. While the attackers relied on polymorphism, which allows them to evade detection and as Adrozek is installed through a drive-by download, several of the domains host tens of thousands of URLs, and a few even more than 100,000 unique URLs.

It affects almost all the popular browsers, including Google Chrome, Firefox and Microsoft Edge browsers on Windows platform, with insertion of unauthorized ads over legitimate ads displayed on search results pages, leading to inadvertent clicking of the ads.

How the Adrozek malware gets Installed on Devices

Adrozek distribution infrastructure is very dynamic, with some domains running for only a day, while others could be active for longer, even up to 120 days. Thus, the attackers distribute hundreds of thousands of unique installer samples of the malware using this sprawling infrastructure.

The Adrozek malware is installed via a drive-by download when web users inadvertently visit any of the malicious domains controlled by the attacker. The malware is installed under the browser's Program Files folder using a file name that makes it look like audio-related software to evade detection.

On installation, Adrozek proceeds to initiate multiple changes in the browser settings and security controls with the intent of installing malicious add-ons that masquerade as genuine tools by repurposing the IDs of the legitimate browser extensions. In addition, the malware exfiltrates website credentials, and maintains persistence by exposing affected devices to additional risks.

The fact that this malware affects multiple browsers is an indication of how the threat landscape has continued to evolve, with increasingly sophisticated attack scenarios.

How to Mitigate against Adrozek Malware

Given that the malware employs polymorphic tactics, it requires protection that focuses on identifying and detecting the malicious behavior. Tools such as Microsoft Defender Antivirus, the built-in endpoint protection on Windows 10, come in handy here, as it uses behavior-based, machine learning-powered detections to block malware such as Adrozek.

Additionally, affected web users are advised to re-install their browsers. A good understanding of the dangers of clicking ads or links on suspicious websites, and of the risks in downloading and installing software from untrusted sources, is also necessary.

Adrozek Browser Modifier hijacking Chrome, Firefox and Edge Browsers

Jakarta EE 9 Platform was released by the Eclipse Foundation on December 8, with a new namespace for the Java enterprise edition.

The new package namespace is jakarta instead of the erstwhile javax, and all the specification APIs have been moved to the jakarta namespace; this is a very significant update that opens the door for the next evolution of cloud native technologies.

Jakarta EE is the successor to Java EE, which as the former enterprise edition platform of Java, was developed by a team led by Oracle. But, Oracle announced in February 2018 that it was transitioning Java EE development over to the Eclipse Foundation in order to open up platform.

Jakarta EE 9 as a Platform for Cloud native Technologies

Jakarta EE 9 diverges from previous platform release strategies, with the namespace switch serving as a breaking change for the enterprise Java ecosystem.

Along with the release of Jakarta EE 9, the Eclipse Foundation also announced the certification of the GlassFish 6.0.0 application server, which is the first compatible implementation of Jakarta EE 9. And other implementations like the Apache Tomcat Java application server are expected to move over to Jakarta EE 9 starting from early next year.

Now, the community working on each Jakarta EE specification will have the flexibility to deliver as many specification releases as needed to meet requirements. Developers and enterprises that need the advances in a particular Jakarta EE specification, such as Servlet, will no longer have to wait for a full platform release to get started with them.

As the Jakarta EE community expects to offer full platform releases more often than in the past, it will share more details about the release strategy as it makes progress.

How to get Started with Jakarta EE 9

If you wish to migrate to Jakarta EE 9, the Eclipse Transformer tooling project offers utilities (a CLI and a Maven plugin) to help you upgrade code in batch mode; the Jakarta EE 9 rules for it are currently still under development.

And note that the Jakarta EE product vendors are still moving to the new Jakarta EE 9 platform, such as Glassfish v6.0.0.M1 which is now available for testing Jakarta EE 9. WildFly 21 and Payara platform 6 will also provide compatible products in the coming months. While Open Liberty beta offer partial web application support of Jakarta EE 9, Jetty 11.0.0-alpha0 and Apache Tomcat 10.0-M6 have announced Servlet support of Jakarta EE 9 in their respective milestone products.

Jakarta EE 9 offers New Namespace for the Evolution of Java platform

The BlackBerry Research and Intelligence Team has uncovered an ongoing MountLocker campaign involved in the initial distribution of the MountLocker ransomware and the exfiltration of sensitive data from corporate networks.

MountLocker is a relatively new ransomware strain responsible for past breaches of several corporate networks, and it has now developed new capabilities that broaden the scope of its targeting and help it evade security tools.

MountLocker operates under a Ransomware-as-a-Service (RaaS) model, with the updated ransomware broadened to target more file types and evade security software, as well as allowing affiliates to launch double extortion attacks.

MountLocker Ransomware exfiltration of sensitive data from corporate networks

MountLocker contains a 2048-bit RSA public key embedded by the attackers, which is imported and used to encrypt random session keys generated via the cryptographically insecure GetTickCount API. This means that knowing the tick-count value at the time of execution could allow the session key to be brute-forced.

After initializing the encryption keys, MountLocker creates the ransom note from a template and adds the ransomware file extension to the registry. If a user double-clicks an encrypted file, the ransom note is opened via Explorer; the file extension is a hex-encoded 4-byte (8 character) "Client ID" that is unique per victim organization.

MountLocker leverages remote desktop (RDP) with compromised credentials to gain an initial foothold on the victim's system, then deploys malicious tools to carry out network reconnaissance (AdFind), before eventually deploying the ransomware and spreading it across the network, exfiltrating sensitive data via FTP along the way.

The list of encryption targets supported by MountLocker is quite expansive, with over 2600 file extensions spanning documents, archives, databases, images, accounting and security software, source code, games, and file backups. Executable files such as .dll, .exe, and .sys remain untouched.

Upon execution, MountLocker proceeds to terminate all security software, and trigger encryption using ChaCha20 cipher, creating a ransom note with a link to a Tor .onion address to contact the attackers via a "dark web" chat service portal for price negotiation.

How to Safeguard against such sophisticated threats

Since its inception in July 2020, MountLocker has been seen to expand and improve its ransomware. While its current capabilities aren't particularly advanced, the group is expected to continue to grow in prominence over the next year.

As such threats continue to evolve, with attackers attempting to sidestep security barriers to gain access to the broader network, there is a need for a comprehensive defense system, such as Microsoft Defender for Endpoint and BlackBerry's AI-based endpoint security solution, both of which are now generally available; Microsoft has also extended its industry-leading endpoint protection to mobile devices.

MountLocker Ransomware: Ransomware-as-a-Service (RaaS) model for Hackers

Zebrocy is malware used by the advanced persistent threat (APT) group Sofacy, also known as APT28, Sednit, Fancy Bear, and STRONTIUM, which has ties to the Russian government.

Zebrocy was first reported by Kaspersky Lab in its 2017 APT Trends report, and the Russian threat actors are known for malware campaigns that rely on phishing lures to deliver it.

According to cybersecurity firm Intezer, APT28's most recent operation uses COVID-19 themed phishing emails to deliver a Go ("Golang") version of Zebrocy. Zebrocy was originally written in Delphi (the Delphocy variant) but has since been reimplemented in more than a dozen other languages, including C++, C#, AutoIT, Go, Python, and VB.NET.

How APT28 Hackers are using COVID-19 Lure to deliver Zebrocy Malware?

Zebrocy has mainly been deployed against governments and organizations engaged in foreign affairs, and this latest campaign is yet another cyberattack using COVID-19 as a phishing lure, showing how attackers repurpose current world events to their advantage.

Intezer researchers discovered a Virtual Hard Drive (VHD) file named 30-22-243.vhd that was uploaded to VirusTotal from Azerbaijan. VHD is the native virtual disk format used by Microsoft's Hyper-V, and Windows 10 supports it natively, allowing users to mount the file and browse its contents.

According to the timestamps stored in the file, the disk was created on November 20, 2020, about 10 days before it was uploaded to VirusTotal.

Because Windows hides known file extensions by default, users can be tricked into believing the file is a Word document. Only a handful of the 70 antivirus engines on VirusTotal detected the file as generic malware, while Intezer Analyze identified it as malware associated with Sofacy.

How to Mitigate against the Zebrocy malware

The Zebrocy backdoor has also caught the attention of the US Cybersecurity and Infrastructure Security Agency (CISA), which released an advisory cautioning that the malware is "designed to allow a remote operator to perform various functions on the compromised system."

CISA therefore recommends that Windows users exercise caution when using removable media and when opening email attachments from unknown senders, and that suspicious email attachments be scanned to ensure that the attachment's extension matches its file header.
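The header-versus-extension check CISA describes, as an added PHP example that is not part of the original post or of any CISA tooling. It compares a file's leading bytes against known signatures for its claimed extension, flags double extensions that Windows would hide, and treats disk images such as VHD as risky; the sample attachments are constructed byte strings, not real files.

```php
<?php
declare(strict_types=1);

// Known file signatures ("magic bytes") at offset 0, keyed by the extension they belong to.
// Office Open XML documents are ZIP containers, legacy Office files are OLE2 compound
// documents, and a dynamic VHD begins with a copy of its "conectix" footer.
const SIGNATURES = [
    'docx' => ["PK\x03\x04"],
    'xlsx' => ["PK\x03\x04"],
    'zip'  => ["PK\x03\x04"],
    'doc'  => ["\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"],
    'xls'  => ["\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"],
    'pdf'  => ["%PDF-"],
    'png'  => ["\x89PNG\r\n\x1A\n"],
    'jpg'  => ["\xFF\xD8\xFF"],
    'rar'  => ["Rar!\x1A\x07"],
    'exe'  => ["MZ"],
    'dll'  => ["MZ"],
    'vhd'  => ["conectix"],
];

// What a user reads as "a document" when Windows hides the real, known extension.
const DOCUMENT_LIKE = ['doc', 'docx', 'xls', 'xlsx', 'pdf', 'png', 'jpg', 'txt'];

// Executables and mountable disk images deserve a second look regardless of header.
const RISKY = ['exe', 'dll', 'vhd'];

/** Guess the real type from the content alone; null if no known signature matches. */
function detectType(string $bytes): ?string
{
    foreach (SIGNATURES as $type => $sigs) {
        foreach ($sigs as $sig) {
            if (str_starts_with($bytes, $sig)) {
                return $type;
            }
        }
    }
    // A fixed-size VHD carries its "conectix" footer only in the last 512 bytes.
    if (strlen($bytes) >= 512 && str_starts_with(substr($bytes, -512), 'conectix')) {
        return 'vhd';
    }
    return null;
}

/** True when the content carries a signature that belongs to the claimed extension. */
function matchesExtension(string $ext, string $bytes): bool
{
    foreach (SIGNATURES[$ext] as $sig) {
        if (str_starts_with($bytes, $sig)) {
            return true;
        }
    }
    return $ext === 'vhd' && detectType($bytes) === 'vhd';
}

/**
 * Return a list of findings for one attachment; an empty list means the
 * name and the content agree. $bytes needs only the first and last 512 bytes.
 */
function checkAttachment(string $filename, string $bytes): array
{
    $findings = [];
    $parts = explode('.', strtolower(basename($filename)));
    $ext = count($parts) > 1 ? array_pop($parts) : '';

    // "invoice.pdf.exe": with known extensions hidden, the user sees "invoice.pdf".
    $shown = end($parts);
    if (count($parts) > 1 && in_array($shown, DOCUMENT_LIKE, true) && $shown !== $ext) {
        $findings[] = "double extension: shown as .{$shown}, actual extension .{$ext}";
    }

    if (!isset(SIGNATURES[$ext])) {
        $findings[] = "extension .{$ext} is not on the allow-list";
        return $findings;
    }
    if (in_array($ext, RISKY, true)) {
        $findings[] = "risky attachment type .{$ext}";
    }
    if (!matchesExtension($ext, $bytes)) {
        $looksLike = detectType($bytes) ?? 'unknown content';
        $findings[] = "header mismatch: named .{$ext} but content looks like {$looksLike}";
    }
    return $findings;
}

// Constructed sample attachments: only the leading header bytes are present.
$samples = [
    ['report.docx',     "PK\x03\x04" . str_repeat("\0", 28)],   // genuine OOXML container
    ['report.docx',     "MZ\x90\x00\x03\x00\x00\x00"],          // PE executable renamed to .docx
    ['invoice.pdf.exe', "MZ\x90\x00\x03\x00\x00\x00"],          // document-looking double extension
    ['30-22-243.vhd',   "conectix" . str_repeat("\0", 504)],    // dynamic VHD, header copy of footer
    ['notes.odt',       "PK\x03\x04" . str_repeat("\0", 28)],   // extension the scanner does not know
];
foreach ($samples as [$name, $bytes]) {
    $findings = checkAttachment($name, $bytes);
    printf("%-16s %s\n", $name, $findings === [] ? 'OK' : implode('; ', $findings));
}
```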

Zebrocy Malware Campaign by APT28 Hackers using COVID-19 Lure

Fuchsia OS is a new operating system being developed by Google, originally built using Dart, a general-purpose programming language that Google also developed.

Although Fuchsia is open source, it did not accept contributions from outside developers until now. Google has expanded its open source model to allow anyone to contribute to the development of the Fuchsia OS project.

Fuchsia is a departure: all of Google's other operating systems, including Android and Chrome OS, are based on the Linux kernel, whereas Fuchsia is based on the Magenta kernel. It is aimed particularly at embedded hardware such as car dashboards or GPS units, where the overhead of the Linux kernel can hurt performance.

Fuchsia OS - Google's new Operating System outside the Linux kernel

Fuchsia OS is based on the Magenta kernel and designed to work across a wide range of devices, from small embedded devices all the way up to mobile devices and even laptops and desktops.

Google describes Fuchsia OS as a long-term project aimed at creating a general-purpose open source operating system with its own kernel that prioritizes security and performance. It currently supports a limited number of x64-based hardware platforms, and it can also be tested using Fuchsia's emulator.

It uses Google's own Material Design-friendly Flutter user-interface framework, as well as Dart as the primary programming language.

Fuchsia OS Development Going Public

Until now Fuchsia was developed exclusively by the Fuchsia team, although Google has been developing it in the open, in a public git repository, for the last four years.

Google now wants to allow outside developers to become members of the project, either to submit patches or to become committers with full write access. If you're a developer and want to contribute to Fuchsia OS, you can download the source code and get started from the official site.

Google opens up Fuchsia OS for Contributions by Outside developers

Android spyware developed by Iranian threat actors could allow attackers to spy on users' private chats in popular instant messaging apps such as Instagram, WhatsApp, Telegram, Viber, Skype, and even the unofficial Iran-based Telegram client known as Talaeii.

The Iranian threat actors are backed by the country's Ministry of Intelligence and Security (MOIS) and run espionage campaigns targeting dissidents, Iranian journalists, and international organizations in the telecom and travel sectors. Their tactics include auto-answering calls and forcing Wi-Fi connections on specific numbers in order to eavesdrop on conversations.

According to the FBI, these malicious cyber activities are carried out by the RANA Intelligence Computing Company, also known as RANA Corp, a MOIS front company in Tehran, Iran. The group is known in cybersecurity circles as APT39, Chafer, Remexi, Cadelspy, and ITG07.

How the FBI traced APT39 operations to RANA?

The Federal Bureau of Investigation (FBI) traced eight distinct sets of previously undisclosed malware that the APT group used for intrusion and reconnaissance, including an Android spyware app called "optimizer.apk" that possesses data-stealing and remote access capabilities.

Its capabilities include retrieving commands from the command-and-control (C2) server via HTTP GET requests, stealing device data, AES-encrypting the collected data, and sending it to the C2 server via HTTP POST requests.

Beyond data theft and remote access, the APK implant also gains root access on Android devices without the user's approval or knowledge.

Measures to safeguard Your Android Device against such Malware Attacks

Android remains the leading mobile operating system, with the biggest share of the global smartphone market, so it is no surprise that it is also the main target of many malware actors.

Android users should therefore keep their device software up to date, scrutinize every application before installation, and make sure all applications are downloaded from the Google Play Store.

RANA Android Malware spy on users of Instant Messengers

The Endless OS team has released a new stable version, Endless OS 3.9.1, bringing updated software and hardware support, including an NVIDIA driver upgrade to version 450.80 for newer graphics cards.

Endless OS is a Linux-based operating system offering a simplified and streamlined experience; it runs its own customized desktop environment, forked from GNOME 3.

Its distinctive design is a read-only root file system managed by OSTree, with app bundles overlaid on top, instead of a traditional Linux package management system.

What's New in Endless OS 3.9.1 Release?

Endless OS 3.9.1 upgrades the virtualbox-guest-utils package and enables 3D acceleration by default when the downloadable OVF images of Endless OS are imported into VMware or VirtualBox.

Some issues reported in the previous release, Endless OS 3.9.0, have also been resolved, such as the keyboard support issue on Asus laptops and the calendar/notifications menu failing to display when it was slightly too big for the screen. Other changes in Endless OS 3.9.1 include:

  • Parental Controls app updated to simplify the configuration of installation restrictions.
  • Fixes for issues with installing or updating apps and with OS upgrades from a USB drive using the App Center.
  • Automatic removal of unused Flatpak runtimes (marked as end-of-life) during updates.

Additionally, the LibreOffice icons have been updated to the official upstream versions, and the Endless OS 3.9.1 ISO image no longer takes 90 seconds to boot, as the earlier ISO images did.

How to Download or Upgrade to Endless OS 3.9.1

Endless OS 3.9.1 images are available for download on Desktop, Virtual Machine, and Raspberry Pi 4 from the official website.

The Hack application is now also available outside Endless OS on the Flathub Linux app store, which means you can run the Hack app on any GNOME-based Linux system with GNOME Shell 3.36 or higher and Flatpak 1.8.2 or above.

Endless OS 3.9.1 Release: Upgraded Virtualbox-guest-utils package and 3D acceleration

Microsoft has introduced the concept of Windows Feature Experience Packs as a way to increase the number of Windows features it rolls out to users over the course of a year.

The company released a preview of the first Windows Feature Experience Pack to participants in the Windows Insider beta program; testing it first with Windows Insiders is intended to prepare for expanding the scope and frequency of releases in the future.

According to Brandon LeBlanc, a senior Windows program manager, Windows Feature Experience Packs will ultimately be folded into the existing servicing process for Windows 10 and delivered to users through Windows Update.

What's the Idea behind the Windows Feature Experience Packs?

The idea behind Windows Feature Experience Packs is to ship "features and experiences" through a new mechanism outside the regular twice-a-year upgrade cycle for Windows 10.

The packs will be served through regular Windows Update, relying on the same servicing technology used to deploy the monthly security updates, the optional updates on the third or fourth Tuesday of every month, and, most notably, the "minor" Windows 10 upgrades that shipped in November 2019 and November 2020.

This initial feature pack includes two minor enhancements to existing features: the first lets users save screenshots or snippets captured with the Snip and Sketch tool to any designated folder instead of automatically saving them to the Pictures/Screenshots folder, while the second adds a split touch keyboard for 2-in-1 devices.

Why a New Microsoft Upgrade Process?

Since Windows 10's debut five years ago, customers clamoring for a better OS have complained about everything from Microsoft's upgrade velocity to its disruptiveness, often questioning the value of the upgrades and Microsoft's motives.

Customers have since adapted to a series of new servicing strategies, of which the Windows Feature Experience Pack concept is the latest. The feature packs do, however, run counter to Microsoft's move toward fewer upgrades, typified by 30 months of support for Windows 10 Enterprise and a once-a-year cadence for the Windows 10 Pro and Windows 10 Home editions.

Microsoft Windows Feature Experience Packs as new way to Upgrade Windows 10

Sophisticated cyber attacks are increasingly in the spotlight, and DeathStalker is a known APT group that first came to light in 2018 through a PowerShell-based implant called Powersing.

According to Kaspersky researchers, the group has developed a previously undocumented in-memory Windows backdoor, dubbed "PowerPepper", that can execute malicious code remotely and steal sensitive information from targets in Europe, Asia, and the United States.

The "PowerPepper" in-memory backdoor is so named because it relies on steganography, delivering its backdoor payload hidden inside images of ferns or peppers.

DeathStalker, however, does not steal this sensitive information to resell it, nor does it engage in the kind of activity associated with underground cybercrime groups.

How the PowerPepper malware expands the Hackers' toolsets

PowerPepper was first spotted in the wild in July 2020. The new strain is dropped by Word documents and uses DNS over HTTPS (DoH) as its communications channel to receive malicious shell commands from an attacker-controlled server.

The Word documents carry social engineering banners that lure users into enabling macros, which in turn download the backdoor, while the spear-phishing emails use themes as varied as travel bookings and the ongoing coronavirus pandemic.

The implant sends DNS requests to name servers associated with a malicious C2 domain, which return the command to be run embedded in the response; after execution, the results are relayed back to the server in a batch of DNS requests.

How to Mitigate against the "PowerPepper" in-memory malware

The PowerPepper toolset has proved effective and is well put together, and its operators are determined to compromise targets around the world.

It is therefore recommended that home users and businesses update their CMS backends and associated plugins, restrict PowerShell use on end-user computers with enforced policies, and refrain from opening attached files or clicking links in emails from unknown senders, in order to guard against PowerPepper delivery and execution.

APT hacking group, DeathStalker unleash "PowerPepper" in-memory malware

Manjaro Linux is designed to work "straight out of the box", with a focus on user-friendliness and accessibility, and Manjaro 20.2 “Nibia” continues that focus, bringing updated GNOME, KDE and Xfce editions of the popular desktop Linux distribution.

Manjaro 20.2 “Nibia” also ships the latest Pamac 9.5.12, kernels 5.9 and 5.4 LTS, and other new features, including support for encrypted systems without an encrypted /boot partition.

This enables graphical password dialogs and non-US keymaps for entering the passphrase, and boot times are up to one minute shorter than with full disk encryption; automatic partitioning still uses full disk encryption by default.

What's New in Manjaro 20.2 “Nibia” Release?

Manjaro, an Arch Linux-based rolling distribution, is available in three distinct editions, namely the GNOME, KDE and Xfce desktop environments.

The GNOME edition has several new features, including the latest GNOME desktop, version 3.38.2 codenamed “Orbis”, which brings better performance, a custom app grid, parental controls, Wi-Fi hotspot sharing via QR code, a new Welcome Tour app, and multi-monitor support, among others.

The GNOME edition now also offers two automatic window tiling managers, the keyboard-driven Pop Shell and the touch-friendly Material Shell, which can be enabled in the Gnome-Layout-Switcher.

For the KDE edition, the new features include the latest Plasma 5.20 desktop environment, which offers Wayland improvements, a grid-like system tray, new wallpaper, new power-saving options, and touch support in Dolphin, among others.

Lastly, the Xfce edition brings an integrated, leading-edge Xfce experience with Xfce 4.14. The stable Xfce desktop is known to pair well with a cutting-edge rolling release such as Manjaro, ensuring reliable performance that only a few distributions can claim to offer.

How to Download or Upgrade to Manjaro 20.2?

If you are new to Manjaro and want to install Manjaro 20.2 from scratch, you can download the ISO image for your desired desktop environment from the official website.

Because Manjaro is a rolling distribution, switching to the new version, Manjaro 20.2, is a matter of updating the package database and all installed packages.

You can use the following command on your terminal to upgrade your system to the latest Manjaro release:

sudo pacman -Syu

To force a full refresh of the package database and update all packages on your system, use the following command instead:

sudo pacman -Syyu

The desktop has also been trimmed so that it now uses approximately 40% less RAM than before, and Wayland is now the default session on non-NVIDIA hardware.

Manjaro 20.2 “Nibia” Release: Encrypted systems support without encrypted /boot partition

Microsoft Edge WebView2 for Win32 C/C++ was announced as generally available in October and is ready for use in applications that render and interact with HTML content.

The company also officially released a forward-compatible WebView2 SDK along with a production-ready WebView2 Runtime, which can be used in any Win32 C/C++ application and is fully supported across existing Windows versions.

Microsoft's move to a new set of Windows controls as part of the WinUI 3 libraries is perhaps a sign that it is rethinking how the Windows SDKs should be developed.

What exactly is WebView2?

WebView2 is Microsoft Edge's new embedded web control, which gives Windows app developers access to the latest web technologies in both existing and new applications.

It lets developers combine the agility of developing for the web with the ease of building a native desktop application. WebView2 is part of Project Reunion, which makes it available across Win32 and UWP applications, as well as in a few different UI stacks.

The WebView2 control uses Microsoft Edge (Chromium) as the rendering engine to display web content in native applications. With WebView2, you can embed web code in different parts of a native application, or build an entire native application around a single WebView.

Getting Started with WebView2

The common WebView2 prerequisites are the WebView2 Runtime or any Microsoft Edge (Chromium) non-stable channel, installed on Windows 10, Windows 8.1, or Windows 7.

To create a single-window Win32 app, start with a basic desktop project that contains a single main window. You can create a traditional Windows Desktop application (C++) for your sample app, or download the modified sample from the WebView2 Samples repository and start from there.

In Visual Studio, open WebView2GettingStarted.sln. If you're using an older version of Visual Studio, right-click the WebView2GettingStarted project, select Properties, and under Configuration Properties > General change the Windows SDK Version and Platform Toolset to use the Win10 SDK and Visual Studio toolset (VS toolset).

WebView2: Using Chromium Edge to render and interact with HTML content

The notorious TrickBot malware botnet has expanded its toolset with the ability to deploy bootkits and take absolute control of an infected system.

According to security researchers at Advanced Intelligence (AdvIntel) and Eclypsium, TrickBot's new functionality lets it inspect the UEFI/BIOS firmware of targeted systems and check for known vulnerabilities that would allow the attackers to read, write, or erase the device's UEFI/BIOS firmware.

This new capability sets the stage for TrickBot operators to carry out even more active exploitation, such as installing firmware implants and backdoors or bricking targeted devices.

Typical TrickBot Kill Chain Explained

TrickBot's most common attack chain begins with Emotet malspam campaigns, which load TrickBot and other loaders; the operators then move on to attack tools such as Cobalt Strike and PowerShell Empire to accomplish objectives that depend on the victim or organization under attack.

The actors also use LightBot, a set of PowerShell scripts that perform reconnaissance of the victim's hardware and software in order to hand-pick high-value targets.

Such actors would clearly benefit from adding a UEFI-level bootkit to their kill chain: it would survive system re-imaging during the recovery phase of a Ryuk or Conti event and give them the ability to semi-permanently brick a device.

This would give criminal actors more leverage during ransom negotiations, since the kill chain usually ends with the deployment of either Conti or Ryuk ransomware.

How to Mitigate against such threats as presented by TrickBot

Given TrickBot's reach and these new capabilities, TrickBoot is only one line of code away from bricking any device it finds to be vulnerable, and an attack of this kind can have severe consequences.

Organizations are therefore advised to keep their firmware up to date, ensure that BIOS write protections are enabled, and verify firmware integrity to guard against unauthorized modifications.

TrickBoot: TrickBot's New Tricks to take absolute control of Infected System

BlackArch is a penetration testing Linux distribution based on Arch Linux that offers a huge collection of cyber security tools.

The BlackArch team has released its last update for the year, BlackArch 2020.12.01, which brings Linux kernel 5.9.11 along with updated system packages, config files, and pen testing tools.

BlackArch 2020.12.01 also adds over 100 new hacking tools, bringing the total number of tools available in BlackArch to 2608.

What's New in BlackArch 2020.12.01 Release?

BlackArch 2020.12.01 renames the “Live ISO” to “Full ISO”, and a new “Slim ISO” featuring the lightweight Xfce desktop environment is currently in the works.

Updated core system components include vim plugins and window managers such as Openbox, Fluxbox, Awesome and spectrwm. Other changes in the BlackArch 2020.12.01 release include:

  • Blackarch-installer updated to v1.2.16
  • Improvements to the vim config options
  • Removal of unnecessary files from the ISO env

Additionally, there are fixes for package bugs such as missing dependencies, among many others. The official OVA image is available for VMware, VirtualBox, and QEMU.

How to Download or Upgrade to BlackArch 2020.12.01

BlackArch Linux is compatible with existing Arch installations, so Arch Linux users can install BlackArch on top of their current system by running the following commands:

$ curl -O
$ echo d062038042c5f141755ea39dbd615e6ff9e23121 | sha1sum -c
$ chmod +x
$ sudo ./
$ sudo pacman -Syu

To install all tools from the BlackArch repository, run:

$ sudo pacman -S blackarch

If you're a new user and want to try the latest BlackArch 2020.12.01, you can download either the full ISO, containing a complete and functional BlackArch Linux system, or the netinstall ISO, a lightweight image for bootstrapping machines, and follow the official guide to install it.

BlackArch 2020.12.01 Release: Linux Distro for Pen testers and security researchers

PHP, the general-purpose scripting language geared toward web development, has undergone a major upgrade, with PHP 8.0 now available as a public release.

The major upgrade brings named arguments, union types, attributes, and just-in-time (JIT) compilation. Union types allow a parameter to accept values of several different types, and named arguments let callers pass arguments to a function by parameter name instead of by position.

Although PHP already supported the special cases Type or null and array or Traversable, arbitrary union types were not supported until now and had to be expressed through phpdoc annotations. Named arguments, in turn, make arguments order-independent and self-documenting, and allow default values to be skipped arbitrarily.

What's new in PHP 8.0?

Beyond moving more type information from phpdoc into function signatures, union types are also checked during inheritance and are made available through reflection.

Other new features in PHP 8.0 include:

  • PHP attributes offer a form of structured metadata to declarations of classes, functions, methods, constants, parameters, and properties.
  • Constructor property promotion combines the definition of properties and the constructor through a shorthand syntax. It addresses the boilerplate that simple value objects required, where every property had to be repeated at least four times.
  • Named arguments allow passing arguments to a function based on the parameter name rather than the parameter position.
  • Tracing JIT and function JIT are included: the tracing JIT performs about 3x better on synthetic benchmarks and 1.5x to 2x better on some long-running applications, though typical application performance is on par with PHP 7.4.
  • Match expressions, similar to switch but with safer semantics and the ability to return values.

Additionally, there are weak maps, which create a map from objects to arbitrary values without preventing the objects used as keys from being garbage-collected. The use case is to associate data with individual object instances without requiring that they stay alive, which would leak memory in long-running processes.
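The PHP 8.0 features described above working together in one script, as an added example that is not part of the original post or of the PHP project's documentation. The class names LoginEvent and Sensitive and the sample values are made up for illustration; run it with `php` 8.0 or later.

```php
<?php
declare(strict_types=1);

// Attribute: structured metadata on a declaration, readable back through reflection.
#[Attribute(Attribute::TARGET_PROPERTY)]
final class Sensitive {}

final class LoginEvent
{
    // Constructor property promotion: each parameter declares, types and assigns a property.
    public function __construct(
        public string $source,
        public int|string $userId,                 // union type, no phpdoc needed
        #[Sensitive] public ?string $token = null, // nullable shorthand for string|null
        public int $severity = 1,
    ) {}
}

// Union types are enforced at call time: a float here throws a TypeError under strict_types.
function describeId(int|string $id): string
{
    // match compares with ===, has no fall-through, returns a value, and throws
    // UnhandledMatchError when no arm matches (switch would silently do nothing).
    return match (true) {
        is_int($id)                     => "numeric id {$id}",
        preg_match('/^\d+$/', $id) === 1 => "numeric string id {$id}",
        default                         => "opaque id {$id}",
    };
}

function severityLabel(int $severity): string
{
    return match ($severity) {
        1, 2    => 'low',
        3       => 'medium',
        4, 5    => 'high',
        // throw is an expression in PHP 8, so it can be used directly as a match arm.
        default => throw new InvalidArgumentException("unknown severity {$severity}"),
    };
}

/** Copy an object's public properties into an array, masking any tagged #[Sensitive]. */
function redact(object $obj): array
{
    $out = [];
    $props = (new ReflectionObject($obj))->getProperties(ReflectionProperty::IS_PUBLIC);
    foreach ($props as $prop) {
        $masked = $prop->getAttributes(Sensitive::class) !== [];
        $out[$prop->getName()] = $masked ? '***' : $prop->getValue($obj);
    }
    return $out;
}

// Named arguments: order-independent, self-documenting, and $token's default is skipped.
$event  = new LoginEvent(userId: 42, severity: 4, source: 'sso-gateway');
$leaked = new LoginEvent(source: 'vpn', userId: 'svc-backup', token: 'constructed-session-token');

print_r(redact($event));   // token stays null, nothing to mask
print_r(redact($leaked));  // token is masked because of the #[Sensitive] attribute
echo describeId($event->userId), "\n";
echo describeId($leaked->userId), "\n";
echo severityLabel($event->severity), "\n";

// The declared union type is available through reflection, not just in phpdoc.
echo (new ReflectionProperty(LoginEvent::class, 'userId'))->getType(), "\n";

// WeakMap: per-object side data that disappears together with the object.
$labels = new WeakMap();
$labels[$event] = severityLabel($event->severity);
echo count($labels), "\n";
unset($event);             // last strong reference gone, so the WeakMap entry is dropped too
echo count($labels), "\n";
```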

How to Get Started with PHP 8.0

PHP 8.0 follows the PHP 7 line, which debuted in December 2015, and can be downloaded from the official website.

You can check the supported versions page for more information on the support lifetime of each version of PHP.

Major PHP upgrade (PHP 8.0) brings JIT compilation and union types support

The KaOS team has announced the last release of the 2020 series, KaOS 2020.11, following its usual two-month development cycle.

KaOS is a Linux distribution built with a very specific focus on Qt and KDE, currently based on the Linux kernel. The new stable version ships upgraded packages, including KDE Applications 20.08.3, KDE Frameworks 5.76.0, and Plasma 5.20.3.

The latest KaOS version also offers new functionality, such as notifications when the system is out of disk space, grouping behavior for the Task Manager, and highlighting of changed settings.

What's New in KaOS 2020.11 Release?

Besides the upgraded packages for the KDE Plasma desktop, namely KDE Applications 20.08.3, KDE Frameworks 5.76.0, and Plasma 5.20.3, KaOS 2020.11 offers the new plasma-disk module, which shows the status of all HDDs or SSDs through a new option in the kinfocenter app, and the Calamares installer can now set up a swap file instead of a swap partition.

Other updated core tools in KaOS 2020.11 include:

  • Git 2.29.2
  • Qt 5.15.2
  • Mesa 20.2.2
  • Linux Kernel 5.8.18
  • NetworkManager 1.26.4
  • Cmake 3.19.0
  • Openvpn 2.5.0
  • Binutils 2.35.1
  • Ruby 2.7.2

Additionally, the KaOS team has rewritten some modules, such as the keyboard and Locale modules, in preparation for moving them to QML; continuing that shift, developers now use a new QML module called usersq.

How to Download or Upgrade to KaOS 2020.11

If you’re an existing KaOS user, you can use the following command to upgrade your current system to KaOS 2020.11:

sudo pacman -Syu

And for those who are trying out KaOS for the first time, you can download the ISO image of the latest KaOS 2020.11 from the official download page.

KaOS 2020.11 Release: New Plasma-disk to see all HDD or SSD status

The Bandook Trojan was notorious for its 2015 and 2017 malware campaigns, whose operations were dubbed “Operation Manul” and “Dark Caracal” respectively.

Now, in a new report published by Check Point Research, hackers affiliated with Dark Caracal have deployed "dozens of digitally signed variants" of the Bandook Windows Trojan to once again target financial, healthcare, education, energy and legal institutions located across Indonesia, Italy, Germany, Singapore, Switzerland, Turkey, and the United States.

The group, which is believed to have ties to the Kazakh and Lebanese governments, unleashed this new wave of attacks against a multitude of industries with a craftily retooled version of the 13-year-old backdoor Trojan.

How the Bandook Malware Chain has Evolved

The malware chain used by the attackers has evolved from the early version, and the full infection chain of the attack breaks down into three main stages.

The initial stage, like many other infection chains, starts with a malicious Word document inside a ZIP file. When the document is opened, it downloads malicious macros using the external template feature, and the macros in turn execute the second stage of the attack, a PowerShell script encrypted inside the original Word document.

In the final stage, the PowerShell script downloads and executes the Bandook backdoor. The attackers combine several techniques here, with the encrypted data embedded inside a shape object within the original document and accessed from the external template using a particular code.

What Hinders Detection and Analysis of Bandook Operations

The operators behind the malicious infrastructures dubbed “Operation Manul” and “Dark Caracal” are very much still active and ready to unleash new cyber attacks.

The group behind the infrastructure in these attacks has, however, evolved over time, adding several layers of security, valid certificates and other techniques to hinder detection and analysis of its operations.

Bandook Windows Trojan: Digitally Signed Variants again target Multiple Sectors

Microsoft's latest Edge update, version 87, debuted with automatic IE-to-Edge redirection for some websites and a new tab page update with customizable feeds.

Microsoft updates the Edge browser every six weeks, typically a day or two after Google's Chrome update with the same version number. In this release the company also patched about 19 security vulnerabilities, the most serious of which is rated "High", the second level in a four-step ranking system.

Another major feature is Edge's new tab page, which Microsoft has touted as enterprise-centric because it connects to workers' Office 365 or Microsoft 365 accounts. In Edge 87 the company has pushed that emphasis further, blending the tab page fully with the 365 elements through personalized, work-relevant feeds.

Edge 87 New tab page Customizations

Edge 87 now blends the 365 elements with "personalized, work-relevant company and industry feeds", and users can customize the "My Feed" display with relevant content from public sources and from areas selected by the IT administrator.

Although users can customize the new tab page's content feed by selecting from a number of sources, IT admins have much greater power: they can lock in industry-specific news or display only the organization's internal news. Customization by the user is straightforward if IT personnel have not chosen an industry or pointed the feed to internally generated company news.

IT admins also have group policies they can assign to configure both the new feed and the auto-redirection of URLs from IE to Edge; Microsoft outlines three such policies in its support document.

How to Download or Upgrade to Edge 87

Although Microsoft Edge updates automatically in the background, users can also force an upgrade by opening the "About Microsoft Edge" page from the Help and Feedback menu; the resulting tab shows whether the browser is up to date, or displays the download progress before presenting a "Restart" button.

Those who are new to Edge can manually download Edge 87 for Windows or macOS from the official website. The Linux version is available in Dev Channel form from the Insider website, and the iOS and Android versions can be found in the App Store and Google Play, respectively.

What's New in the Edge Browser Update? Automatic IE-to-Edge website redirection

AV Linux is a specialized Linux distribution for multimedia content creators, available for both the i386 and x86-64 architectures, with a kernel customized for low latency and audio production.

The AV Linux team has released a new version, AV Linux 2020.11.23, as a complete new project under AV Linux MX Edition (AVL-MXE), switching its original base from earlier Debian 10 “Buster” to the new MX Linux 19.3 “Patito Feo” release.

AV Linux, being a multimedia-oriented Linux operating system, contains a huge collection of graphics, audio and video production software for media creators.

What's New in AV Linux 2020.11.23 Release?

The switch from its original Debian 10 "Buster" base to the new MX Linux 19.3 "Patito Feo" release means that this is the first build based on MX Linux (AVL-MXE). It comes in two editions: one for the x86_64 platform with the Xfce desktop and Linux kernel 5.9.1-rt20, and the other for the i386 platform with Xfce plus the Openbox window manager and kernel 5.9.1-rt19.

AVL-MXE offers selected repositories created specifically for users of Debian GNU/Linux, unlike the MX Linux approach of providing only trusted third-party repositories for software packages. The following Debian repositories are included in this new edition:

  • Liquorix Kernel Repository
  • AVL-MXE Kernel Repository
  • Debian Docker Community Edition
  • WineHQ Wine Repositories
  • Cinelerra-GG Repository
  • KXStudio Repositories

Additionally, the AV Linux MX Edition features an expanded AVL-MXE Assistant, a custom realtime-preempt kernel for optimal low-latency audio, one-click removal of all demoware, and extensive audio/video and administrator-friendly custom actions, among other key functionality.

How to Download or Upgrade to AV Linux 2020.11.23

New users who want to give this edition a spin can download the ISO image from the links AVL-MXE 2020.11.23 Openbox (32-bit) and AVL-MXE 2020.11.23 Xfce (64-bit) for the respective architectures.

For an in-depth guide to the new AV Linux MX Edition, check out the AVL-MXE user manual.

AV Linux 2020.11.23 Release: Multimedia-oriented OS for Content Creators

The Stantinko botnet is known to target Windows operating systems, with its earliest campaigns dating back to 2012; the malware mainly consists of coin-miners and adware.

In a 2017 white paper summarizing Stantinko's operations, researchers at ESET identified a Linux trojan proxy, which until now was the only known Linux malware belonging to Stantinko.

Now, a new analysis published by Intezer has identified a new version of this trojan that masquerades as httpd, the Apache Hypertext Transfer Protocol Server commonly used on Linux servers.

Insight into Stantinko Botnet's Linux proxy

Stantinko is traditionally Windows malware, but the expansion of its toolset to target Linux did not go unnoticed: ESET's 2017 analysis had already observed the Linux trojan proxy deployed via malicious binaries on compromised servers.

Intezer's recent research provides insight into a newer version of the same Linux proxy, v2.17 (the earlier version was v1.2), which also calls itself "httpd". A sample of the malware uploaded to VirusTotal validates a configuration file located at "etc/pd.d/proxy.conf", which is delivered together with the malware.

The new version of the malware functions only as a proxy. Intezer researchers also said that the new variant shares similar functionality with the old version and that some of its hardcoded paths bear similarities to previous Stantinko campaigns.

How the Stantinko Botnet targets Linux servers

The Stantinko proxy creates a socket and a listener to accept connections from infected Linux systems. An HTTP request from an infected client is passed on by the proxy to an attacker-controlled server, which responds with the appropriate payload; the proxy then forwards that response to the client.

If a non-infected client sends an HTTP request to a compromised server, however, it receives an HTTP 301 redirect to a preconfigured URL specified in the configuration file. As the latest malware targeting Linux servers, alongside other threats such as IPStorm, Doki, and RansomEXX, the Stantinko botnet remains part of a broader malware campaign.
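Two host-side checks follow from the behaviour described above: the presence of the configuration path the sample validates, and a plain HTTP request to a supposed web server answering with a 301 to an off-host URL. The script below is an added example written for this article, not code from Intezer or ESET; the HTTP responses it inspects are constructed samples, `expected_host` is an assumed parameter naming the host the server should legitimately serve, and only the `/etc/pd.d/proxy.conf` path comes from the write-up.

```python
"""Defender-side heuristics for the Stantinko Linux proxy behaviour.

Added example (not from the original write-up). Uses only the standard library.
"""
from __future__ import annotations

import os
from urllib.parse import urlparse

# Path validated by the analysed sample, per the Intezer research quoted above.
STANTINKO_CONFIG_PATH = "/etc/pd.d/proxy.conf"


def config_indicator_present(root: str = "/") -> bool:
    """Return True if the proxy's configuration file exists under `root`.

    `root` lets the check run against a mounted image or chroot instead of
    the live filesystem.
    """
    return os.path.exists(os.path.join(root, STANTINKO_CONFIG_PATH.lstrip("/")))


def parse_http_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Parse the status code and headers of a raw HTTP/1.x response.

    Header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    # Status line looks like "HTTP/1.1 301 Moved Permanently".
    status = int(status_line.split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def suspicious_redirect(raw: bytes, expected_host: str) -> bool:
    """Flag a 301 whose Location points away from the host we asked for.

    A legitimate HTTP->HTTPS upgrade redirects to the same host, so it is
    not flagged; a 301 to an unrelated, preconfigured URL is.
    """
    status, headers = parse_http_response(raw)
    if status != 301:
        return False
    target = urlparse(headers.get("location", "")).hostname
    return target is not None and target.lower() != expected_host.lower()


# Constructed sample responses (not captured traffic).
SAMPLE_OFFHOST_301 = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://redirect-target.example/landing\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_SAMEHOST_301 = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.org/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


def triage(responses: dict[str, bytes], expected_host: str) -> list[str]:
    """Return the labels of responses that match the off-host 301 heuristic."""
    return [label for label, raw in responses.items()
            if suspicious_redirect(raw, expected_host)]


if __name__ == "__main__":
    samples = {"offhost": SAMPLE_OFFHOST_301,
               "samehost": SAMPLE_SAMEHOST_301,
               "ok": SAMPLE_200}
    print("flagged responses:", triage(samples, "www.example.org"))
    print("config indicator on this host:", config_indicator_present())
```

Run it as a script to see which constructed sample is flagged, or import `config_indicator_present` and `suspicious_redirect` into an existing host-audit job; the redirect heuristic is deliberately narrow (301 plus an off-host Location) so that ordinary HTTPS upgrades on a healthy Apache install do not raise noise.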

Stantinko Botnet: Trojan masquerading as HTTPd targets Linux Servers

The GitHub Archive Program is a project to preserve open source software for future generations; since the world runs on open source software, it aims to ensure that the work of the open source community is preserved.

The idea behind the project is to go back through history and preserve the work of individual developers, students, and lesser-known developers and their open source projects. The project has now expanded with donations to the Bodleian Library at Oxford University in England, the Bibliotheca Alexandrina in Egypt, and the Stanford Libraries in California, and a copy will also be stored in the library at GitHub's headquarters in San Francisco.

GitHub will preserve its most popular repositories, ranked by the "stars" given by the community, which include projects such as the Ruby and Go programming languages and the Linux and Android operating systems.

Open source Archive beyond the GitHub Arctic Code Vault

The Archive Program includes the storage of a code archive in the Arctic World Archive in Svalbard, Norway, about one mile from the famous Global Seed Vault: this summer, 21TB of repository data on 186 reels of piqlFilm was placed in a decommissioned coal mine in the permafrost.

In partnership with the Long Now Foundation, the Software Heritage Foundation, the Internet Archive, the Arctic World Archive, and Microsoft Research, the program aims to preserve both "warm" and "cold" versions of code so that multiple copies and formats survive, an approach archivists call Lots Of Copies Keeps Stuff Safe (LOCKSS).

The overriding idea is to preserve a moment in time in which open source has become the premier mode of software development, and to chart the cultural significance of the movement.

Whom is the Archive Program meant to serve?

The Archive Program is meant for two sets of people: historians, and future software developers who are curious about how a piece of software was developed.

Each donation is encased using a combination of AI-generated art and 3D printing, and all the archived code is accompanied by technical guides to QR decoding, character encodings, file formats, and other critical metadata, so that future developers can easily decode it.

GitHub expanding its Archive Program into three Historic World Libraries