This RAT, which is dubbed “DarkWatchman”, has been observed spreading by email, and represents a new evolution in fileless malware technique.

According to Prevailion’s Adversarial Counterintelligence Team (PACT), DarkWatchman uses a robust Domain Generation Algorithm (DGA) to identify its C2 (Command and Control) infrastructure and utilizes novel methods for on-system activity, fileless persistence, and dynamic run-time capabilities like self-updating and recompilation.

The PACT team reverse engineered the DGA and investigated the Threat Actor’s (TA) web-based infrastructure, with consolidated results of their analysis into the report.

What is the Delivery Mechanism and Methodology of DarkWatchman?

PACT identified full email messages that included intact headers and subsequently a spoofed sender, what's likely the true sender, the intended recipient, the attachment which was identified as the ZIP file containing the malicious logic file that functions as a dropper for the RAT.

The body of the email, contained additional lure material that would likely anticipate after reading the subject, sch as referencing the (malicious) attachment, and claimed to be from Pony Express which further reinforcing the spoofed address.

DarkWatchman utilizes LOLbins and other novel methods of data transfer within modules to avoid detection, with parts of the malware, including configuration strings and the keylogger stored in the registry to avoid writing to disk.

The initial sample analyzed appears to be targeting a Russian-speaking individual or organization, though the script is written with English variable and function names, PACT based on that assesses with moderate confidence that this is an initial access tool for use by ransomware groups or affiliates.

DarkWatchman: Next Evolution in Fileless Malware Techniques

Offensive Security has released the fourth point version of Kali Linux 2021 series, Kali Linux 2021.4, with a number of exciting new penetration testing tools and several improvements.

Kali Linux 2021.4 brings a number of improvements, such as improved Samba compatibility, enhanced Apple M1 support, ability to switch package manager mirrors, Kaboxer theming, coupled with updates to Xfce, GNOME and KDE desktop environments.

It also support the VMware Fusion Public Tech Preview thanks to having kernel 5.14 with the modules needed for the virtual GPU.

What's New In Kali Linux 2021.4 release?

Kali Linux 2021.4 has the Samba client configured for Wide Compatibility so that it can easily connect to any Samba server, regardless of the version of the protocol in use. It should make it easier to discover vulnerable Samba servers, without having to configure Kali.

With the latest update of Kaboxer tools, Kali Linux 2021.4 brings support for window themes and icon themes, allowing the program to properly integrate with the rest of the desktop without the usage of ugly fallback themes. Below is a quick run down of what’s been added to Kali Linux 2021.4:

  • Dufflebag - Search exposed EBS volumes for secrets
  • Maryam - Open-source Intelligence (OSINT) Framework
  • Name-That-Hash - Do not know what type of hash it is? Name That Hash will name that hash type!
  • Proxmark3 - if you are into Proxmark3 and RFID
  • Reverse Proxy Grapher - graphviz graph illustrating your reverse proxy flow
  • S3Scanner - Scan for open S3 buckets and dump the contents
  • Spraykatz - Credentials gathering tool automating remote procdump and parse of lsass process
  • truffleHog - Searches through git repositories for high entropy strings and secrets, digging deep into commit history
  • Web of trust grapher (wotmate) - reimplement the defunct PGP pathfinder without needing anything other than your own keyring

Additionally, the NetHunter app now includes The Social-Engineer Toolkit, which can be used to customize Facebook, Messenger, or Twitter direct message for social engineering attacks.

How to Upgrade to Kali Linux 2021.4 Release?

For existing users who are using the previous version of Kali Linux, they can simply run the following command to upgrade their system to the latest Kali Linux 2021.4:

sudo apt update && sudo apt -y full-upgrade

And for a fresh installation from scratch, you can download the ISO image from the official page for the different supported versions and systems.

Kali Linux 2021.4 Release: Improved Samba Compatibility

The Zorin team has announced the release of Zorin OS 16 Lite, which condenses the Zorin OS 16 experience into a streamlined distro, designed to run efficiently on low-spec computers.

While Zorin OS 16 is one of the most advanced and popular release based on Ubuntu 20.04.3 LTS, offering a “Pro” edition which replaces the “Ultimate” edition that comes preloaded with a few apps and a couple of layouts. With the base edition, Zorin OS 16 “Core” still free, including all the essential features.

Now, Zorin OS 16 lite edition is powered by Xfce desktop environment for efficient performance with limited resources.

What’s New in Zorin OS 16 Lite Edition?

Zorin OS 16 Lite offers a refreshed with a revamped and refined appearance out of the box, with touches and animations that delightfully elevates your computing experience.

First, the taskbar is entirely new and re-written from the ground up to integrate well into the older desktop, now, it shows window previews when hovering over an app icon, allowing you a better overview of your workflow. It also includes the new Zorin Appearance from Zorin OS 16, designed to be even easier for use and navigation.

Zorin Appearance allows users to select a different desktop layout, and able to change the app and icon theme, with desktop font, and tweaking of other parts of the desktop to make experience truly personal.

Additionally, the Software store in Zorin OS 16 Lite comes pre-loaded with the app catalog of Flathub with the Snap store, and the Ubuntu APT repositories. And the built-in Software store also got many under-the-hood optimizations as well as UI improvements to make it easier to find and install apps from the different sources.

Furthermore, there is a new Sound Recorder app that provides a simple and beautiful way to record audio and speech and play it back. If perhaps, you’re creating a voice memo or producing a podcast, the Sound Recorder app will adapt to your workflow and makes the recording of the audio simply effortless.

How to Download Zorin OS 16 Lite?

Zorin OS 16 Lite and the Pro Lite are now available for download from the company's official website.

If you’ve already purchased the Zorin OS 16 Pro, you can download your copy of Zorin OS 16 Pro Lite from the download link in your purchase email.

Zorin OS 16 Lite Edition: What’s New?

The Firefox-maker is poised to introduce a novel sandboxing technology called RLBox in Firefox 95, which technology was developed in collaboration with researchers at the University of California San Diego and the University of Texas.

RLBox Sandboxing technology uses WebAssembly to isolate potentially-buggy code, making the isolation of subcomponents easier for more secure browsing and will be extended to all supported Firefox platforms (desktop and mobile), with five different modules: Graphite, Hunspell, Ogg, Expat and Woff2.

Even with these modules as untrusted code, or a zero-day vulnerability in any of them should pose no threat to Firefox with the RLBox technology in place.

How Isolating with RLBox makes the Difference?

The major browsers including Chrome, Safari and Microsoft Edge, all run Web content in its own sandboxed process, which in theory helps to prevent it from exploitations by a browser vulnerability to compromise your computer.

And having isolated things along trust boundaries, the next logical step is to also isolate across functional boundaries. This has meant hoisting a subcomponent into its own process, as Firefox runs audio and video codecs in a dedicated, locked-down process with a limited interface to the rest of the system. But, there are some serious limitations to this approach, it requires decoupling the code and making it asynchronous, which is time-consuming and could impose a performance cost.

As a result, nobody would want to seriously consider hoisting something like the XML parser into its own process, because to isolate at that level of granularity, we need a different approach.

Now, with RLBox, rather than hoisting the code into a separate process, it can instead be compiled into WebAssembly and then the WebAssembly compiled into native code and no need of shipping any .wasm files in Firefox, since the WebAssembly step is only an intermediate representation in the build process.

RLBox makes a big win on several fronts: it protects users from accidental defects as well as supply-chain attacks, and reduces the need to scramble when such issues are disclosed upstream.

How to Upgrade to the latest Firefox 95?

Firefox 95 is available for Windows, macOS and Linux, and can be downloaded from Mozilla's official site or from the respective app stores. But as Firefox updates happen in the background, users will only need to relaunch the browser to receive the latest version.

If perhaps you failed to get automatic update, you can manually update on Windows, by pulling up the menu under the horizontal bars at the upper right, then click on the help icon, which is the question mark within the circle. And select "About Firefox" and the upgrade will begin.

For macOS users, they should select "About Firefox" which can be found under the "Firefox" menu. And the page will show whether the browser is up to date or recommend the refresh process.

Mozilla tightens Sandboxing in Firefox 95 with RLBox technology

The process of discovering a new topic to write about, deciding the shape the material should take, formalizing your plan, and then actually producing it is known as content creation.

Furthermore, most content development processes include multiple rounds of editing with various stakeholders before the content is ready for publication.

Because content can take many different forms — blog posts, videos, eBooks, tweets, infographics, and advertisements, to mention a few – the process of creating it is multifaceted and not always as straightforward as it may appear.

Making Money with Your Content

We'll talk about how the rapid development of content creation is assisting people in making the most money. And how to make money by creating material that attracts attention and how to check for plagiarism using various tools before displaying your content to make a profit.

Produce Content Constantly

Consistency is the key to success. When you constantly write great content, you follow a better method gradually. You can't be inconsistent as a content creator if you are trying to make a living. If your audience enjoys your material, you have to keep making more content so they return.

Make sure that all of your content is unique and free of plagiarism. You can utilize various online plagiarism checkers to ensure that your audience is not turned off by receiving duplicate content.

When you stop meeting your audience's expectations and delivering consistent material, they will likely go on to someone else.

Make use of branded collaborations

If you want to build a long-term income flow, you must focus on your audience's perception of your brand. It's vital to create a one-of-a-kind experience that distinguishes you from the competition. It's tough, however, to create that rich and unforgettable experience on your own.

Form strong branded connections to help your content get traction. A branded partnership is when you collaborate with other businesses to share and cross-promote your content to their audiences.

Make Money with Your Work

Everyone fighting for attention on the internet is in a competitive atmosphere. Making money online will be difficult if you don't know what you're offering or who your target market is. As a result, only sell what you're good at to set yourself apart from the competitors.

You won't be able to make money if your information is plagiarized, so make sure you check plagiarism before putting it on show.

Ask yourself a fundamental question: why would consumers buy my products and use my content when they can get the same information and items from other reliable sources? It's at this point that you appreciate the value of focusing on a specific market segment. If you try to get to everyone, you'll end up speaking to no one. So, do what you're good at and find the right people to share your work with.

Make Exclusive Content Available

Making money online is not a one-time task when you offer something that is unique and amazing. It's not possible that you'll be able to make a few contents and start making money. You must be consistent, relevant, and outcome-oriented. You develop material to attract and build your audience first, and then you create new content regularly.

Let's pretend you still don't have any internet fans. It is where your premium content will come in to help your work. If you have something unique to share, there are many platforms that you can choose.

When creating material, you must ensure that it is 100 percent original and devoid of plagiarism. You can use an online plagiarism checker for this reason, which helps you check for plagiarism hence you can create original material that will appeal to your target audience.

Advertisements on Social Media

While selling exclusive material is a difficult business, you must still make sure that people know it. Social media advertisement may require some financial investment, but it will help you in attracting people who are unfamiliar with your content.

Direct Marketing

Direct advertising is frequently a good opportunity for content creators to make money. You can put clickable advertising on your website. After that, the advertiser will pay you for the revenue earned by tap. You can also include adverts in your YouTube videos, depending on the type of content you make. You will then be paid every time a user watches your videos' adverts.

While it is pretty simple, you must be cautious about the types of advertisements you run. Finally, you don't want to promote a product that may hurt your reputation.


While there are many options for content creators to earn money, start with the basics. Feel free to try several strategies to find which one works best for you. Experiment with something else if one of them isn't working for you. Make sure, however, that you establish yourself as an expert on social media.

Every day, work on increasing your network and developing a solid personal brand. Take advantage of every chance to promote the material that comes your way.

Build a following and monetize your work correctly. Most importantly, pursue your passions. You will be followed by money.

Learn what Content Creation is and How is it Profitable?

The Mint team has unveiled some updates about the new features in the upcoming release, Linux Mint 20.3, which release is just around the corner.

While the major upgrades in Linux Mint 20.3 includes the addition of MATE 1.26, against the previous Mint 20.2 release, which had MATE 1.24. Besides the updated version of MATE, it also brings a dark mode for XApps, and a brand-new mysterious app.

In fact, there are several key improvements and additions, many of which will be looked at here.

What New Features are Expected in Linux Mint 20.3 Release?

The most notable change is perhaps the addition of a dark mode for XApps, which change will affect all flavors of Linux Mint.

In the XApps also, the PDF reader gets proper manga support, by just hitting the left arrow key in manga mode, you are taken forward in the document, and the image viewer has received the ability to quickly fit into the width or the height of the displayed picture. And Cinnamon 5.2 brings multi-calendar events and events created in your calendars appears in your calendar applet. The applet also syncs with evolution-data-server, which enables it to support many other online calendars and apps.

Additionally, there is a mysterious app hinted at the Linux Mint blog, called ‘Thingy‘, which is currently on the Mint team’s GitHub account, and may serves as a document organizer app for Linux Mint. Albeit, there are still sketchy facts about the details and not much is known as at yet.

What's the Release Date of Linux Mint 20.3?

The first public beta of Linux Mint 20.3 will be released on December 18. It will perhaps unravel more of the features and changes to expect in the final release.

And the final release of Linux Mint 20.3 is still uncertain to come through this year, as the holiday season is fast approaching, however, ardent users will certainly welcome the gift of Mint 20.3 this Christmas.

Linux Mint 20.3: What's Expected Features and the Release Date?

RTF template injection is a novel technique in which an RTF (Rich Text Format) containing malicious file can be altered to allow for easy retrieval of content hosted on external URL upon opening the RTF file.

According to researchers at Proofpoint, there is an increase in the adoption of the novel and easily implemented phishing attachment technique by APT groups, with different state-sponsored threat actors including those aligned with China and Russia haven been observed using the new template injection as part of their campaigns to deliver malware to targeted victims.

RTF template injection leverages the legitimate RTF template functionality to subvert the plain text document formatting properties of an RTF file and allows the retrieval of a URL resource instead of a file resource via RTF’s template control word capability, which enables a threat actor to replace a legitimate file destination with a URL from which a remote payload can be retrieved.

And by simply altering RTF file’s document formatting properties, specifically the document formatting control word for “\*\template” structure, threat actors can weaponize an RTF file to retrieve remote content by specific URL resource instead of an accessible file resource destination.

How APT Threat Actors are Adopting RTF Template Injection?

APT groups believed to be affiliated to the state interests of India, Russia and China have all adopted RTF template injection, with the template injection RTF files attributable to the DoNot Team, historically been suspected of being aligned with Indian-state interests.

RTF files attributable to a Chinese-related APT group were identified as at September 29, 2021, which targets entities with ties to Malaysian energy exploration. While within this initial adoption period, Gamaredon, an APT group believed to be linked to the Russian Federal Security Service (FSB), was observed utilizing RTF template injection files in phishing campaigns that targeted Ukrainian governmental with file lures on October 5, 2021.

While historically the use of malicious RTF contents has been well documented as a method for delivering malware using RTFs, this new technique is more unique, simplistic and serves as a more effective method for remote payload delivery than previously documented techniques.

How to Safeguard your Systems against RTF Template Injection

RTF template injection is poised for wider adoption in the threat landscape based on its ease of use and its relative effectiveness compared with other phishing attachment template injection-based techniques.

Therefore, organizations should take a defensive, reactive approach to their security and most importantly, remain constantly vigilant, iterating on security procedures to ensure they are not caught off-guard when new RTF Template Injection are deployed to breach their defenses.

Cybercriminals Increasingly Adopting RTF Template Injection Technique

The evasive malware loader dubbed "RATDispenser" by HP Threat Research, is responsible for deploying at least eight different malware variants in 2021.

RATDispenser, as with most JavaScript malware, gains an initial foothold on the system before launching a secondary malware that then establishes control over a compromised device. According to the researchers, RATDispenser is predominantly used as a dropper, meaning the malware is not capable of communicating over a network to deliver malicious payload.

The different malware variants, however, can be purchased or downloaded from underground marketplaces, and the authors of RATDispenser as it seems may be operating a malware-as-a-service business model.

How RATDispenser JavaScript Loader is distributing RATs into the Wild?

RATDispenser infection chain begins with receiving an email containing a malicious attachment, such as a JavaScript file (.js) masquerading as a normal text file, supposedly with information about an order.

The user, however, needs to click on the file for the malware to run. When the malware runs, it decodes itself at runtime and writes a VBScript file on %TEMP% folder using cmd.exe. The cmd.exe process is passed along chained argument, which in parts are written to the new file using the echo function.

The malware families distributed by RATDispenser, includes STRRAT and WSHRAT, accounting for 81% of the samples analyzed. STRRAT is a Java RAT that was first seen in mid-2020, with keylogging and credential stealing capabilities. While WSHRAT, also known as Houdini, is a VBS RAT that appeared in 2013, which also has typical RAT capabilities.

But the most interesting among them is Panda Stealer, a new malware family targeting cryptocurrency wallets. The Panda Stealer was first seen in April 2021. And the least common families are GuLoader and Ratty, with the later an open-source RAT written in Java, and GuLoader is a downloader known for downloading and running various other RATs.

How to Mitigate against RATDispenser JavaScript Loader?

Albeit, JavaScript malware are less common file format than Microsoft Office documents, but in several cases it's more poorly detected.

Organizations should make sure that Network defenders feature is activated, as it can prevent infection by blocking executable email attachment file types from passing through their email gateways, such as JavaScript or VBScript. Also, it can interrupt the execution of the malware by changing the default file handler for JavaScript files, allowing only digitally signed scripts to run, or disabling Windows Script Host (WSH).

RATDispenser JavaScript Loader Distributing Remote Access Trojan

The MX Linux team recently released MX Linux 21 based on Debian 11 “Bullseye” and running Linux Kernel 5.10 LTS, coming as the first stable release of the “Wildflower” series.

Now, MX Linux has announced the release of another edition called MX Linux 21 AHS, where the ‘AHS’ stands for ‘Advanced Hardware Support’ meaning it includes newer graphics stack tailored for modern systems.

MX Linux AHS edition comes with the Xfce desktop environment by default, which guarantees smoother experience, as the Xfce desktop environment already has some significant improvements with the main MX Linux 21 release.

What’s New in MX Linux 21 AHS Edition?

MX Linux 21 AHS comes with Linux Kernel 5.14 and updated open-source graphics stack tailored for modern system.

It includes updated mesa, xorg and vulkan drivers for a graphic stack more inline with newer hardware, also with a few recompiled apps that utilize the later kernel. And MX Linux AHS will receive updates for the graphics stack over time, therefore those that do not need the newer graphics stack, don't have to use AHS.

Additionally, all users of the mainline MX releases can enable the ahs repository through mx-repo-manager to do regular updates, while keeping your 5.10 kernel, albeit you’ll have to get the later mesa, xorg and vulkan drivers.

How to Download and Install MX-21 “AHS” Edition?


MX Linux 21 AHS iso is now available for download, either as a direct download or you can choose to get the torrent files.

But note that there is a known issue for older systems, particularly with intel-based graphics, with suspend-to-ram, or at least resuming after suspend. If that feature is important to you and your PC can otherwise use the 5.10 kernel from the main releases, then stick with the main releases.

MX Linux 21 AHS Edition: What’s the Difference?

There is a new malware loader spreading through spam campaigns, dubbed Squirrelwaffle, that sends its malicious emails as replies to already existing email chains, a tactic that lures a victim into trusting the malicious spam.

According to researchers at Trend Micro, Squirrelwaffle is able to pull this off, using a chain of both ProxyLogon and ProxyShell exploits, vulnerabilities which were earlier patched this May on Microsoft Exchange Servers.

The vulnerabilities enable attackers to bypass ACL controls, with elevated privileges on Exchange PowerShell backend, which permits the attacker to perform remote code execution.

How Hackers exploit ProxyLogon and ProxyShell vulnerabilities in Spam Campaigns?

The server-side request forgery (SSRF) vulnerability allow an attacker access by sending a maliciously crafted web request to an Exchange Server which contains an XML payload targeted at the Exchange Web Services (EWS) API endpoint.

This exploit gives an attacker the ability to get users SID and emails, and bypasses authentication using specially crafted cookies which allows an unauthenticated threat actor to execute EWS requests encoded in the XML payload and ultimately perform operations on victims’ mailboxes.

In one of the Trend Micro team's observed intrusions, all users in the affected network received the spam emails which have been sent as legitimate replies to existing email threads. And the emails were written in English even though this spam campaign targeted the Middle East. Albeit, other languages were used for different regions, but most were in English.

Interestingly, the real account names of the victim’s domain were used as recipient and sender, which increases the possibility that a recipient will click the link to open the malicious files.

How to Mitigate against Squirrelwaffle Attack?

Squirrelwaffle campaigns again reiterates the different tactics used by hackers to lure victims into clicking malicious emails and files. And it also shows that emails from trusted contacts may not be enough indicator that thelink or file in the email is safe.

Therefore, it is important to ensure that the released patches for Microsoft Exchange Server vulnerabilities, ProxyShell and ProxyLogon (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) have been applied and Microsoft recommends that users install more recent (May or July) security updates.

Hackers hijack Email Chains for sending Malicious Spam replies

GitHub will be requiring two-factor authentication (2FA) for maintainers of popular NPM packages, following recent exploits involving popular NPM package ua-parser-js found to contain malicious code.

While ua-parser-js is used in apps/websites to discover the device or browser a person is using from User-Agent data, a computer with the software installed could allow a remote attacker to obtain sensitive information. Also, GitHub disclosed a vulnerability that could allow an attacker to publish new versions of any NPM package using an account without a proper authorization.

The new 2FA policy will start with a cohort of top NPM packages in the first quarter of 2022, according to a bulletin published by GitHub on November 15.

Major incidents on the registry where NPM accounts were Compromised by malicious actors

GitHub discovered an issue in the routine maintenance of a public NPM service, which during maintenance on the database of NPM replica, data were generated that could expose the names of private NPM packages.

It allowed consumers of the replica to identify the names of private packages due to records in the public changes feed. The names of packages in the format of @owner/package created before October 20 were all exposed for a period between October 21 to October 29, before work started on a fix and on determining scope of the exposure.

However, the records containing the private package names have been removed from the service and changes made to prevent the reoccurrence of the issue.

What to do when You have infected package installed or running on your System?

If a PC has an infected package installed or running, it should be considered fully compromised, all information and secret keys stored on that computer should be rotated from a different computer immediately.

GitHub also recommends that the package should be removed, but as total control of the compromised computer may have been given to the threat actors, there isn't any guarantee that removal of the package will remove the malicious software.

GitHub to mandate 2FA for maintainers of top NPM packages

Firefox Relay is a service available at, that offers a smart, easy email aliases solution which can preserve the privacy of your email address.

The service was initially rolled out in a beta phase for early adopters, with limited access to features. Now, it is generally available for all users, with the introduction of a premium plan that unlocks all the features.

While an email alias is temporary email address that forwards all received emails to your actual email inbox. It protects your real email address from spammers and helps in managing spam effectively.

How Does Firefox Relay protect against Spammers?

Firefox Relay, as a privacy-first service hides your real email address to help protect your identity from spammers. It will forward your email messages from your alias email addresses to your primary email address and all messages are deleted after they’re delivered to you.

And you get five free email aliases and up to 150 kb attachments for free. Additionally, the ability for labels to be synced across devices allow you to add information such as an account name or description to make it easier for you to know which websites you are using the alias. This new syncing ability, means you’ll be able to see the labels on all your connected devices, including mobile phone.

Firefox Relay is currently available in the following languages, namely: English, German, Chinese, Dutch, French, Greek, Italian, Portuguese, Swedish, Ukrainian, Slovak, Spanish and Welsh.

How to Get Started with Firefox Relay

Firstly, you need to create a Firefox Account, if you don't already have an account, and you’ll need to sign in at to generate up to five free random email aliases to use. However, if you need more than five email aliases, you'll have to sign up for the Premium service instead.

The premium service introductory price starts at $0.99 per month and currently available in United States, Canada, United Kingdom, Singapore, Malaysia, and New Zealand; with 0.99 EUR/1.00 CHF in Europe including Austria, Germany, Ireland, Belgium, France, the Netherlands, Spain and Switzerland.

Firefox Relay Email Aliases offer protection against Spammers

The Cleafy TIR team has discovered a new Android banking Trojan, dubbed SharkBot, that can initiate money transfers from compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms.

SharkBot, once successfully installed in the victim's device, can obtain sensitive banking data through the abuse of Android Accessibility Services, with such information as credentials, login details, current balance, and also able to perform gestures on the infected device.

The botnet is currently targeting victims in the UK, Italy, and the US, mainly banking applications and cryptocurrency exchanges.

How SharkBot Trojan Steals Personal Banking  Information?

SharkBot can implement overlay attacks to steal personal banking login credentials and credit card information and also with capabilities to intercept legitimate banking communications sent via SMS.

It is also capable of performing Automatic Transfer System (ATS) attacks within the infected device, which is an advanced attack technique that enables attackers to auto-fill form fields in legitimate banking apps and initiate transfers from the compromised devices.

The Trojan has a very low detection rate by anti-virus solutions, even with multiple anti-analysis techniques implemented, including obfuscation routine, and a domain generation algorithm (DGA) for its network communication.

SharkBot also attempts to bypass behavioral detection countermeasures such as biometrics put in place by multiple financial services with the abuse of Android Accessibility Services.

How to Mitigate against SharkBot Banking Trojan?

SharkBot is installed on the users' devices using either the side-loading technique or social engineering schemes.

Therefore, it is advised that organizations should be vigilant of these sort of attacks, and also make sure that file permissions aren't set to the "Everyone" group to limit the exposure to further attacks. And always ensure to check the permissions on running database and confirm the permissions are locked down.

New Generation of Android Trojan bypassing multi-factor authentication

HTML Smuggling is a technique used to drop the first-stage dropper—malware samples that's fast gaining notoriety, and recently employed in the spear-phishing campaign carried out by the Nobelium group.

According to Menlo Security, a malware campaign dubbed ISOMorph, been monitored by the team leverages HTML Smuggling to deliver malicious files to victims’ endpoints by evading security solutions like sandboxes and legacy proxies.

ISOMorph attack is multi-staged and capable of checking and disabling various anti-virus programs running on the endpoint.

How ISOMorph uses HTML Smuggling to deliver Malicious files?

ISOMorph attack uses HTML Smuggling to deliver payload to the endpoint as the browser is one of the weakest links, without security solutions to block the payload. HTML Smuggling delivers malicious files by effectively bypassing network security solutions, including legacy proxies, sandboxes, and firewalls.

Attackers use this technique to construct the malicious payload programmatically on HTML page using JavaScript, as opposed to HTTP request to fetch a resource on a web server. It is neither a bug or a design flaw in the browser technologies; developers use the technique most often to optimize file downloads.

The threat actors behind ISOMorph uses JavaScript code to construct the payload on the browser, by creating an element “a” and setting the HREF to the blob, programmatically clicking it will trigger the download to the endpoint.

However, the user must need to open it to execute the malicious code, once the payload is downloaded to the endpoint.

How to Mitigate against ISOMorph Attack?

HTML smuggling is gaining popularity as attackers can easily get their payloads to the endpoint while bypassing all network security, inspection and analysis tools.

As attackers are increasingly upgrading to get their payloads to the endpoint, using such techniques as HTML Smuggling for their initial access, knowing the initial access methods is critical to a strong response strategy.

ISOMorph Attack leverages HTML Smuggling to deliver malware

Microsoft announced the release of C# 10 as part of .NET 6 and Visual Studio 2022, with the object-oriented, type-safe programming language having capabilities that make code quicker and more expressive.

According to the company, C# produces errors when a value that has not been definitely assigned is used, and C# 10 understands the code better to produce less spurious errors, which improvements means users will see less errors and warnings for null references.

Also, C# 10 adds extended property patterns that make it easier to access nested property values in patterns.

What's New in C# 10 Programming Language?

C# 10 brings improvements to structs, as it introduces features for structs that offer better parity between classes and these new features include field initializers, parameterless constructors, record structs and expressions.

Before the release of C# 10, every struct had an implicit public parameterless constructor which set the fields to default, and it was an error to create a parameterless constructor on a struct. But with C# 10, you can include parameterless struct constructors or the implicit parameterless constructor will be provided to set all fields to their default.

In C# 10, you can also specify an explicit return type on a lambda expression, just like on a method or a local function, and the return type goes right before the parameters. Albeit, lambdas are invoked differently from methods and local functions, as a result attributes don't have any effect when the lambda is invoked.

C# 10 has a number of other improvements across the language, with some of these helping to make C# work in the way you expect.

How to Get Started with C# 10?

C# 10 is part of the .NET 6 software development framework and Visual Studio 2022 IDE, and C# programmers using this IDE experience will benefit from several improvements in this release.

Get started by downloading Visual Studio 2022 on Windows which is now available as a 64-bit application, you can edit, run, and debug the biggest and most complex problems without running out of memory.

What's New in Microsoft’s C# 10 Programming Language?

Fedora 35 stable version was recently released with a few notable improvements, including the addition of Gnome 41 and Linux Kernel 5.14, along with the completion of the transition to PipeWire.

While Fedora is known for implementing the latest desktop environments, this release certainly doesn’t seem to change with the norm. Fedora 35 includes KDE Plasma, Xfce, and other desktop environments, as well as images for ARM devices.

And the different desktop variants of Fedora 35, including Fedora Workstation, Fedora KDE, and the others, will also use BTRFS as the default filesystem.

What's New in Fedora 35?

Fedora 35 inclusion of the recently-released Gnome 41 means that it also adds the new Connections app, and significantly improved software center, with multitasking controls for the Fedora 35 Workstation.

On the downside, Fedora 35 opted for Plasma 5.22, instead of the recently released Plasma 5.23, though a minor upgrade, Plasma 5.22 includes the adaptive transparency feature, with improved system settings.

The new Linux 5.14 kernel is great news for those on ARM-based systems, as Linux 5.14 includes many ARM-specific improvements. And ARM computer users will benefit from many of the other improvements in Linux 5.14, mostly as related to GPUs.

What's more? You also get Flatpak app support out-of-the-box to install software easily, and Fedora Kinoite which is based on rpm-ostree technology, features the KDE Plasma desktop..

How to Get Started with Fedora 35?

If you're a new user and want to try Fedora 35, you can donwload the ISO image from the official page, with the images of all editions and variants available.

And you can also check out the full list of changes for all available features in Fedora 35, which can be found in the changelist or in the official announcement.

What's New in Fedora 35 Release?

Mekotio is an old modular banking Trojan that had targeted Latin American countries, but recently made a comeback with stealthy and evasive techniques.

According to Check Point researchers, over 100 attacks has been detected in recent weeks using the new technique, with the infection starting out and distributed with a phishing email having a link to a zip file or a zip archive as an attachment.

The main characteristics of these banking Trojans, such as Mekotio, is the modular attack that gives the attackers the ability to change just a small part of the whole to avoid detection.

How Mekotio new attack flow is carried out

The infection starts with a phishing email containing a link to a zip attachment, which lures the victim into downloading and extracting the zip content.

If the victim clicks on the zip content, the malicious batch script will be executed, that runs a “PowerShell Download Cradles” which downloads and runs a PowerShell script on the memory.

The PowerShell script checks if the target is located in Latin America and makes sure it is not running in a virtual machine. It then sets up persistence in the victim’s operating system by downloading a secondary zip archive.

Check Point researchers believe that the main cybercrime groups behid the new campaigns are operating from Brazil and that they collaborated with Spanish gangs which were recently arrested to distribute malwares. But the arrest did not stop the main cybercrime groups, rather it only stopped the activity of the Spanish gangs.

How to Mitigate against such Banking Trojan like Mekotio?

As threat actors continue to adopt various evasive techniques to avoid detection, with social engineering tricks that lure victims to give up their online banking data, getting more pervasive. Therefore, the most important advice is for users not to click on links that come from any unknown source.

And also beware of lookalike domains, spelling errors in emails or site address, and unfamiliar email senders, especially if they prompt for certain actions that are unusual.

Mekotio Banking Trojan Returns with Stealthy and Evasive Techniques

Microsoft researchers has discovered a vulnerability in how Apple-signed packages are installed with post-install scripts, which could allow an attacker to bypass System Integrity Protection (SIP) in macOS systems.

SIP is a security feature in macOS that restricts a root user access to perform operations that could compromise system integrity. But the vulnerability dubbed "Shrootless" and tracked as CVE-2021-30892, could allow threat actors to create a malicious file and install in infected system that would hijack the installation process.

The attacker could also install a rootkit, with which to overwrite system files, or install more persistent, undetectable malware.

How 'Shrootless' Bug Could allow Attackers Install Rootkit on macOS Systems?

SIP was introduced in macOS Yosemite, also known as "rootless" — that essentially locks down macOS system from root by leveraging the Apple sandbox technology to protect the entire platform.

Now the only legitimate means to disable SIP is simply booting into recovery mode and turning SIP off. And the Turning of SIP on or off is done via the built-in csrutil tool, which also can display the SIP status: Therefore, the researchers looked at macOS processes entitled to bypass SIP protections, which led to the discovery of a software daemon called "system_installd" that enables any of its child processes to circumvent SIP filesystem restrictions.

The successful exploitation of bug could enable a malicious actor to modify protected parts of the file system, including the ability to install malicious kernel drivers, also known as rootkits.

How to Mitigate against the New 'Shrootless' Bug?

Microsoft promptly shared the findings with Apple via Coordinated Vulnerability Disclosure (CVD) through Microsoft Security Vulnerability Research (MSVR). And a fix for the vulnerability was included in the security updates released by Apple on October 26, 2021.

Apple, therefore, recommends that macOS users should update their systems to safeguard from the security problem, as the new OS is beefed up with additional restrictions.

New SIP bypass vulnerability allow attackers break into macOS Systems

Despite the controversy surrounding the AI-driven programming assistant, Copilot, GitHub has gone ahead to add support for more editors like JetBrains IDE and Neovim, along with multiline code completions in languages such as C, C++, C# and Java.

While the early preview was launched with Visual Studio Code extension only, with very few languages supported, Copilot now support programming languages such as JavaScript, TypeScript, Python, Ruby, and Go.

Copilot remains in preview stage, with the support for editors like Neovim and JetBrains IDEs, still expected to be launched in thenext updates with focus on JetBrains’ IntelliJ and PyCharm.

What is GitHub Copilot?

Copilot is an AI system trained on a selection of English language, powered by OpenAI Codex, and source code derived from publicly available repositories on GitHub.

It draws on the context of class names, function and method names, with comments to generate and synthesize the code offering developers with suggestions for new lines of code or functions in the editor. Copilot provides synthesized code suggestions, not just verbatim comments, and safeguards are being implemented to ensure that verbatim comments don't make it into code suggestions.

GitHub also discovered that code snippet suggestions verbatim were about 0.1% of the time. It also suggested that a fair amount of human intervention will be required when working with Copilot.

How to Get Started with Copilot?

Developers are enjoined to sign up to the waitlist to try out Copilot via the GitHub Copilot portal.

The company is keen to engage in a discussion with developers on topics and lead in setting up appropriate standards for training AI models.

GitHub Copilot extends Support for JetBrains IDE

F# 6 is Microsoft's effort to make F# simpler and boost performance, ranging from the language design, tooling and library, with the major goal of removing unnecessary hurdles on the path to adoption.

The new version is more uniform and interoperable with other .NET languages, and according to Microsoft, F# 6 will ship with .NET 6 RC2 and Visual Studio 2022 RC2, and serves as the next step to making it easier for users to write robust, succinct and performant code.

And perhaps, the major technical feature in F# 6 remains authoring asynchronous tasks more performant, and interoperability with other .NET languages like C#.

What's New in F# 6?

F# 6 provides the feature “overloaded custom operations in computation expressions” which since F# 5.0 has been in preview; the feature allows for simpler DSLs in F# including for web programming and validation.

While F# includes active patterns feature that allows users extend pattern matching in intuitive ways, with F# 6, the feature has been augmented with optional Struct representations for active patterns. Also, in F# 6, the “as” pattern can now itself be a pattern, which is important when a type test has given a stronger type to an input.

The in-memory cross-project referencing feature simplifies working between C# projects, as it allows C# projects to reflect immediately in an F# project without recompiling the C# project on disk.

Additionally, F# developers have the benefit of .NET 6 improvements to satisfy packaging rules for commonly used Linux distributions, and profile-guided optimization, can compile startup code with reduce binary size, at higher quality, and rearrange application binaries so that code used at startup is collocated at the start of the file.

How to Get Started with F# 6?

F# 6 release coincides with the release of Visual Studio 2022 on Windows and F# programmers using this IDE experience will benefit from several improvements in this release.

Visual Studio 2022 on Windows is now available as a 64-bit application, which means you can open, edit, run, and debug even the biggest and most complex solutions without running out of memory.

What's New in Microsoft’s F# 6 Programming Language?

Microsoft 365 Defender Threat Intelligence Team has uncovered a unique phishing kit, which it dubbed ToadyZoo, built from code copied from other kits, and available for sale publicly to be reused and repackaged by other kit resellers.

According to the security team, the name “TodayZoo” was picked because of the curious use of these words in the kit's credential harvesting component in past campaigns, which likely is a reference to phishing pages that spoofed a popular video conferencing app.

TodayZoo contained pieces of code copied from other widely circulated kits, with the copied code segments having the comment markers, and other holdovers from previous kits and thus, provides rich insight into the state of the phishing and email threats today.

What is a Phishing Kit?

Also known as a “phish kit”, a phishing kit refers to various parts of a software set meant to facilitate phishing, most commonly used to archive file containing scripts and HTML pages that enable an attacker to easily set up an evasive phishing page to steal credentials.

These phishing kits are sold in underground forums for a one time payment. It also can specifically refer to the unique page itself that spoofs a brand in order to lure users into disclosing their credentials, which are often posted to an asset the attacker controls.

For instance, the researchers observed a series of phishing campaigns that abuse the AwsApps[.]com domain to send email messages that eventually directed users to the spoofed landing pages, the attackers were able to create malicious accounts at scale, with the sender emails appearing with randomly generated domain names.

How TodayZoo represents the latest Trends in the Phishing landscape?

TodayZoo and other phishing kits presents several insights into the underground phishing threat landscape, it further proves that most phishing kits are available based on a smaller cluster of larger kit units.

Albeit this trend isn't quite new, but it continues to serve as the norm, given how phishing kits share large amounts of code among themselves. And the presence of dead links and callbacks to other kits also indicates that phishing kit distributors and operators have easy access to existing kits for reuse to make new ones faster.

Hackers deploy Phishing Kit in widespread Credential Stealing Attacks

MX Linux is a relatively popular Linux/GNU distribution that offers a lot of potential by providing a complete operating system backed by the MX repository, Debian and antiX Linux.

The MX Linux team has released MX Linux 21 based on Debian 11 “Bullseye” and running Linux Kernel 5.10 LTS, with bug fixes and several application updates, coming as the first stable release of the “Wildflower” series.

MX Linux 21 introduces a new edition with Fluxbox 1.3.7, that works seamlessly on high-end computers but light on resources to also support older computers.

What's New in MX Linux 21 “Wildflower” Release?

MX Linux 21 included the Fluxbox edition which will be available as a separate ISO file, along with the regular XFCE and KDE desktop editions.

Fluxbox is a lightweight window manager which is capable of running on both older and modern systems, while the MX community decided to customize the Fluxbox capabilities to bring a unique desktop experience along with a set of pre-installed XFCE apps. Below are other Improvements in MX Linux 21:

  • Better realtek wifi support
  • MX-Tour showing an overview of each desktop environment
  • Xfce 4.16, Plasma 5.20, fluxbox 1.3.7 with mx-fluxbox 3.0 configs
  • New UEFI live system boot menus. UEFI live users can now select your live boot options
  • New installer partition selection/management area, including some lvm support if lvm volume exists already and the ability to set existing data partitions to be mounted on install
  • MX-Comfort default theming, including dark variants and “thick border” Xfwm variants
  • Mesa vulkan drivers are installed by default

Furthermore, there is the UEFI Live boot menus and extra “rollback” boot option, though the live system may likely not boot on systems with secure boot enabled.

How to Download or Upgrade to MX Linux 21?

For a fresh installation, the ISO image of MX Linux 21 can be downloaded from the official website. And you can create an MX Linux bootable USB and then install it, once you download the required image.

For those already using MX Linux 19 ‘Patito Feo’ series, you can update your system to MX-21 by manually upgrading your packages.

MX Linux 21 “Wildflower” Release: What's New?

Microsoft has released a preview of Visual Studio Code for the Web which offers a free, zero-install Visual Studio Code experience running completely on the browser.

While this isn't the first attempt at bringing VS Code to the web, as Microsoft had in 2019 released a web-based version of its Code Editor, Visual Studio Online, which was previously in a private testing with select developers. But the initiative later morphed into GitHub Codespaces and remains under the direction of GitHub.

Now, the new VS Code for the Web provides many of the features of VS Code desktop, including search and syntax highlighting while browsing and editing, along with support for extension to work on your codebase and make edits simpler.

How VS Code for the Web differs from VS Code desktop?

The new VS Code for the Web is a browser-based version of the popular code editor, allowing easy navigating of files and repositories and committing lightweight code changes.

For developers who need access to a runtime to run, build, or debug their code, it is recommended moving to the desktop application or GitHub Codespaces for full access to capabilities of VS Code. Also, VS Code desktop allows you to run extensions that are not yet supported in the web version, and make use of a full set of keyboard shortcuts not limited by browser.

As VS Code for the Web runs entirely in a web browser, it offers a very limited execution environment. Albeit, support for Azure Repos in Visual Studio Code for the Web is already in preview, and the experience will help it to improve over time.

Getting started with VS Code for the Web

VS Code for the Web is live at, you can create a local file or new project, or perhaps, work on an existing local project, and access source code repositories that are hosted elsewhere, such as on GitHub and Azure Repos, part of Azure DevOps.

And to work with both GitHub and Azure Repos, you should note that VS Code for the Web supports only two routes, and

Microsoft brings VS Code to the Web Browser

Social Engineering Campaigns involve the use of deception to get web users into disclosing personal information that could be used for fraudulent purposes, using a variety of techniques such as phishing, whaling, and pharming.

Google’s Threat Analysis Group (TAG) has disclosed tracking a group of hackers recruited in a Russian-speaking forum, that lure their target with fake collaboration opportunities, to hijack their YouTube channel, and then sell it off to the highest bidder or use the channel to broadcast cryptocurrency scams.

As many YouTube creators provide their email address on the channel for easy contact for opportunities, the attackers would forge business emails impersonating an existing company requesting a collaboration.

How Attackers use Social engineering to hijack YouTubers accounts?

Typically, the phishing starts with a custom email of the company introducing its products, and if a target agrees to the deal, a malware page disguised as a software download URL will be sent via email or a PDF, or in some cases, Google documents containing the phishing links.

There are several domains associated with forged companies registered by the attackers and multiple websites built for malware delivery. According to TAG, at least 1,011 domains were created solely for this purpose, with some of the websites clone of legitimate software sites, such as Cisco, and games on Steam, with some generated using online templates.

The researchers identified around 15,000 actor accounts, most of which were created for this campaign specifically. There is also another technique employed by the hackers known as 'pass-the-cookie attack' which is a session hijacking technique that enables anyone access to user accounts with session cookies stored in the browser.

Though the technique has been around for some time, its resurgence could be due to the wider adoption of multi-factor authentication (MFA) that makes it difficult for attackers to break into accounts, hence the shift to social engineering tactics.

How to Mitigate against Social Engineering Attacks?

As the threat actors becomes more sophisticated in their attacks, it is important that web users remain aware of the types of threats and take appropriate steps to further protect their accounts.

Most importantly, they need to activate multi-factor authentication which provides an extra layer of security to account in case password is leaked or stolen. And also enable the “Enhanced Safe Browsing Protection” mode in Chrome browser, which feature increases warnings on potentially suspicious web pages.

YouTube Influencers targeted in New Social Engineering Campaign

Threat actors had mostly targets financial companies, and reason is not farfetched, as these organizations possess a trove of customer data that is a gold mine to hackers.

There is a massive phishing campaign dubbed MirrorBlast which targets financial services organizations. MirrorBlast contains malicious links which download a weaponized Excel document, and due to the extreme lightweight of the macro embedded in its Excel files, it is particularly difficult to detect by security and sandboxing technologies.

The current phishing campaign as tracked by the Morphisec Labs team began in early September, with the attack chain of the infection bearing a similarity to the tactics, techniques, and procedures commonly used by the Russia-based threat group TA505.

How MirrorBlast Spreads through Mass Email Campaigns?

The MirrorBlast attack chain starts with an email attachment document that poses as a file share request, which at a later stage, changes to the use of Google feedproxy URL with SharePoint and OneDrive lure.

The Google feedproxy URLs lead to a compromised SharePoint or fake OneDrive website that the attackers use to evade detection, in addition to a SharePoint sign-in requirement that helps to evade sandboxes. And there are different variants of the document, for the first variants, the macro code was hidden behind the Language and Code document information properties, which later is moved to the sheet cells.

Additionally, there wasn’t any anti-sandboxing and the code added one more obfuscation layer on top of the previous obfuscation.

The success of campaign, however, hinges on the enabling of macros by users after opening the malicious attachments, which an obfuscated MSI file is downloaded to install the next-stage loaders before delivery of the updated version of the Trojan that incorporates obfuscated API calls.

How to Mitigate against MirrorBlast Phishing Campaign?

The MirrorBlast attack have very low detections in VirusTotal, which is indicative of the advancement most threat groups have reached in evading detection-centric solutions.

Organizations should therefore take a defensive, reactive approach to their security and most importantly, remain constantly vigilant, iterating on security procedures to ensure they are not caught off-guard when new TTPs are deployed to breach their defenses.

New Email Phishing Campaign targeting Financial Companies

Tianfu Cup is China's version of Pwn2Own, which in its fourth rendition, like last year's edition, the hacking contest took place in Chengdu, China.

While Tianfu Cup 2021 which has just ended showed off hacking attempts against a number of popular programs, including Windows 10, Linux and popular browsers such as Chrome and Safari, with the hackers successfully hacked several of such popular software programs.

There are multiple other software programs from Microsoft, Adobe, Mozilla, and ASUS that were also successfully hacked with previously unknown exploits in Tianfu Cup 2021.

Major Exploits at Tianfu Cup 2021 Hackathon

The two-day hacking contest took place on October 16 and 17, with several security researchers competing for the prize money. Kunlun Lab took the top spot by winning $654,500 for successful exploits of iOS 15, including a remote code execution flaw in mobile Safari.

Also, the Kunlun Lab researchers pwned Google Chrome by getting Windows system kernel level privilege with two bugs, and the PangU team emerged second with a haul of $522,500 for a remote jailbreak in iPhone 13 Pro running iOS 15, which marks the first time the new iPhone model has been hacked at a public contest, while the VRI team came third by winning a total of $392,500.

Besides the above exploits, several hacks were mounted successfully against targets such as:

  • VMWare Workstation
  • Ubuntu 20/CentOS 8
  • Microsoft Exchange Server
  • Adobe PDF Reader
  • ASUS RT-AX56U router
  • Parallels Desktop
  • Docker CE

The hacking competition also showed off successful hacking attempts against VMWare ESXi, Adobe PDF Reader and Synology DS220j DiskStation, among others.

The Tianfu Cup hackathon had the overriding idea of using web browsers to navigate a remote URL or using a flaw in the software to control the browser or any of the underlying operating systems.

Tianfu Cup Hackathon ended with iOS 15, Chrome and Windows 10 pwned

The latest non-LTS release, Ubuntu 21.10, codenamed “Impish Indri” is now available for download; albeit, it will receive support for only nine months, that is, until July 2022.

While the current Long-term support (LTS) release Ubuntu 20.04 LTS, as LTS release will get major updates and improvements until 2030. Now, let's see if there are any compelling features to make users on Ubuntu 20.04 LTS to want to upgrade to this non-LTS release.

The codename for Ubuntu 21.10, Impish Idri, means “showing no respect for something in a way that is amusing” or to put it another way, inclined to mischief.

What’s New in Ubuntu 21.10 “Impish Indri” Release?

Ubuntu 21.10 brings the long awaited GNOME 40, which is an exciting upgrade and several other notable improvements.

GNOME 40 offers a refreshing change to Ubuntu, but only after experiencing it, can you actually tell. Here’s a quick rundown of what to expect with this release.

  • Refreshed Installer
  • PulseAudio 15 With Bluetooth LDAC Support
  • Wayland Session with NVIDIA Proprietary Driver
  • Package updates to LibreOffice, Thunderbird
  • Firefox as a Snap by default
  • Linux Kernel 5.13

Additionally, the mixed theme feature has been ditched in Ubuntu 21.10, rather opting for light/dark theming. And Linux Kernel 5.13 inclusion means there will be support for advanced Intel and AMD chips, also Apple M1 support.

How to Download or Upgrade to Ubuntu 21.10?

For a fresh installation, the ISO image of Ubuntu 21.10 is now available for download on the official website. And for existing users of Ubuntu 20.04 LTS, you'll get the option of automatic upgrade via the Update Manager.

However, it is recommended that users of Ubuntu 20.04 LTS should wait for the next LTS release, Ubuntu 22.04 LTS.

Ubuntu 21.10 “Impish Indri” Release: What’s New?

LibreOffice is an open-source office productivity software suite, mostly used by adherents of Linux distributions and it is run and maintained by The Document Foundation.

While LibreOffice supports digital signatures of ODF documents and macros within docs, it tends to present visual aids that alteration of the document never occurred since the last signing and validation of the signature. But, there are some vulnerabilities in how LibreOffice handles the documents, as an Improper Certificate Validation in LibreOffice could allow an attacker to create a digitally signed ODF document.

The attacker could modify a digitally signed ODF document to insert additional signing time timestamp by manipulating the documentsignatures.xml or macrosignatures.xml stream within the doc, which LibreOffice would then present as a valid signature.

How the exploitation of the Flaws could allow an attacker to Manipulate the Timestamp of signed ODF documents?

The exploitation of the flaws, which are three in number, could permit an attacker to alter the contents of a doc or self-sign a document with an unvalid signature, and manipulate the timestamp of signed ODF documents, including altering the contents of a document.

LibreOffice will incorrectly display a valid signature indicator suggesting that the document was not tampered with since the signing, and presents the signature with an unknown algorithm as legitimately issued by a trusted party.

The vulnerabilities could also be weaponized by malicious actors to alter documents, making them appear as if digitally signed by a trusted source.

How to Mitigate against LibreOffice's Digital Signature Spoofing?

The discovery was credited to NDS of Ruhr University Bochum who reported the flaws, and The Document Foundation has promptly issued security fixes for the three vulnerabilities.

The flaws were fixed in LibreOffice versions 7.0.5, 7.0.6, 7.1.1 and 7.1.2. Therefore, it is recommended that users of LibreOffice should update their software to the latest versions.

LibreOffice susceptible to Critical Digital Signature Spoofing Flaws

Java Development Kit (JDK) 18 release is still some months away, and the next upgrade Java 18 has already started to take shape, with the simple web server proposal and proposal for a re-incubation of a foreign function and memory API.

While Java 17 brought new interface types for PRNGs including jumpable PRNGs and implementations of an additional class of splittable PRNG algorithms (LXM); the new interface, dubbed RandomGenerator, offered a uniform API for all new and existing PRNGs.

The JDK Enhancement Proposal (JEP) index of Java technologies cites the record patterns and an array of proposals as expected for JDK 18, albeit, it has not been marked officially.

What to Expect in Java 18 and the Final Release date?

Java 18 is due for release in March 2022, and has already started to take shape, with proposals to preview record patterns and array patterns, incubate the vector API, and adopt UTF-8 as the default character set.

JDK 17 was a long-term support (LTS) release, which means it will receive at least eight years of support from Oracle, while JDK 18 is a short-term feature release that be supported for only six months. Below are some of the officially targeted JDK 18 proposals:

  • Foreign function and memory API: The intent is to replace JNI with a superior and pure Java development model
  • Code snippets in Java API: the introduction of @snippet tag for JavaDoc’s Standard to simplify the inclusion of example source code in API documentation
  • Preview of record patterns and array patterns: the Java language would be enhanced with record patterns to deconstruct record values, array patterns, and to deconstruct array values
  • Vector API: concerns vector computations that compile at run time to optimal vector instructions on supported CPUs, achieving performance superior to equivalent scalar computations
  • Simple web server proposal: a command-line tool that would be provided to start a minimal web server which serves static files only

If you're a developer and want an early-access to open source builds of JDK 18, you can get it at But note that JDK 18 is not due until March 2022, and it would be supported for only six months.

JDK 18: What to Expect in Java 18 and the Final Release date?

Windows Subsystem for Linux (WSL) is a compatibility layer for native running of Linux binary executables on Windows machines, introduced as a feature in Windows 10.

Now, Microsoft has launched a standalone WSL application in the Microsoft Store for Windows 11 machines, which will allow users to get the latest WSL updates and features faster, without the need to modify their Windows version. Albeit, this as an initial preview to help ensure the best quality before making it generally available.

Microsoft maintains that WSL app is the exact same WSL that users are already familiar to and love, all that was changed is how it gets installed and updated.

Why WSL Users should be excited about this big change?

Before now, WSL served as an optional component inside of Windows, which means that users need to avail the “Turn Windows Features on or off” dialogue to enable it, and it requires you restarting your machine.

And the binaries that make up WSL’s logic are part of the Windows image, and serviced and updated as part of Windows itself. But with WSL app, you can get access to WSL features faster, and don’t have to worry about updating your Windows version to get the latest WSL updates.

This change simply decoupled WSL from Windows version, allowing users to update through the Microsoft Store. Now, once new features such as GPU compute and Linux file system drive mounting are released, you'll get access to it right away on your machine without the need to update the entire Windows OS.

How to Download and install WSL App from the Microsoft Store?

Firstly, you should make sure your machines is running a Windows 11 build or higher (Windows build number 22000 or higher) and that the Virtual Machine Platform optional component is enabled.

This can be done by running: dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all in an elevated PowerShell prompt Click on this link to go the Microsoft store page for WSL app and click Install to install WSL, and then you can install any Linux distro of your choice to start using it.

Microsoft debuts WSL App for Windows 11 in the Microsoft Store

There is a new malware family, dubbed "FontOnLake" by cybersecurity firm ESET, that utilizes custom and well-designed modules, and mainly targets systems running Linux.

And the modules employed by this malware are constantly under development and offer remote access to the operators, including collection of credentials, and serving as a proxy server; while to collect data or conduct other malicious activity, this malware uses modified legitimate binaries that are adjusted to load further components.

The sneaky nature of FontOnLake in combination with the advanced design suggest that they are used in targeted attacks; with the binaries such as cat, kill or sshd which are commonly used on Linux systems and additionally serve as a persistence mechanism.

How FontOnLake Rootkit Malware targets Linux Systems?

According to ESET researchers, the first known file of this malware family appeared on VirusTotal last May, with other samples uploaded throughout the year. The location of the C&C server from which the samples were uploaded to VirusTotal might indicate that its targets are mainly in Southeast Asia.

FontOnLake’s currently known components can be divided into the following groups: Trojanized applications, Backdoors and Rootkits – which are kernel mode components that mostly hide and disguise their presence, assist with updates, or provide fallback backdoors.

The trojanized applications are used mostly to load custom backdoor or rootkit modules, but aside from that, they can also collect sensitive data. And all the trojanized files are standard Linux utilities, with each serving as a persistence method because they are commonly executed on system start-up. Albeit, the initial way these trojanized applications get to their victims is yet unknown.

The different backdoors discovered are written in C++ and all use, though in slightly different ways, the same Asio library from Boost for asynchronous network and low-level I/O. With Poco, Protobuf, and features from STL such as smart pointers used as well.

How to Mitigate against FontOnLake Malware?

For organizations or individuals who want to protect their Linux endpoints or servers from this malware threat, they should use a multilayered security product and ensure that their version of Linux distribution is updated to the latest version.

If you require further technical details on FontOnLake, you can check out the comprehensive white paper provided by ESET.

Linux Systems targeted in New Rootkit Malware campaign