Analysis of a Multi-Stage Infection Chain: From Obfuscated JScript to Remcos RAT

This article presents a detailed analysis of a recent malware campaign that uses advanced obfuscation techniques to evade detection. The infection chain begins with a JScript script attached to a phishing email and culminates in the download of Remcos RAT. The analysis focuses on the obfuscation techniques used and on how to unpack each stage of the attack.

Phishing Campaign and First Stage of Infection

The campaign was distributed via phishing emails impersonating a legitimate Czech company. Although the email contained credible visual elements, it failed DMARC/SPF checks, which would likely have resulted in it being quarantined by most mail servers. ...

February 23, 2026 · Comfidentia

Malicious Chrome Extensions Steal ChatGPT and DeepSeek Conversations

Cybersecurity researchers have discovered two new malicious extensions in the Chrome Web Store designed to exfiltrate OpenAI ChatGPT and DeepSeek conversations, along with browsing data, to servers under the attackers' control. This type of attack, which uses browser extensions to stealthily capture AI conversations, has been dubbed "Prompt Poaching" by Secure Annex.

Malicious Extensions Identified

The two extensions, which together have more than 900,000 users, are:

Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI (ID: fnmihdojmnkclgjpcoonokmkhjpjechg, 600,000 users)
AI Sidebar with Deepseek, ChatGPT, Claude, and more. (ID: inhcgfpbfdjbjogdfjbclgolkmhnooop, 300,000 users)

Both extensions were discovered exfiltrating user conversations and all Chrome tab URLs to a remote command and control (C2) server every 30 minutes. They use a deceptive tactic, requesting consent for "anonymous, non-identifiable analytics data" while actually exfiltrating the entire content of ChatGPT and DeepSeek conversations. ...

January 16, 2026 · Comfidentia

54 Individuals Indicted for Tren de Aragua ATM Jackpotting Scheme

The U.S. Department of Justice (DoJ) has announced the indictment of 54 individuals for their alleged involvement in an automated teller machine (ATM) “jackpotting” scheme that diverted millions of dollars. The large-scale conspiracy involved the use of Ploutus malware to force ATMs across the country to dispense cash. According to authorities, the defendants are part of the Venezuelan criminal group Tren de Aragua (TdA), which has been designated as a foreign terrorist organization by the US Department of State. ...

December 20, 2025 · Comfidentia

Abuse of TLS Callbacks in DLLs for Detection Evasion

What are TLS Callbacks?

Thread Local Storage (TLS) is a Windows operating system mechanism that allows each thread in a process to have its own copy of specific variables. To support this, Windows PE (Portable Executable) files contain a TLS directory (IMAGE_TLS_DIRECTORY). This directory not only describes where the TLS data is stored and its size, but also includes a list of callback functions. TLS callbacks are an execution mechanism that allows code to run automatically when a process or thread starts, even before the program's normal entry point (main or WinMain for EXEs, or DllMain for DLLs) is reached. ...

December 20, 2025 · Comfidentia

Intellexa's Predator Spyware Attacks Pakistani Lawyer; Technical Details and Vulnerabilities Revealed

A joint investigation by Amnesty International, Haaretz, Inside Story and Inside IT has revealed that a human rights lawyer from Balochistan province, Pakistan, was the target of Intellexa's Predator spyware. This incident marks the first time that a member of civil society in Pakistan has been targeted by this surveillance tool. The attack was carried out using a suspicious link sent via WhatsApp, which Amnesty International identified as an "attempted Predator attack" based on its technical behavior and characteristics. ...

December 5, 2025 · Comfidentia

GoldFactory Launches Sophisticated Malware Attacks on Asian Banking Apps

Financially motivated cybercriminal group GoldFactory has launched a new wave of attacks targeting mobile users in Indonesia, Thailand and Vietnam. Attackers are using a government spoofing technique to distribute legitimate banking applications modified with malware. The activity, observed since October 2024, involves the distribution of apps that act as conduits for advanced Android malware, according to a Group-IB white paper.

The GoldFactory Threat Actor

GoldFactory is a Chinese-speaking cybercrime group, active since at least June 2023. The group is known for using custom malware families such as GoldPickaxe, GoldDigger, and GoldDiggerPlus, which previously targeted Android and iOS devices. Research suggests that GoldFactory has close ties to Gigabud, another Android malware family detected in mid-2023. Despite differences in code base, GoldDigger and Gigabud share similarities in their spoofing targets and landing pages. ...

December 4, 2025 · Comfidentia