Hackers plant malware on Jerusalem Post website

Scattergun opportunists


Hackers compromised the website of the Jerusalem Post on Monday so that it served up malware.

The attack relied on planting scripts on the site itself, rather than the more common tactic of compromising its ad-serving system to serve tainted ads. The attack ultimately attempted to dump Windows-based malware on the Windows PCs of visiting surfers.

Sophos - which was among the first to document the attack - defines this strain of malware as Behav-290.

Paul Baccas (AKA Pob) a virus researcher at Sophos reckons the attack is more likely to be down to opportunists than a reaction to heightened tensions in the Middle East over recent days, following deaths on a flotilla of boats bound for Gaza.

"In the current climate some will assume that the site has been hacked by a politically motivated hacker," Baccas writes. "However, in my experience the majority of hacks like this are done via a scattergun approach and it was just bad luck (and bad website security) that meant that the Jerusalem Post was the victim." ®

Similar topics


Other stories you might like

  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Symbiote Linux malware spotted – and infections are 'very hard to detect'
    Performing live forensics on hijacked machine may not turn anything up, warn researchers

    Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.

    Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

    The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

    Continue reading
  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • Clipminer rakes in $1.7m in crypto hijacking scam
    Crooks divert transactions to own wallets while running mining on the side

    A crew using malware that performs cryptomining and clipboard-hacking operations have made off with at least $1.7 million in stolen cryptocurrency.

    The malware, dubbed Trojan.Clipminer, leverages the compute power of compromised systems to mine for cryptocurrency as well as identify crypto-wallet addresses in clipboard text and replace it to redirect transactions, according to researchers with Symantec's Threat Intelligence Team.

    The first samples of the Windows malware appeared in January 2021 and began to accelerate in their spread the following month, the Symantec researchers wrote in a blog post this week. They also observed that there are several design similarities between Clipminer and KryptoCibule – another cryptomining trojan that, a few months before Clipminer hit the scene, was detected and written about by ESET analysts.

    Continue reading
  • Chinese-sponsored gang Gallium upgrades to sneaky PingPull RAT
    Broadens targets from telecoms to finance and government orgs

    The Gallium group, believed to be a Chinese state-sponsored team, is going on the warpath with an upgraded remote access trojan (RAT) that threat hunters say is difficult to detect.

    The deployment of this "PingPull" RAT comes as the gang is broadening the types of organizations in its sights from telecommunications companies to financial services firms and government entities across Asia, Southeast Asia, Europe and Africa, according to researchers with Palo Alto Networks' Unit 42 threat intelligence group.

    The backdoor, once in a compromised system, comes in three variants, each of which can communicate with the command-and-control (C2) system in one of three protocols: ICMP, HTTPS and raw TCP. All three PingPull variants have the same functionality, but each creates a custom string of code that it sends to the C2 server, which will use the unique string to identify the compromised system.

    Continue reading
  • Chinese 'Aoqin Dragon' gang runs undetected ten-year espionage spree
    Researcher spots it targeting Asian government and telco targets, probably with Beijing's approval

    Threat researcher Joey Chen of Sentinel Labs says he's spotted a decade worth of cyber attacks he's happy to attribute to a single Chinese gang.

    Chen has named the group Aoqin Dragon, says its goal is espionage, and that it prefers targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.

    The gang is fond of attacks that start by inducing users to open poisoned Word documents that install a backdoor – often a threat named Mongall or a modified version of the open source Heyoka project.

    Continue reading

Biting the hand that feeds IT © 1998–2022