Attackers can get root by crashing Ubuntu’s AccountsService
Attackers can get root by crashing Ubuntu’s AccountsService
Police arrests ransomware affiliate behind high-profile attacks
Bugs in billions of WiFi, Bluetooth chips allow password, data theft
Google pushes emergency Chrome update to fix zero-day used in attacks
TinyNuke info-stealing malware is again attacking French users
Phishing campaign uses PowerPoint macros to drop Agent Tesla
Dell driver fix still allows Windows Kernel-level attacks
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Search Redirect
Remove the Search Redirect
Remove the Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
Nuclear fallout
The info-stealing malware TinyNuke has re-emerged in a new campaign targeting French users with invoice-themed lures in emails sent to corporate addresses and individuals working in manufacturing, technology, construction, and business services.
The goal of this campaign is to steal credentials and other private information and install additional payloads onto a compromised system.
The TinyNuke malware activity first appeared in 2017, culminated in 2018, then dropped significantly in 2019, and almost faded out of existence in 2020.
Observing new attacks that deploy the particular malware strain in 2021 is surprising but not entirely unexpected.
According to researchers at Proofpoint who have been following these campaigns, this re-emergence manifests through two distinct sets of activity, with separate C2 infrastructure, payloads, and lure themes.
This could also indicate that the malware is used by two different actors, one associated with the initial TinyNuke actors and one linked to actors who typically use commodity tools.
Finally, there’s no overlap with PyLocky distribution as seen in 2018 or with any other ransomware infection this time.
The actor compromises legitimate French websites to host the payload URL, while the executables are masked as innocuous software.
For the C2 communications, the most recent campaigns use Tor, which is the same method used since 2018.
One of the strings, “nikoumouk,” used in these communications is the same as a slang term discovered in the 2018 analysis, further linking this campaign to the original threat actors.
“Proofpoint researchers observed the string “nikoumouk” sent to the C2 server for an unknown purpose. According to information sharing partners and open-source information, the actors previously used that string in C2 communications in previous campaigns since 2018,” explains Proofpoint’s report.
“The string is an insult in popular Arabic, mainly used in French speaking suburbs in Europe.”
In the current campaigns, emails include URLs that download ZIP files. These ZIP files contain a JavaScript file that will execute PowerShell commands to download and execute the TinyNuke malware.
In terms of capabilities, TinyNuke loader can steal credentials with form-grabbing and web-inject capabilities for Firefox, Internet Explorer, and Chrome, and can also install additional payloads.
Persistence is secured by adding a new registry key as shown below:
Although the ongoing campaigns use specific lures, the actors could update their messages to present the recipients with new baits.
Also, if new actors are using TinyNike, it likely means that the original authors are selling it on the dark web, or its code may be circulating independently since it was released on GitHub at some point years ago.
Either way, its deployment could increase even more, and the range of email lures deployed against targets could become very wide.
It is vital to remain vigilant and avoid clicking on embedded buttons that lead to sites hosting the malicious compressed executable.
Because these sites are otherwise legitimate, your Internet security solution may not raise any flags, so extreme caution is advised.
Flubot Android malware now spreads via fake security updates
Over nine million Android devices infected by info-stealing trojan
Android malware BrazKing returns as a stealthier banking trojan
Emotet malware is back and rebuilding its botnet via TrickBot
Snake malware biting hard on 50 apps for only $25
Not a member yet? Register Now
Amazon explains the cause behind Tuesday’s massive AWS outage
Hackers start pushing malware in worldwide Log4Shell attacks
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


You May Also Like

Beware: Free Discord Nitro phishing targets Steam gamers

CISA orders federal agencies to fix hundreds of exploited security flawsUS sanctions…

T-Mobile says it blocked 21 billion scam calls this year

Microsoft warns of easy Windows domain takeover via Active Directory bugsUK govt…

Magniber ransomware gang now exploits Internet Explorer flaws in attacks

HPE says hackers breached Aruba Central using stolen access keyFBI warns of…

Bugs in billions of WiFi, Bluetooth chips allow password, data theft

Attackers can get root by crashing Ubuntu’s AccountsServiceAttackers can get root by…