BPDoxS Building a Safer Digital Landscape: Comprehensive Cybersecurity Solutions for Your Business

01/05/2025

🔒 Ready for 2025’s stealthiest attacks? Discover the 7 Critical APT Threats that are silently breaching bank security systems—and how to stay one step ahead. 🚨👀

Dive into our latest blog for in-depth analysis, real-world examples and more. Read the full article on our website—link in bio or read now at "link"! 🌐✨

11/04/2025

Our Director/CEO, Mohan Preet Singh Virk, was recently interviewed by SafetyDetectives!

He shared insights on how BPDoxS is making cybersecurity more accessible through open-source solutions, our journey so far, and what lies ahead for the future of digital protection.

Big thanks to the team at SafetyDetectives for the feature!
Read the full interview now —

🔗 https://www.safetydetectives.com/blog/bpdoxs-interview/

05/04/2024

- 🚀 Elevate your security game with our state-of-the-art cybersecurity solutions!
- 💼 Shield your business from cyber threats for a worry-free digital experience.
- 🌟 Get your services at affordable prices without compromising on quality or top-notch service.
- 📞 Contact us now for a personalized consultation and let's build a secure future together.

Feel free to reach out to us at +91 77175-71863 OR drop an email 📧 [email protected]
Visit our website to learn more ⌨️ --> https://bpdoxs.com/

🔒✨

🌐💻 Navigating the Digital Storm: How COVID-19 Rewrote the Rules of Cyber Crime 🦠🔒
19/09/2023

29/03/2023

Poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of a malware called ShellBot.

ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server.

ShellBot is installed on servers that have weak credentials, but only after threat actors make use of scanner malware to identify systems that have SSH port 22 open.

A list of known SSH credentials is used to initiate a dictionary attack to breach the server and deploy the payload, after which it uses the Internet Relay Chat (IRC) protocol to communicate with a remote server.

This encompasses the ability to receive commands that allow ShellBot to carry out DDoS attacks and exfiltrate harvested information.

ASEC said it identified three different ShellBot versions – LiGhT's Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK – the first two of which offer a variety of DDoS attack commands using HTTP, TCP, and UDP protocols.

PowerBots, on the other hand, comes with more backdoor-like capabilities to grant reverse shell access and upload arbitrary files from the compromised host.

"If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor," ASEC said. "Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server."

The development also comes as Microsoft revealed a gradual increase in the number of DDoS attacks targeting healthcare organizations hosted in Azure, surging from 10-20 attacks in November 2022 to 40-60 attacks daily in February 2023.
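The dictionary-attack-then-deploy sequence described in the ShellBot post (many password guesses from one source against an exposed SSH service, followed by a successful login) leaves a clear trace in sshd logs. The following detector is an added example written for this page, not code from BPDoxS, ASEC or the ShellBot analysis: it parses constructed sshd log lines (the IPs, users and timestamps are invented), counts failed password attempts per source within a sliding window, and flags any source that exceeds the threshold and then logs in successfully. The threshold of 5 attempts in 60 seconds and the log year of 2023 are assumptions, not values from the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not real data). They model the ShellBot
# pattern: a burst of failed password guesses from one source, then an
# "Accepted password" from the same source. The second source is benign noise.
SAMPLE_AUTH_LOG = """\
Mar 29 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar 29 10:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar 29 10:00:02 host sshd[1203]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 29 10:00:03 host sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Mar 29 10:00:04 host sshd[1205]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar 29 10:00:05 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Mar 29 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 29 10:05:30 host sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2023):
    """Parse one sshd syslog line into a dict, or return None for other lines.

    Syslog timestamps carry no year, so the year is an assumed parameter.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the double space syslog uses for single-digit days before parsing.
    ts_text = " ".join(m["ts"].split())
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_password_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Return findings for sources that burst past `threshold` failed password
    attempts within `window`, and for successful password logins from a source
    that was already flagged (the 'breached after dictionary attack' case).
    Public-key events are ignored: a dictionary attack only hits password auth."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failed attempts in window
    flagged = set()                       # sources already reported for guessing
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "password":
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            q = recent_failures[src]
            q.append(ev["ts"])
            # Drop attempts that fell out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append({"kind": "password_guessing", "src": src,
                                 "attempts": len(q), "ts": ev["ts"]})
        elif src in flagged:
            # A successful password login right after a guessing burst is the
            # strongest signal that the credential list contained a valid one.
            findings.append({"kind": "login_after_guessing", "src": src,
                             "user": ev["user"], "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in detect_password_guessing(SAMPLE_AUTH_LOG.splitlines()):
        print(f)
```

On the constructed sample this reports two findings for 203.0.113.7: the guessing burst at the fifth failure and the subsequent root login via password; the single failure from 198.51.100.4 followed by a public-key login produces nothing. In production the same logic runs over `journalctl -u ssh` or `/var/log/auth.log` output, and the `login_after_guessing` finding is the one that should page someone, since it means the host needs to be treated as compromised rather than merely probed.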

29/03/2023

A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks.

"The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as Hinata--," Akamai said.

Among the methods used to distribute the malware are the exploitation of exposed Hadoop YARN servers and security flaws in Realtek SDK devices (CVE-2014-8361) and Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8).

Since then, newer artifacts have been detected in Akamai's HTTP and SSH honeypots as recently as this month, packing in more modular functionality and added security measures to resist analysis. This indicates that HinataBot is still in active development and evolving.

The malware, like other DDoS botnets of its kind, is capable of contacting a command-and-control (C2) server to listen for incoming instructions and initiate attacks against a target IP address for a specified duration.

While early versions of the botnet utilized protocols such as HTTP, UDP, TCP, and ICMP to carry out DDoS attacks, the latest iteration is limited to just HTTP and UDP. It's not immediately known why the other two protocols were axed.

Akamai, which conducted 10-second attack tests using HTTP and UDP, revealed that the HTTP flood generated 3.4 MB of packet capture data and pushed 20,430 HTTP requests. The UDP flood, on the other hand, created 6,733 packets for a total of 421 MB of packet capture data.

Besides being used as distractions to conceal extortion and data theft, DDoS attacks are also expected to rise due to the arrival of new malware strains that are capable of targeting IoT devices and taking over accounts to gain unauthorized access to resources.

29/03/2023

Bitcoin ATM maker General Bytes disclosed that unidentified threat actors stole cryptocurrency from hot wallets by exploiting a zero-day security flaw in its software.

"The attacker was able to upload his own java application remotely via the master service interface used by terminals to upload videos and run it using 'batm' user privileges."

"The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean."

The company said that the server to which the malicious Java application was uploaded was by default configured to start applications present in the deployment folder ("/batm/app/admin/standalone/deployments/").

In doing so, the attack allowed the threat actor to access the database; read and decrypt API keys used to access funds in hot wallets and exchanges; send funds from the wallets; download usernames, password hashes, and turn off two-factor authentication (2FA); and even access terminal event logs.

In addition to urging customers to keep their crypto application servers (CASs) behind a firewall and a VPN, it also recommends rotating all users' passwords and the API keys used for exchanges and hot wallets.

The company further emphasized that it had conducted multiple security audits since 2021 and that none of them flagged this vulnerability. It appears to have been unpatched since version 20210401.

General Bytes did not disclose the exact amount of funds stolen by the hackers, but an analysis of the cryptocurrency wallets used in the attack reveals the receipt of 56.283 BTC ($1.5 million), 21.823 ETH ($36,500), and 1,219.183 LTC ($96,500).

29/03/2023

A banking trojan dubbed Mispadu has been linked to multiple spam campaigns targeting countries like Bolivia, Chile, Mexico, Peru, and Portugal with the goal of stealing credentials and delivering other payloads.

Mispadu (aka URSA) was first documented by ESET in November 2019, describing its ability to perpetrate monetary and credential theft and act as a backdoor by taking screenshots and capturing keystrokes.

"One of their main strategies is to compromise legitimate websites, searching for vulnerable versions of WordPress, to turn them into their command-and-control server to spread malware from there, filtering out countries they do not wish to infect, dropping different type of malware based on the country being infected," researchers Fernando García and Dan Regalado said.

It's also said to share similarities with other banking trojans targeting the region, like Grandoreiro, Javali, and Lampion. Attack chains involving the Delphi malware leverage email messages urging recipients to open fake overdue invoices, thereby triggering a multi-stage infection process.

Should a victim open the HTML attachment sent via the spam email, it verifies that the file was opened from a desktop device and then redirects to a remote server to fetch the first-stage malware.

The RAR or ZIP archive, when launched, is designed to make use of rogue digital certificates – one of which is the Mispadu malware and the other an AutoIT installer – to decode and execute the trojan by abusing the legitimate certutil command-line utility.

Metabase Q noted that the certutil approach has allowed Mispadu to bypass detection by a wide range of security software and harvest over 90,000 bank account credentials from over 17,500 unique websites.

29/03/2023

Copycat websites for instant messaging apps like Telegram and WhatsApp are being used to distribute trojanized versions and infect Android and Windows users with cryptocurrency clipper malware.

While the first instance of clipper malware on the Google Play Store dates back to 2019, the development marks the first time Android-based clipper malware has been built into instant messaging apps.

The attack chain begins with unsuspecting users clicking on fraudulent ads in Google search results that lead to hundreds of sketchy YouTube channels, which then direct them to lookalike Telegram and WhatsApp websites.

What's novel about the latest batch of clipper malware is that it's capable of intercepting a victim's chats and replacing any sent and received cryptocurrency wallet addresses with addresses controlled by the threat actors.

Another cluster of clipper malware makes use of OCR to find and steal seed phrases by leveraging a legitimate machine learning plugin called ML Kit on Android.

A third cluster is designed to keep tabs on Telegram conversations for certain Chinese keywords related to cryptocurrencies, both hard-coded and received from a server, and, when one matches, exfiltrate the complete message along with the username and the group or channel name to a remote server.

A fourth set of Android clippers comes with capabilities to switch the wallet address as well as harvest device information and Telegram data such as messages and contacts.

The rogue Android APK package names are listed below -

- org.telegram.messenger
- org.telegram.messenger.web2
- org.tgplus.messenger
- io.busniess.va.whatsapp
- com.whatsapp

All the analyzed RAT samples are based on the publicly available Gh0st RAT, barring one, which employs more anti-analysis runtime checks during its execution and uses the HP-Socket library to communicate with its server.

29/03/2023

An Android voice phishing (aka vishing) malware campaign known as FakeCalls has reared its head once again to target South Korean users under the guise of over 20 popular financial apps.

FakeCalls malware possesses the functionality of a Swiss army knife, able not only to conduct its primary aim but also to extract private data from the victim's device.

In the observed attacks, users who install the rogue banking app are enticed into calling the financial institution by the offer of a fake low-interest loan.

The ultimate goal of the campaign is to get the victim's credit card information, which the threat actors claim is required to qualify for the non-existent loan.

The malicious app also requests intrusive permissions so as to harvest sensitive data, including live audio and video streams, from the compromised device, which is then exfiltrated to a remote server.

The latest FakeCalls samples further implement various techniques to stay under the radar. One of the methods involves adding a large number of files inside nested directories to the APK's asset folder, causing the length of the file name and path to exceed the 300-character limit.

While the attack exclusively focuses on South Korea, the cybersecurity company has warned that the same tactics can be repurposed to target other regions across the world.

The findings also come as Cyble shed light on two Android banking trojans dubbed Nexus and GoatRAT that can harvest valuable data and carry out financial fraud.

Nexus, a rebranded version of SOVA, also incorporates a ransomware module that encrypts the stored files and can abuse Android's accessibility services to extract seed phrases from cryptocurrency wallets.

Spain, Saudi Arabia, Australia, Turkey, China, Switzerland, Japan, Colombia, Italy, and India lead the list of top countries infected by mobile financial threats.

13/03/2023

The North Korea-linked Lazarus Group has been observed weaponizing flaws in an undisclosed software to breach a financial business entity in South Korea twice within a span of a year.

While the first attack in May 2022 entailed the use of a vulnerable version of a certificate software that's widely used by public institutions and universities, the re-infiltration in October 2022 involved the exploitation of a zero-day in the same program.

Cybersecurity firm AhnLab Security Emergency Response Center (ASEC) said it's refraining from divulging more specifics owing to the fact that "the vulnerability has not been fully verified yet and a software patch has not been released."

The adversarial collective, after obtaining an initial foothold by an unknown method, abused the zero-day bug to perform lateral movement, shortly after which the AhnLab V3 anti-malware engine was disabled via a BYOVD attack.

It's worth noting here that the Bring Your Own Vulnerable Driver, aka BYOVD, technique has been repeatedly employed by the Lazarus Group in recent months, as documented by both ESET and AhnLab in a series of reports late last year.

Other steps taken to conceal its malicious behavior include changing file names before deleting them and modifying timestamps using an anti-forensic technique referred to as timestomping.

The attack ultimately paved the way for multiple backdoor payloads (Keys.dat and Settings.vwx) that are designed to connect to a remote command-and-control (C2) server and retrieve additional binaries and execute them in a fileless manner.

The development comes a week after ESET shed light on a new implant called WinorDLL64 that's deployed by the notorious threat actor by means of a malware loader named Wslink.

Address

Patiala
147001
