Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

TinyNuke Info-stealing Malware is Again Attacking French Users

TinyNuke Info-stealing Malware is Again Attacking French Users

The info-stealing malware TinyNuke has re-emerged in a new campaign targeting French users with invoice-themed lures in emails sent to corporate addresses and individuals working in manufacturing, technology, construction, and business services.

The goal of this campaign is to steal credentials and other private information and install additional payloads onto a compromised system.

Re-emergence of TinyNuke

The TinyNuke malware activity first appeared in 2017, culminated in 2018, then dropped significantly in 2019, and almost faded out of existence in 2020.

Observing new attacks that deploy the particular malware strain in 2021 is surprising but not entirely unexpected.

Also Read: Shred It Singapore For Commercial Document Destruction

Number of campaigns per year
Number of campaigns per year
Source: Proofpoint

According to researchers at Proofpoint who have been following these campaigns, this re-emergence manifests through two distinct sets of activity, with separate C2 infrastructure, payloads, and lure themes.

This could also indicate that the malware is used by two different actors, one associated with the initial TinyNuke actors and one linked to actors who typically use commodity tools.

Finally, there’s no overlap with PyLocky distribution as seen in 2018 or with any other ransomware infection this time.

Payloads hosted on legitimate sites

The actor compromises legitimate French websites to host the payload URL, while the executables are masked as innocuous software.

Indicators of compromise for recent TinyNuke campaigns
Indicators of compromise for recent TinyNuke campaigns
Source: Proofpoint

For the C2 communications, the most recent campaigns use Tor, which is the same method used since 2018.

One of the strings, “nikoumouk,” used in these communications is the same as a slang term discovered in the 2018 analysis, further linking this campaign to the original threat actors.

“Proofpoint researchers observed the string “nikoumouk” sent to the C2 server for an unknown purpose. According to information sharing partners and open-source information, the actors previously used that string in C2 communications in previous campaigns since 2018,” explains Proofpoint’s report.

Also Read: How To Make Effective Purchase Order Template Singapore

“The string is an insult in popular Arabic, mainly used in French speaking suburbs in Europe.”

In the current campaigns, emails include URLs that download ZIP files. These ZIP files contain a JavaScript file that will execute PowerShell commands to download and execute the TinyNuke malware.

PowerShell code fetching the payload ZIP file
PowerShell code fetching the payload ZIP file
Source: Proofpoint

In terms of capabilities, TinyNuke loader can steal credentials with form-grabbing and web-inject capabilities for Firefox, Internet Explorer, and Chrome, and can also install additional payloads.

Persistence is secured by adding a new registry key as shown below:

Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x00E02BC647BACE72A1\xe4\x8d\x82
Data: C:\Users\[User]\AppData\Roaming\E02BC647BACE72A1\firefox.exe

Μise en garde

Although the ongoing campaigns use specific lures, the actors could update their messages to present the recipients with new baits.

Also, if new actors are using TinyNike, it likely means that the original authors are selling it on the dark web, or its code may be circulating independently since it was released on GitHub at some point years ago.

Either way, its deployment could increase even more, and the range of email lures deployed against targets could become very wide.

Sample message from recent TinyNuke campaign
Sample message from recent TinyNuke campaign
Source: Proofpoint

It is vital to remain vigilant and avoid clicking on embedded buttons that lead to sites hosting the malicious compressed executable.

Because these sites are otherwise legitimate, your Internet security solution may not raise any flags, so extreme caution is advised.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us