Over 1,000 WordPress Sites Infected with JavaScript Backdoors Enabling Persistent Attacker Access - Related to hits, aviation,, firms, deploying, 1,000

New polyglot malware hits aviation, satellite communication firms

A previously undocumented polyglot malware is being deployed in attacks against aviation, satellite communication, and critical transportation organizations in the United Arab Emirates.

The malware delivers a backdoor called Sosano, which establishes persistence on the infected devices and allows the attackers to execute commands remotely.

The activity was discovered by Proofpoint in October 2024, which states that the attacks are linked to a threat actor named 'UNK_CraftyCamel.' While the campaign is still small, the researchers analysis that it is still advanced and dangerous to targeted companies.

Proofpoint's researchers noted that the attacks bear similarities with operations from Iranian-aligned groups TA451 and TA455. However, the latest campaign is distinct, having a strong cyber-espionage focus.

Polyglot malware consists of specially crafted files that contain multiple file formats, allowing them to be interpreted differently by various applications.

For example, a single file could be structured as both a valid MSI (Windows installer) and a JAR (Java archive), causing Windows to recognize it as an MSI while the Java runtime interprets it as a JAR.

This technique enables attackers to stealthily deliver malicious payloads by evading security software, which typically analyzes files based on a single format.

In the new campaign observed by Proofpoint, the attack begins with a highly targeted spear-phishing email sent from a compromised Indian electronics enterprise (INDIC Electronics).

These emails contain malicious URLs that direct victims to a spoofed domain (indicelectronics[.]net), where they are prompted to download a ZIP archive ("[website]").

The archive contains an LNK (Windows shortcut) file disguised as an XLS, as well as two PDF files ("[website]" and "[website]"). Both PDFs are polyglot files containing a legitimate PDF file structure but an additional malicious file structure.

The first PDF contains HTA (HTML Application) code, while the other includes a hidden ZIP archive.

One of the PDF lures used in the attacks.

The main benefit of using polyglots is evasion, as most security tools will inspect the first file format (PDF), which is a benign document, and completely ignore the malicious hidden portion (HTA/ZIP payloads).

When executing the LNK file, [website] launches [website], which executes the HTA script hidden inside the first PDF, triggering the launch of the second PDF file.

The hidden archive inside the second PDF writes a URL file to the Windows Registry for persistence and then executes an XOR-encoded JPEG file that decodes a DLL payload ("[website]"), which is the Sosano backdoor.

Proofpoint says Sosano is a relatively simple Go-based payload with limited functionality that was likely bloated to 12MB in size to obfuscate what small amounts of malicious code it uses.

Once it's activated, Sonaso establishes a connection with its command-and-control (C2) server at "bokhoreshonline[.]com" and awaits commands, including file operations, shell command execution, and fetching and launching additional payloads.

Defending against polyglot threats requires a multifaceted approach combining email scanning, user education, and security software that can detect multiple file formats in a single file.

If not needed in daily operations, blocking dangerous file types such as LNKs, HTAs, and ZIPs at the email gateway is prudent.

In VMware ESXi, Fusion und Workstation haben die Entwickler Sicherheitslücken ausfindig gemacht, durch die Angreifer etwa aus den virtuellen Maschinen......

Google hat eine neue Sicherheitsfunktion für Android-Geräte angekündigt, die Betrugsversuche per künstlicher Intelligenz (KI) erkennen können soll. Da......

Der Nachrichtenstrom zu aktuell angegriffenen Sicherheitslücken in Software reißt nicht ab. Die US-amerikanische IT-Sicherheitsbehörde CISA warnt nun ......

Seven Malicious Go Packages Found Deploying Malware on Linux and macOS Systems

Cybersecurity researchers are alerting of an ongoing malicious campaign targeting the Go ecosystem with typosquatted modules that are designed to deploy loader malware on Linux and Apple macOS systems.

"The threat actor has , including one (github[.]com/shallowmulti/hypert) that appears to target financial-sector developers," Socket researcher Kirill Boychenko showcased in a new analysis.

"These packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor capable of pivoting rapidly."

While all of them continue to be available on the official package repository, their corresponding GitHub repositories barring "github[.]com/ornatedoctrin/layout" are no longer accessible. The list of offending Go packages is below -.

The counterfeit packages, Socket's analysis found, contain code to achieve remote code execution. This is achieved by running an obfuscated shell command to retrieve and run a script hosted on a remote server ("alturastreet[.]icu"). In a likely effort to evade detection, the remote script is not fetched until an hour has elapsed.

The end goal of the attack is to install and run an executable file that can potentially steal data or credentials.

The disclosure arrived a month after Socket revealed another instance of a software supply chain attack targeting the Go ecosystem via a malicious package capable of granting the adversary remote access to infected systems.

"The repeated use of identical filenames, array-based string obfuscation, and delayed execution tactics strongly hints at a coordinated adversary who plans to persist and adapt," Boychenko noted.

"The discovery of multiple malicious hypert and layout packages, along with multiple fallback domains, points to an infrastructure designed for longevity, enabling the threat actor to pivot whenever a domain or repository is blacklisted or removed."

In LibreOffice hat das Projekt eine Sicherheitslücke entdeckt. Angreifer können dadurch Makros ausführen lassen. Aktualisierte Software bessert die Sc......

Mozilla hat für alle aktuell unterstützten Firefox- und Thunderbird-Versionen Sicherheitsupdates herausgegeben, Google für den Webbrowser Chrome. Chro......

The rapid adoption of cloud services, SaaS applications, and the shift to remote work have fundamentally reshaped how enterprises operate. These techn......

Over 1,000 WordPress Sites Infected with JavaScript Backdoors Enabling Persistent Attacker Access

Over 1,000 websites powered by WordPress have been infected with a third-party JavaScript code that injects four separate backdoors.

"Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed," c/side researcher Himanshu Anand stated in a Wednesday analysis.

The malicious JavaScript code has been found to be served via cdn.csyndication[.]com. As of writing, as many as 908 websites contain references to the domain in question.

The functions of the four backdoors are explained below -.

Backdoor 1, which uploads and installs a fake plugin named "Ultra SEO Processor," which is then used to execute attacker-issued commands.

Backdoor 2, which injects malicious JavaScript into [website].

Backdoor 3, which adds an attacker-controlled SSH key to the ~/.ssh/authorized_keys file so as to allow persistent remote access to the machine.

Backdoor 4, which is designed to execute remote commands and fetches another payload from gsocket[.]io to likely open a reverse shell.

To mitigate the risk posed by the attacks, it's advised that consumers delete unauthorized SSH keys, rotate WordPress admin credentials, and monitor system logs for suspicious activity.

The development comes as the cybersecurity corporation detailed another malware campaign has compromised more than 35,000 websites with malicious JavaScript that "fully hijacks the user's browser window" to redirect site visitors to Chinese-language gambling platforms.

"The attack appears to be targeting or originating from regions where Mandarin is common, and the final landing pages present gambling content under the 'Kaiyun' brand.

The redirections occur through JavaScript hosted on five different domains, which serves as a loader for the main payload responsible for performing the redirects -.

The findings also follow a new findings from Group-IB about a threat actor dubbed ScreamedJungle that injects a JavaScript code-named Bablosoft JS into compromised Magento websites to collect fingerprints of visiting individuals. More than 115 e-commerce sites are believed to be impacted to date.

The injected script is "part of the Bablosoft BrowserAutomationStudio (BAS) suite," the Singaporean corporation presented, adding it "contains several other functions to collect information about the system and browser of customers visiting the compromised website."

It's stated that the attackers are exploiting known vulnerabilities affecting vulnerable Magento versions ([website], CVE-2024-34102 aka CosmicSting and CVE-2024-20720) to breach the websites. The financially motivated threat actor was first discovered in the wild in late May 2024.

"Browser fingerprinting is a powerful technique commonly used by websites to track user activities and tailor marketing strategies," Group-IB showcased. "However, this information is also exploited by cybercriminals to mimic legitimate user behavior, evade security measures, and conduct fraudulent activities."

Cyber threats are growing more sophisticated, and traditional security approaches struggle to keep up. Organizations can no longer rely on periodic as......

A [website] Army soldier who pleaded guilty last week to leaking phone records for high-ranking [website] government officials searched online for non-extraditi......

A new campaign is targeting companies in Taiwan with malware known as Winos [website] as part of phishing emails masquerading as the country's National Taxa......