#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

VirusTotal | Breaking Cybersecurity News | The Hacker News

Category — VirusTotal
Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files

Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files

Apr 10, 2024 Cyber Crime / Malvertising
Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that has been propagating the malware through malicious Windows Script Files ( WSFs ) since March 2024. "Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors," HP Wolf Security researcher Patrick Schläpfer  said  in a report shared with The Hacker News. Raspberry Robin, also called QNAP worm, was  first spotted  in September 2021 that has since  evolved into a downloader  for various other payloads in recent years, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and also serving as a precursor for ransomware. While the malware was initially distributed by means of USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since  adopted other methods  such as social engineering and malvertising. It's attribute
China-Linked Hackers Target Myanmar's Top Ministries with Backdoor Blitz

China-Linked Hackers Target Myanmar's Top Ministries with Backdoor Blitz

Jan 30, 2024 Malware / Cyber Espionage
The China-based threat actor known as  Mustang Panda  is suspected to have targeted Myanmar's Ministry of Defence and Foreign Affairs as part of twin campaigns designed to deploy backdoors and remote access trojans. The findings come from CSIRT-CTI, which said the activities took place in November 2023 and January 2024 after artifacts in connection with the attacks were uploaded to the VirusTotal platform. "The most prominent of these TTPs are the use of legitimate software including a binary developed by engineering firm Bernecker & Rainer (B&R) and a component of the Windows 10 upgrade assistant to sideload malicious dynamic-link libraries (DLLs)," CSIRT-CTI  said . Mustang Panda, active since at least 2012, is also recognized by the cybersecurity community under the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, and TEMP.Hex. In recent months, the adversary has been attributed to attacks targeting
The Secret Weakness Execs Are Overlooking: Non-Human Identities

The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
Mac Users Beware: New Trojan-Proxy Malware Spreading via Pirated Software

Mac Users Beware: New Trojan-Proxy Malware Spreading via Pirated Software

Dec 08, 2023 Endpoint Security / Malware
Unauthorized websites distributing trojanized versions of cracked software have been found to infect Apple macOS users with a new  Trojan-Proxy  malware. "Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods," Kaspersky security researcher Sergey Puzan  said . The Russian cybersecurity firm said it found evidence indicating that the malware is a cross-platform threat, owing to artifacts unearthed for Windows and Android that piggybacked on pirated tools. The macOS variants propagate under the guise of legitimate multimedia, image editing, data recovery, and productivity tools. This suggests that users searching for pirated software are the targets of the campaign. Unlike their genuine, unaltered counterparts, which are offered as disk image (.DMG) files, the rogue versions are delivered
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
VirusTotal Data Leak Exposes Some Registered Customers' Details

VirusTotal Data Leak Exposes Some Registered Customers' Details

Jul 18, 2023 Privacy / Malware
Data associated with a subset of registered customers of VirusTotal, including their names and email addresses, were exposed after an employee inadvertently uploaded the information to the malware scanning platform. The security incident, which comprises a database of 5,600 names in a 313KB file, was first disclosed by  Der Spiegel  and  Der Standard  yesterday. Launched in 2004, VirusTotal is a popular service that analyzes suspicious files and URLs to detect types of malware and malicious content using antivirus engines and website scanners. It was acquired by Google in 2012 and became a subsidiary of Google Cloud's Chronicle unit in 2018. When reached for comment, Google confirmed the leak and said it took immediate steps to remove the data. "We are aware of the unintentional distribution of a small segment of customer group administrator emails and organization names by one of our employees on the VirusTotal platform," a Google Cloud spokesperson told The Hacker
Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems

Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems

Jun 19, 2023 Endpoint Security / Hacking
Cybersecurity researchers have uncovered a set of malicious artifacts that they say is part of a sophisticated toolkit targeting Apple macOS systems. "As of now, these samples are still largely undetected and very little information is available about any of them," Bitdefender researchers Andrei Lapusneanu and Bogdan Botezatu  said  in a preliminary report published on Friday. The Romanian firm's analysis is based on an examination of four samples that were uploaded to VirusTotal by an unnamed victim. The earliest sample dates back to April 18, 2023. Two of the three malicious programs are said to be generic Python-based backdoors that are designed to target Windows, Linux, and macOS systems. The payloads have been collectively dubbed  JokerSpy . The first constituent is shared.dat, which, once launched, runs an operating system check (0 for Windows, 1 for macOS, and 2 for Linux) and establishes contact with a remote server to fetch additional instructions for execut
Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

Jan 08, 2023 Cyberespionage / Threat Analysis
The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine. Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker  UNC4210 , said the hijacked servers correspond to a variant of a commodity malware called  ANDROMEDA  (aka Gamarue) that was uploaded to VirusTotal in 2013. "UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022," Mandiant researchers  said  in an analysis published last week. Turla, also known by the names Iron Hunter, Krypton, Uroburos, Venomous Bear, and Waterbug, is an elite nation-state outfit that primarily targets government, diplomatic, and military organizations using a large set of custom malware. Since the onset of Russia's  milit
VirusTotal Reveals Most Impersonated Software in Malware Attacks

VirusTotal Reveals Most Impersonated Software in Malware Attacks

Aug 03, 2022
Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack. Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed. "One of the simplest social engineering tricks we've seen involves making a malware sample seem a legitimate program," VirusTotal  said  in a Tuesday report. "The icon of these programs is a critical feature used to convince victims that these programs are legitimate." It's no surprise that threat actors resort to a variety of approaches to compromise endpoints by tricking unwitting users into downloading and running seemingly innocuous executables. This, in turn, is primarily achieved by taking advantage of genuine domains in a bid to get around IP-based firewall defenses
Hackers Abusing BRc4 Red Team Penetration Tool in Attacks to Evade Detection

Hackers Abusing BRc4 Red Team Penetration Tool in Attacks to Evade Detection

Jul 06, 2022
Malicious actors have been observed abusing legitimate adversary simulation software in their attacks in an attempt to stay under the radar and evade detection. Palo Alto Networks Unit 42 said a  malware sample  uploaded to the VirusTotal database on May 19, 2022, contained a payload associated with Brute Ratel C4, a relatively new sophisticated toolkit "designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities." Authored by an Indian security researcher named  Chetan Nayak , Brute Ratel (BRc4) is analogous to Cobalt Strike and is  described  as a "customized command-and-control center for red team and adversary simulation." The commercial software was first released in late 2020 and has since gained over 480 licenses across 350 customers. Each license is offered at $2,500 per user for a year, after which it can be renewed for the same duration at the cost of $2,250. BRc4 is equipped with a wide variety of features,
Researchers Takeover Unpatched 3rd-Party Antivirus Sandboxes via VirusTotal

Researchers Takeover Unpatched 3rd-Party Antivirus Sandboxes via VirusTotal

Apr 25, 2022
Security researchers have disclosed a security issue that could have allowed attackers to weaponize the VirusTotal platform as a conduit to achieve remote code execution (RCE) on unpatched third-party sandboxing machines employed antivirus engines. The flaw, now patched, made it possible to "execute commands remotely within [through] VirusTotal platform and gain access to its various scans capabilities," Cysource researchers Shai Alfasi and Marlon Fabiano da Silva said in a report exclusively shared with The Hacker News. VirusTotal , part of Google's Chronicle security subsidiary, is a malware-scanning service that analyzes suspicious files and URLs and checks for viruses using more than 70 third-party antivirus products. The attack method involved uploading a DjVu file via the platform's web user interface that when passed to multiple third-party malware scanning engines could trigger an exploit for a high-severity remote code execution flaw in ExifTool , an op
VirusTotal Releases Ransomware Report Based on Analysis of 80 Million Samples

VirusTotal Releases Ransomware Report Based on Analysis of 80 Million Samples

Oct 14, 2021
As many as 130 different ransomware families have been found to be active in 2020 and the first half of 2021, with Israel, South Korea, Vietnam, China, Singapore, India, Kazakhstan, Philippines, Iran, and the U.K. emerging as the most affected territories, a comprehensive analysis of 80 million ransomware-related samples has revealed. Google's cybersecurity arm VirusTotal attributed a significant chunk of the activity to the GandCrab ransomware-as-a-service (RaaS) group (78.5%), followed by Babuk (7.61%), Cerber (3.11%), Matsnu (2.63%), Wannacry (2.41%), Congur (1.52%), Locky (1.29%), Teslacrypt (1.12%), Rkor (1.11%), and Reveon (0.70%). "Attackers are using a range of approaches, including well-known botnet malware and other Remote Access Trojans (RATs) as vehicles to deliver their ransomware," VirusTotal Threat Intelligence Strategist Vicente Diaz  said . "In most cases, they are using fresh or new ransomware samples for their campaigns." Some of the oth
VirusTotal Adds Cynet's Artificial Intelligence-Based Malware Detection

VirusTotal Adds Cynet's Artificial Intelligence-Based Malware Detection

Jun 23, 2020
VirusTotal, the famous multi-antivirus scanning service owned by Google, recently announced new threat detection capabilities it added with the help of an Israeli cybersecurity firm. VirusTotal provides a free online service that analyzes suspicious files and URLs to detect malware and automatically shares them with the security community. With the onslaught of new malware types and samples, researchers rely on the rapid discovery and sharing provided by VirusTotal to keep their companies safe from attacks. VirusTotal relies on a continuous stream of new malware discoveries to protect its members from significant damage. Cynet , the creator of the autonomous breach protection platform, has now integrated its Cynet Detection Engine into VirusTotal. The benefits of this partnership are twofold. First, Cynet provides the VirusTotal partner network cutting-edge threat intelligence from its ML-based detection engine (CyAI) that actively protects the company's clients around th
Operator of VirusTotal Like Malware-Scanning Service Jailed for 14 Years

Operator of VirusTotal Like Malware-Scanning Service Jailed for 14 Years

Sep 22, 2018
A Latvian hacker behind the development and operation of counter antivirus service "Scan4You" has finally been sentenced to 14 years in prison. 37-year-old Ruslans Bondars, described as a Latvian "non-citizen" or "citizen of the former USSR who had been residing in Riga, Latvia," was found guilty on May 16 in federal court in Alexandria, during which a co-conspirator revealed he had worked with Russian law enforcement. Bondars created and ran Scan4you—a VirusTotal like online multi-engine antivirus scanning service that allowed hackers to run their code by several popular antiviruses to determine if their computer virus or malware would be flagged during routine security scans before launching them into a real-world malware campaign. While legal scanning services share data about uploaded files with the antivirus firms, Scan4you instead informed its users that they could "upload files anonymously and promised not to share information about the
VirusTotal launches 'Droidy' sandbox to detect malicious Android apps

VirusTotal launches 'Droidy' sandbox to detect malicious Android apps

Apr 05, 2018
One of the biggest and most popular multi-antivirus scanning engine service has today launched a new Android sandbox service, dubbed VirusTotal Droidy , to help security researchers detect malicious apps based on behavioral analysis. VirusTotal, owned by Google, is a free online service that allows anyone to upload files to check them for viruses against dozens of antivirus engines simultaneously. Android Sandbox performs both static and dynamic analysis to automatically detect suspicious applications by executing and monitoring applications in a simulated Android OS environment. Behavioral reports for Android applications (APKs) is not new to VirusTotal, as the website already had service since 2013 that worked based on Cuckoo Sandbox , an open source automated malware analysis system. Replacing this existing system, VirusTotal Droidy has been integrated in the context of the multi-sandbox project and can extract "juicy" details, such as: Network communicatio
How Top Companies Accidentally Leaking Terabytes of Sensitive Data Online

How Top Companies Accidentally Leaking Terabytes of Sensitive Data Online

Aug 09, 2017
An anti-malware detection service provider and premium security firm has been accused of leaking terabytes of confidential data from several Fortune 1000 companies, including customer credentials, financial records, network intelligence and other sensitive data. However, in response to the accusations, the security firm confirmed that they are not pulling sensitive files from its customers; instead, it's up to companies—who are accidentally (but explicitly) sharing their sensitive data to leverage an optional cloud-based anti-malware service. On Wednesday, Information security firm DirectDefense published a blog post, claiming that they found a major issue with endpoint detection and response (EDR) solution offered by US-based company Carbon Black, alleging that the company is leaking hundreds of thousands of sensitive files from its customers. Carbon Black is a leading incident response and threat hunting company that offers security products to nearly thirty of the larg
VirusTotal now Scans Mac OS X Apps for Malware

VirusTotal now Scans Mac OS X Apps for Malware

Nov 19, 2015
Do Mac Computers Get Viruses? Yes, Of Course, they do!  According to stats, malware for MAC OS X has appeared five times more in 2015 alone than the previous five years combined. As malware for Macs is becoming more common, Google has decided to add support for Mac  OS X malware detection to its VirusTotal web-based service. VirusTotal — launched in 2004 and acquired by Google in 2012 — is a free and popular online service for security researchers and Hackers that lets you upload files to check them for viruses. VirusTotal scans uploaded files with more than 55 different Antivirus products and Online scan engines to provide a combined report on the results. VirusTotal also runs certain ' Windows PE files and Android apps ' files in the Sandbox , a controlled research environment used for malware analysis. According to the recent announcement, VirusTotal will also be able to execute suspicious Mac executable files inside its Sandbox environment
Microsoft's Process Explorer added VirusTotal Multi-Antivirus Scanner support

Microsoft's Process Explorer added VirusTotal Multi-Antivirus Scanner support

Feb 01, 2014
Process Explorer , a part of the Microsoft's Sysinternals suite of applications is an alternate task manager for Windows, which offers far more features than 'on-board'. Microsoft's Windows Sysinternal Suite has released the latest version of Process Explorer v16.0  that has an awesome feature which allows a user to scan any running program files with a web-based multi-antivirus scanner VirusTotal . Process Explorer sends the hashes of images and files shown in the process and DLL views to VirusTotal,  and if they have been previously scanned, it reports how many antivirus engines identified them as possibly malicious. This new version of 'Process Explorer' is better than ever before, and is quite fast that allows you to find unwanted malware  immediately and respective hyper-linked result takes you to VirusTotal.com's  detailed report page and there you can even submit more files for scanning. Whenever your system starts doing sluggish behavior
CFR watering hole attack also target Capstone Turbine Corporation

CFR watering hole attack also target Capstone Turbine Corporation

Jan 02, 2013
Last week Council on Foreign Relations website was compromised and recently hit by a drive-by attack using a zero day Internet Explorer 6 vulnerability for Cyber Espionage attack, suspected by Chinese Hackers. Later Microsoft confirmed that  Internet Explorer 6, 7, and 8 are vulnerable to remote code execution hacks. According to researcher  Eric Romang , CFR watering hole attack (CVE-2012-4969 and CVE-2012-4792) has also target Capstone Turbine Corporation website since mid-September. He was able to find a cached version of the first JavaScript that starts the drive-by attack. Then on further search finds that by doing a Google dork search site:capstoneturbine.com "_include"  we can see something strangely like CFR.org "news_14242aa.html" file. Capstone Turbine Corporation is the world's leading producer of low-emission microturbine systems, and was first to market with commercially viable microturbine energy products. Capstone Turbine has shipped thousands of Capstone MicroTurbi
Expert Insights / Articles Videos
Cybersecurity Resources