Malware – Dataconomy (https://dataconomy.ru)

Banshee 2.0 malware targets macOS users and it’s hard to spot
https://dataconomy.ru/2025/01/10/banshee-2-0-malware-targets-macos-users-and-its-hard-to-spot/
Fri, 10 Jan 2025 09:21:18 +0000

The Banshee 2.0 malware, an infostealer targeting macOS, evades antivirus detection by reusing the string-encryption scheme that Apple’s own XProtect antivirus uses to conceal its YARA rules. The stealer has been sold mainly through Russian cybercrime marketplaces since it first appeared in July 2024.

Banshee 2.0 malware uses Apple’s encryption to evade detection

Banshee 2.0 malware, priced at $1,500 a month as a “stealer-as-a-service,” is designed to steal credentials from browsers including Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex, and Opera, and from browser extensions for cryptocurrency wallets such as Ledger, Atomic, Wasabi, Guarda, Coinomi, Electrum, and Exodus. It also collects system information, such as software and hardware details, and the user’s macOS login password.

The initial version of Banshee was routinely flagged by antivirus software because its strings were stored in plaintext. A more potent variant that emerged on September 26 borrowed the string-encryption algorithm used by Apple’s XProtect, and went undetected for nearly two months. Check Point Research found that while most antivirus engines on VirusTotal flagged the original plaintext Banshee samples, the encrypted version was missed by roughly 65 engines.

The source of the encryption technique remains unclear, though Check Point’s reverse engineer Antonis Terefos speculated that the malware author, known as “0xe1” or “kolosain,” might have reverse-engineered XProtect binaries or accessed relevant publications. This newfound encryption has enabled Banshee to conceal its functionality effectively.

“It could be that they performed a reverse engineering of the XProtect binaries, or even read relevant publications, but we can’t confirm it. Once the string encryption of macOS XProtect becomes known — meaning the way the antivirus is storing the YARA rules is reverse-engineered — threat actors can easily ‘reimplement’ the string encryption for malicious purposes,” Antonis Terefos, reverse engineer at Check Point Research, claims.
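The point Terefos makes above cuts both ways: a scanner keyed on plaintext strings stops firing the moment the strings are obfuscated, but once the scheme is known, an analyst can recover the key from a single expected plaintext and scan the decoded image. The following is an added illustration, not Check Point’s, Apple’s or the malware author’s code: the XOR scheme, the indicator list, the key and the fake binary layout are all constructed for the demo and say nothing about XProtect’s or Banshee’s real format.

```python
"""Added example (not Check Point's or Apple's code): a plaintext string
signature versus a sample whose strings are obfuscated with a toy repeating
XOR, and a known-plaintext key recovery of the kind analysts use once the
scheme is understood. The XOR scheme, the indicator list and the fake binary
layout are constructed for this demo and are not Banshee's real format."""

import re

# Constructed indicators: strings a macOS infostealer would plausibly carry.
INDICATORS = [
    b"Library/Application Support/Google/Chrome/Default/Login Data",
    b"Library/Keychains/login.keychain-db",
    b"Exodus",
    b"Electrum",
    b"Ledger",
]
DEMO_KEY = b"\x5a\xa7\x13"  # assumed toy key


def xor_stream(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """Repeating-key XOR; the key index follows the byte's position in the
    whole image (offset + i), so the same call encodes and decodes in place."""
    return bytes(b ^ key[(offset + i) % len(key)] for i, b in enumerate(data))


def build_sample(obfuscated: bool, key: bytes = DEMO_KEY) -> bytes:
    """Constructed stand-in for a Mach-O image: padding, magic, NOP sled,
    then the string table either in clear text or XOR-obfuscated."""
    stub = b"\x00" * 16 + b"\xcf\xfa\xed\xfe" + b"\x90" * 32
    table = b"\x00".join(INDICATORS)
    if obfuscated:
        table = xor_stream(table, key, offset=len(stub))
    return stub + table + b"\x00" * 8


def signature_hits(image: bytes) -> list:
    """What a plain string-signature scanner sees."""
    return [ind.decode() for ind in INDICATORS if ind in image]


def printable_strings(image: bytes, min_len: int = 8) -> list:
    """strings(1)-style extraction: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, image)]


def recover_xor_key(image: bytes, known: bytes, max_key_len: int = 8):
    """Known-plaintext search for a short repeating XOR key (the idea behind
    tools like xorsearch): slide the expected plaintext across the image and
    look for a position where image XOR plaintext is periodic."""
    for off in range(len(image) - len(known) + 1):
        stream = bytes(s ^ p for s, p in zip(image[off:off + len(known)], known))
        for klen in range(1, max_key_len + 1):
            if all(stream[i] == stream[i % klen] for i in range(len(stream))):
                shift = off % klen                      # align key to offset 0
                key = stream[:klen]
                return key[-shift:] + key[:-shift] if shift else key
    return None


def scan_with_key_recovery(image: bytes,
                           known: bytes = b"Library/Application Support/") -> dict:
    """Signature scan, then a retry after recovering the key from one
    expected plaintext fragment."""
    direct = signature_hits(image)
    key = recover_xor_key(image, known)
    decoded = signature_hits(xor_stream(image, key)) if key else []
    return {"direct": direct, "key": key, "after_decode": decoded}


if __name__ == "__main__":
    for label, img in (("plaintext", build_sample(False)),
                       ("obfuscated", build_sample(True))):
        print(label, scan_with_key_recovery(img))
```

Running the block shows the direct scan finding all five indicators in the plaintext image and none in the obfuscated one, while the known-plaintext search recovers the three-byte key and the decoded scan finds all five again. Real samples use longer keys and per-string keys, which is why production tooling decodes strings by emulating the decryption routine rather than by guessing.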

Campaigns and distribution methods

Since late September, Check Point Research has tracked over 26 campaigns using Banshee, falling into two main groups. The first consisted of GitHub repository campaigns that ran from mid-October to early November, advertising cracked versions of popular software with the Banshee payload hidden under generic filenames such as “Setup,” “Installer,” and “Update.” The same repositories targeted Windows users with the Lumma Stealer.

The second category involved phishing sites where attackers disguised Banshee 2.0 as popular software, including Google Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram. Users on macOS were directed to download links for the malicious payload.

On November 23, the source code for Banshee was leaked on the Russian dark web forum XSS, prompting its author to cease operations. Despite the leak, Check Point continues to observe ongoing campaigns distributing Banshee through phishing methods masquerading as legitimate software, emphasizing the malware’s continuing threat to macOS users.

Banshee 2.0’s success shows how quickly macOS stealers now adopt evasion techniques, and why macOS users, long a secondary target, should treat cracked software and unsolicited download links with the same suspicion Windows users have learned to apply.


Featured image credit: Kerem Gülen/Midjourney

Beware of Octo2 malware targeting European banks, disguised as popular apps
https://dataconomy.ru/2024/09/27/google-play-store-octo2-malware/
Fri, 27 Sep 2024 14:26:51 +0000

If you’re used to downloading mobile apps from unofficial platforms, it’s time to exercise caution. A new version of the Octo malware is spreading on Android smartphones across Europe.

Cybersecurity experts are warning of a new Trojan designed to steal banking data. This banking Trojan, known as Octo2, is the latest iteration of a family that traces back to the Exobot malware of 2016.

Disguised as legitimate apps like Google Chrome, Enterprise Europe Network, or NordVPN, Octo2 steals credentials to drain victims’ bank accounts.

Octo2 is a more dangerous version of an old threat

Octo2 isn’t a newcomer to the malicious software scene. Back in 2016, its predecessor, Exobot, performed overlay attacks (fake login screens drawn over legitimate banking apps) and could intercept calls, messages, and push notifications. By 2022, a new version named Octo emerged, adding screen blocking to hide remote-control sessions, keystroke logging, and the ability to send phishing messages from the victim’s device.

Octo2 malware disguises itself as legitimate apps like Google Chrome and NordVPN

The creator of this malware, a hacker known as Architect, has recently seen the source code of Octo leak online. This leak led to a dip in profits, as multiple cybercriminals hijacked the code.

In response, Architect developed Octo2 and provided early access to former users of the original Octo.

Octo2’s dangerous reach

European users are particularly at risk. Countries like Italy, Poland, Moldova, and Hungary have already seen an uptick in Octo2 attacks. The malware, hidden inside fake versions of apps like Google Chrome and NordVPN, is delivered through Zombinder, a third-party service that binds a malicious dropper to a legitimate app so the Trojan is installed alongside it.

Unfortunately, the danger is growing, with new campaigns likely to expand Octo2’s reach, potentially targeting users worldwide.

Why Octo2 is a serious threat

Octo2 presents a significant challenge for mobile banking security. Its creators have refined the Trojan’s capabilities, improving the stability of remote-control sessions by reducing lag. They have also strengthened the obfuscation of the malicious code, making it harder for security tools to detect.

In addition, a domain generation algorithm (DGA) lets the operators switch command-and-control domain names without having to rebuild and redistribute malware samples.

This adaptability makes Octo2 an ongoing threat.
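To make the DGA point concrete, here is an added example that is not ThreatFabric’s or Octo2’s code (the actual Octo2 algorithm is not described on this page): a generic date-seeded DGA of the kind banking Trojans use, shown from the bot’s side, the operator’s side and the defender’s side. The seed, TLD list, domain count and the DNS log lines are all constructed for the demo.

```python
"""Added example, not ThreatFabric's or Octo2's code: a generic date-seeded
domain generation algorithm (DGA). Sample and operator share a seed and the
date, so the operator only registers one of the day's candidates in advance
and can move C2 without shipping a new build. The defender who has extracted
the seed reimplements the same function to precompute candidates, and can
also flag NXDOMAIN bursts, which a DGA produces even when the seed is unknown.
Seed, TLDs, counts and the log lines below are constructed."""

import hashlib
from collections import Counter
from datetime import date, timedelta

SEED = "demo-campaign-seed"      # assumed per-build constant baked into the sample
TLDS = ("com", "net", "xyz")     # assumed
PER_DAY = 5


def generate_domains(day, seed=SEED, count=PER_DAY):
    """Deterministic daily candidate list derived from seed + date + index."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def bot_find_c2(day, resolves):
    """Bot side: walk today's list until one name resolves. `resolves` is a
    callable standing in for a DNS lookup (no network in this demo)."""
    for domain in generate_domains(day):
        if resolves(domain):
            return domain
    return None


def candidate_set(today, window_days=1, seed=SEED):
    """Defender side: precompute candidates for today +/- window_days."""
    names = set()
    for delta in range(-window_days, window_days + 1):
        names.update(generate_domains(today + timedelta(days=delta), seed))
    return names


def analyse_dns_log(lines, today, nxdomain_threshold=3, seed=SEED):
    """Each line: '<ts> <client> <qname> <rcode>'. Matches queries against the
    reimplemented DGA and independently flags clients with many NXDOMAINs."""
    known = candidate_set(today, seed=seed)
    hits, nx = [], Counter()
    for line in lines:
        _ts, client, qname, rcode = line.split()
        if qname in known:
            hits.append((client, qname))
        if rcode == "NXDOMAIN":
            nx[client] += 1
    noisy = sorted(c for c, n in nx.items() if n >= nxdomain_threshold)
    return {"dga_hits": hits, "nxdomain_burst": noisy}


DAY = date(2024, 9, 27)


def sample_log():
    """Constructed log: one infected client walks the list (NXDOMAIN until the
    registered candidate answers); one normal client resolves example.com."""
    todays = generate_domains(DAY)
    lines = [f"2024-09-27T09:00:0{i} 10.0.0.12 {d} NXDOMAIN"
             for i, d in enumerate(todays[:3])]
    lines.append(f"2024-09-27T09:00:04 10.0.0.12 {todays[3]} NOERROR")
    lines.append("2024-09-27T09:00:05 10.0.0.7 example.com NOERROR")
    return lines


if __name__ == "__main__":
    registered = generate_domains(DAY)[3]          # operator registered this one
    print("bot reaches:", bot_find_c2(DAY, lambda d: d == registered))
    print(analyse_dns_log(sample_log(), DAY))
```

The NXDOMAIN heuristic is the part that survives when the seed is not known: a host that fails three or more lookups of random-looking names in a short window is worth a look regardless of which family generated them.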

Octo2 has not infiltrated the Google Play Store yet but poses a growing threat

Luckily, Octo2 is not in the Play Store (yet)

For now, Octo2 has not infiltrated the Google Play Store, but the growing sophistication of this malware means we need to remain more vigilant than ever.

Here are some key steps to avoid falling victim to Octo2:

  • Download apps only from official platforms like the Google Play Store or Apple’s App Store.
  • Check app reviews and developer information to ensure legitimacy.
  • Use reliable antivirus software to detect and block malware before it infects your device.
  • Be wary of permissions that apps request, especially those related to messaging, notifications, or access to personal data.

With Octo2 continuing to evolve, it’s essential to stay proactive in safeguarding your devices from these advanced cyber threats.


Image credits: Emre Çıtak/Ideogram AI

The silent spreaders: How computer worms can sneak into your system undetected?
https://dataconomy.ru/2023/03/20/what-is-a-computer-worm-examples/
Mon, 20 Mar 2023 10:40:30 +0000

What is a computer worm? It is a type of malware that can cause significant damage to computer systems and networks by replicating itself and spreading autonomously. With the rise of technology and the increasing dependence on computers for everyday tasks, cybersecurity has become more critical than ever before.

In a world where cyber threats are evolving and becoming more sophisticated, it is essential to have effective cybersecurity measures in place to protect against the threat of computer worms and other types of malware. In this article, we will explore the world of computer worms, the damage they can cause, and the strategies that individuals and organizations can use to prevent, detect, and remove these threats.

What is a computer worm?

A computer worm is a type of malware that replicates itself and spreads throughout a computer network without the need for a host program or user interaction. It works by exploiting vulnerabilities in the operating system or other software on the target machine to gain access and create copies of itself. Worms can quickly spread to other devices connected to the same network, causing widespread damage and disrupting normal operations.

What is the full form of worm in computer science?

In computer science, the acronym WORM stands for “Write Once, Read Many.” It describes a class of data storage that can be written only once but read many times, such as the optical WORM discs of the 1980s, on which a laser etched data into the disc surface that could never be modified afterwards. The term has nothing to do with malware.

However, in the context of computer security, the term “worm” is used to refer to a self-replicating malware program that spreads through a network, as described in the previous section. The term is used to describe the way in which the malware “worms” its way through a network, infecting as many devices as possible.

What is a computer worm: Computer worms are a type of malware that can self-replicate and spread to other computers and networks

How does a computer worm work?

A computer worm typically works in the following way:

  1. The worm finds a vulnerability in a computer system or network and exploits it to gain access.
  2. Once inside, the worm begins to replicate itself and spread to other systems on the network.
  3. The worm may also install additional malicious software on the infected systems or carry out other harmful actions, such as deleting files or stealing sensitive data.
  4. The worm can continue to spread and cause damage until it is detected and removed.

Some key characteristics of computer worms include:

  • They can spread rapidly and autonomously without human intervention
  • They can consume significant amounts of network bandwidth and resources
  • They can damage or corrupt files, delete data, or install additional malware
  • They can be difficult to detect and remove, especially if they are designed to hide their presence

Computer worm vs virus

While computer worms and viruses are both types of malware, there are some key differences between the two. Here is a summary table comparing the two:

Feature | Computer worm | Virus
Replication | Copies itself as a standalone program; needs no host | Inserts itself into a host file or program
Propagation | Moves between machines over the network, usually by exploiting a vulnerability or weak credentials | Moves when the infected file is copied, shared or executed
User interaction | None required | Usually needs the user to open or run the infected file
Payload | Anything the author chooses: backdoors, data theft, deletion, installing further malware | The same range; historically file corruption or data theft
Detection | Network symptoms (scanning, bandwidth spikes) often show first; on the host it can be hard to find if it hides itself | Signature or heuristic scanning of files by antivirus software
Examples | Morris Worm, CodeRed, Conficker | Brain, Melissa

Examples of famous computer worms

Here are some examples of famous computer worms:

  • Conficker: First seen in November 2008. It exploited the MS08-067 vulnerability in the Windows Server service and later also spread via weak administrative-share passwords and removable media, infecting millions of machines and building a botnet whose operators could push further malware to infected hosts.
  • CodeRed: Appeared in July 2001. It exploited a buffer overflow in the indexing-service ISAPI extension of Microsoft’s IIS web server, infected hundreds of thousands of servers within a day, defaced websites and attempted a denial-of-service attack against the White House website.
  • Morris Worm: Released in November 1988 and widely considered the first Internet worm. It used a sendmail debug-mode hole, a buffer overflow in fingerd, trusted rsh/rexec logins and weak passwords to infect roughly 6,000 UNIX machines, a sizeable fraction of the Internet at the time; its author was the first person convicted under the US Computer Fraud and Abuse Act.
  • Stuxnet: Discovered in 2010 and widely attributed to the United States and Israel. It spread through Windows, including over USB drives and via several zero-day vulnerabilities, in order to reach Siemens industrial control systems and sabotage the centrifuges used in Iran’s uranium enrichment program.

These examples illustrate the significant impact that computer worms can have on computer systems and networks, as well as the need for effective cybersecurity measures to prevent and mitigate these threats.

What is a computer worm: Unlike viruses, worms do not need to attach themselves to a host program in order to infect a system

Impact of computer worms

Computer worms can cause significant damage to computer systems and networks, as well as the data and information they contain. Here are some key impacts of computer worms:

Damage caused by computer worms

  • Data loss or theft: Worms can cause data loss or theft by deleting or corrupting files or stealing sensitive information.
  • System damage: Worms can damage or destroy computer systems by overloading them with requests or causing them to crash.
  • Network disruptions: Worms can cause network disruptions by consuming large amounts of bandwidth or disrupting the flow of network traffic.
  • Financial losses: Worms can cause financial losses by disrupting business operations or stealing money or other assets.

Types of systems and data affected by computer worms

Computer worms can affect a wide range of systems and data, including:

  • Operating systems: Worms can exploit vulnerabilities in operating systems to gain access to computer systems and networks.
  • Applications: Worms can exploit vulnerabilities in applications, such as web browsers or email clients, to gain access to computer systems and networks.
  • Data: Worms can delete or corrupt data, steal sensitive information, or lock users out of their own systems or data.
  • Networks: Worms can cause disruptions to computer networks, such as slowing down or disabling internet access.

Costs associated with worm attacks

The costs associated with worm attacks can be significant and include the following:

  • Lost productivity: Worms can cause significant disruptions to business operations, resulting in lost productivity and revenue.
  • IT costs: Worm attacks often require significant IT resources to investigate, contain, and mitigate the damage.
  • Legal and regulatory costs: Companies that experience worm attacks may face legal or regulatory penalties for failing to protect sensitive data or customer information.
  • Reputation damage: Worm attacks can damage a company’s reputation, resulting in lost customers or revenue.

Computer worms can have a significant impact on computer systems and networks, causing damage to data, applications, and networks, as well as financial and other costs to organizations that fall victim to these attacks. It is therefore essential for individuals and organizations to implement effective cybersecurity measures to prevent and mitigate the damage caused by computer worms.

What is a computer worm: Worms can spread rapidly and cause significant damage to data and systems

How to prevent computer worms?

Preventing computer worms requires a multi-layered approach that includes both technical and behavioral measures. Here are some key strategies for preventing computer worms:

Anti-virus software

Anti-virus software is a key tool in preventing computer worms. It can detect and remove known worms, as well as other types of malware, before they can cause damage. Some key features of anti-virus software include:

  • Real-time scanning: Anti-virus software can scan incoming files and programs in real-time to detect and prevent infections.
  • Regular updates: Anti-virus software should be updated regularly to ensure that it is able to detect the latest threats.
  • Quarantine and removal: If an infection is detected, anti-virus software can quarantine the infected file and remove the threat.

Firewall protection

Firewalls are another important tool in preventing computer worms. A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Some key features of firewall protection include:

  • Blocking suspicious traffic: Firewalls can block traffic from known malicious IP addresses or block traffic that does not meet predefined security rules.
  • Configuring network access: Firewalls can be configured to allow or deny access to specific network resources based on security rules.
  • Monitoring traffic: Firewalls can monitor network traffic to detect and prevent suspicious activity.
What is a computer worm: Worms often exploit vulnerabilities in software or operating systems in order to gain access to a system

Best practices to protect against computer worms

In addition to technical measures, there are also several best practices that individuals and organizations can follow to protect against computer worms:

  • Use strong passwords and enable multi-factor authentication to prevent unauthorized access.
  • Be cautious when opening email attachments or clicking on links, especially from unknown sources.
  • Keep software and operating systems up to date with the latest security patches and updates.
  • Regularly backup important data to prevent data loss in the event of an infection.
  • Use caution when downloading and installing software, and only download from reputable sources.

Importance of keeping software updated

Keeping software and operating systems up to date is critical in preventing computer worms. This is because worms often exploit vulnerabilities in software to gain access to computer systems and networks. By regularly updating software and operating systems with the latest security patches and updates, individuals and organizations can ensure that known vulnerabilities are patched and protected against. This can significantly reduce the risk of infection from computer worms and other types of malware.
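The four-step procedure in “How does a computer worm work?” and the patching argument just made can be put into one small model. The following is an added example, not code from the article: a discrete-time simulation in which each infected host probes a few random addresses per tick and infects any unpatched, still-clean target. The host count, scan rate, patch fractions and seed are assumed values chosen for the demo.

```python
"""Added example (not from the article): a small discrete-time model of
worm propagation. Each infected host probes `scans_per_tick` random hosts
per tick (the worm does not know which ones are vulnerable); an unpatched,
still-clean target becomes infected. Patching removes hosts from the
susceptible pool, which is what decides whether an outbreak takes off.
Host count, scan rate, patch fractions and seed are assumed values."""

import random


def simulate_worm(n_hosts=500, patched_fraction=0.0, scans_per_tick=3,
                  ticks=15, seed=7):
    """Return the number of infected hosts after each tick (index 0 = start)."""
    rng = random.Random(seed)
    hosts = list(range(n_hosts))
    patched = set(rng.sample(hosts, int(n_hosts * patched_fraction)))
    susceptible = [h for h in hosts if h not in patched]
    if not susceptible:
        return [0] * (ticks + 1)
    infected = {rng.choice(susceptible)}          # patient zero
    history = [len(infected)]
    for _ in range(ticks):
        newly = set()
        for _host in infected:
            # Random scanning: most probes hit patched or already-infected hosts.
            for target in rng.choices(hosts, k=scans_per_tick):
                if target not in patched and target not in infected:
                    newly.add(target)
        infected |= newly
        history.append(len(infected))
    return history


def herd_threshold(scans_per_tick):
    """Mean-field estimate: while the network is mostly clean, one infected
    host creates about scans_per_tick * (1 - p) new infections per tick, so
    the outbreak stalls once the patched fraction p exceeds 1 - 1/scans."""
    return 1.0 - 1.0 / scans_per_tick


def compare_patch_levels(levels=(0.0, 0.5, 0.9), **kw):
    """Final infected count per patch level; same seed, so the runs differ
    only in patch coverage."""
    return {p: simulate_worm(patched_fraction=p, **kw)[-1] for p in levels}


if __name__ == "__main__":
    for p, final in compare_patch_levels().items():
        print(f"patched {p:.0%}: {final} infected after 15 ticks")
    print("mean-field threshold for 3 scans/tick:", herd_threshold(3))
```

With no patching the whole population is infected within a handful of ticks; at 90 percent coverage the same worm barely gets off the ground. The model ignores network topology and scan failures, so treat the threshold as intuition rather than a target.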

Preventing computer worms requires a multi-layered approach that includes technical measures such as anti-virus software and firewall protection, as well as behavioral measures such as following best practices and keeping the software and operating systems up to date with the latest security patches and updates. By implementing these strategies, individuals and organizations can significantly reduce the risk of infection from computer worms and other types of malware.

Detection and removal of computer worms

Detecting and removing computer worms can be challenging, as worms are often designed to evade detection and spread quickly throughout a network. Here are some key strategies for detecting and removing computer worms:

Symptoms of a computer worm attack

Some common symptoms of a computer worm attack include:

  • Slow or unresponsive system performance
  • Unexpected system crashes or reboots
  • Unusual network activity or slow internet speeds
  • Pop-up windows or error messages
  • Unexplained changes to system settings or files
  • Increased disk usage or other abnormal system behavior
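The “unusual network activity” symptom is the one a network team can check mechanically. The following is an added example, not from the article: a detector that reads connection-log lines and flags a source that touches many distinct destinations on one port with most attempts failing, which is what a scanning worm looks like. It also shows the caveat that a browsing workstation contacts many hosts too, but its connections succeed. The log format, addresses and thresholds are assumed for the demo.

```python
"""Added example (not from the article): a scan detector for the 'unusual
network activity' symptom, run over constructed connection logs. A worm
sweeping a subnet shows as one source hitting many distinct destinations on
a single port with mostly failed attempts; a busy but benign client also
touches many hosts, so the failure ratio is what separates the two.
Log format, hosts and thresholds are assumed."""

from collections import defaultdict


def detect_scanners(lines, min_targets=10, min_fail_ratio=0.5):
    """Each line: '<ts> <src> <dst> <dport> <outcome>'. Returns sorted
    (src, dport, distinct_targets, fail_ratio) tuples that look like scans."""
    stats = defaultdict(lambda: {"targets": set(), "total": 0, "failed": 0})
    for line in lines:
        _ts, src, dst, dport, outcome = line.split()
        entry = stats[(src, int(dport))]
        entry["targets"].add(dst)
        entry["total"] += 1
        if outcome != "ESTABLISHED":        # SYN without answer, RST, etc.
            entry["failed"] += 1
    alerts = []
    for (src, dport), entry in stats.items():
        fail_ratio = entry["failed"] / entry["total"]
        if len(entry["targets"]) >= min_targets and fail_ratio >= min_fail_ratio:
            alerts.append((src, dport, len(entry["targets"]), round(fail_ratio, 2)))
    return sorted(alerts)


def sample_flows():
    """Constructed log: 10.0.0.12 sweeps 10.0.0.1-30 on TCP 445 and only two
    hosts answer; 10.0.0.7 browses a dozen web servers on 443, all succeed."""
    lines = []
    for i in range(1, 31):
        outcome = "ESTABLISHED" if i in (5, 17) else "SYN_NOACK"
        lines.append(f"2023-03-20T10:00:{i:02d} 10.0.0.12 10.0.0.{i} 445 {outcome}")
    for i in range(1, 13):
        lines.append(f"2023-03-20T10:01:{i:02d} 10.0.0.7 203.0.113.{i} 443 ESTABLISHED")
    return lines


if __name__ == "__main__":
    for alert in detect_scanners(sample_flows()):
        print("possible worm scan:", alert)
```

Only the SMB sweep is reported; the web client has more than ten targets but a zero failure ratio. In production the same logic runs over a sliding time window so a slow scanner does not escape by spreading probes across hours.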

Steps to take if your computer has been infected

If you suspect that your computer has been infected with a worm, it is important to take immediate action to prevent further damage. Here are some steps you can take:

  • Isolate the machine: Disconnect it from the network, not just the internet, because worms spread laterally to neighbouring hosts on the same LAN.
  • Run anti-virus software: Use up-to-date anti-virus software to scan for and remove the worm, and check other hosts on the same network, since an infected neighbour will simply reinfect the cleaned machine.
  • Install security patches: Identify the vulnerability the worm used and patch it (and the rest of the fleet) before reconnecting; otherwise the machine is reinfected as soon as it is back online.
  • Change passwords: Change any passwords that may have been compromised during the infection, especially shared administrative credentials, which many worms use to spread.
  • Back up important data: Back up important data to prevent data loss in case the worm causes damage or corruption, and keep backups offline so a worm cannot reach them.
What is a computer worm: Some of the most famous computer worms include CodeRed, ILOVEYOU, Conficker, Morris Worm, and Stuxnet

Tools and techniques to detect and remove computer worms

Here are some common tools and techniques that can be used to detect and remove computer worms:

  • Anti-virus software: Anti-virus software can detect and remove known worms, as well as other types of malware.
  • Firewall protection: Firewalls can block incoming traffic from known malicious IP addresses or block traffic that does not meet predefined security rules; blocking unneeded inbound ports (SMB, RPC, RDP) on hosts removes most of a worm’s targets.
  • Malware scanners: Dedicated on-demand malware scanners can find and remove infections that a resident anti-virus missed.
  • Rootkit detection tools: Rootkit detection tools can detect hidden malware, including worms that conceal their processes or files.
  • System restore and reimaging: System restore can roll a system back to a state before the infection, but restore points can themselves contain the worm, so rescan afterwards; for a heavily damaged machine, reinstalling from a known-good image is the safer option.

Detecting and removing computer worms requires a combination of tools and techniques, including anti-virus software, firewall protection, malware scanners, rootkit detection tools, and system restore. It is important to be aware of the symptoms of a worm attack and to take immediate action to prevent further damage. By following best practices for cybersecurity and staying vigilant, individuals and organizations can help protect against the threat of computer worms and other types of malware.

What are 5 examples of computer worms?

Here are five examples of famous computer worms:

  • CodeRed (2001): Exploited an IIS buffer overflow, infected hundreds of thousands of web servers within a day, defaced sites and attempted a denial-of-service attack against the White House website.
  • ILOVEYOU (2000): A Visual Basic Script attachment that mailed itself to every contact in the victim’s Outlook address book; it infected millions of computers and caused billions of dollars in damage, making it one of the most destructive worms in history.
  • Conficker (2008): Exploited MS08-067 and weak share passwords to infect millions of Windows machines and build a massive botnet.
  • Morris Worm (1988): Widely considered the first Internet worm; infected roughly 6,000 UNIX systems and caused significant disruption to the networks of the time.
  • Stuxnet (2010): Widely attributed to the United States and Israel; infected industrial control systems to cause physical damage to the centrifuges used in Iran’s uranium enrichment program.
What is a computer worm: Effective cybersecurity measures, such as anti-virus software, firewalls, and best practices, are essential in preventing and mitigating the damage caused by computer worms

Bottom line

Back to our original question: What is a computer worm? Well, a computer worm is a type of malware that can spread rapidly through computer systems and networks, causing significant damage to data and systems.

As we have seen, computer worms can be difficult to detect and remove, and they can cause a range of problems, from data loss to network disruptions. The best way to protect against computer worms is to implement a multi-layered approach that includes technical measures such as anti-virus software and firewalls, as well as behavioral measures such as following best practices and staying vigilant.

By keeping software and systems up to date and being aware of the latest threats and trends in computer worm attacks, individuals and organizations can help to prevent, detect, and mitigate the damage caused by these malicious programs. In the end, it all comes down to effective cybersecurity practices and the constant need to stay one step ahead of the ever-evolving threat of computer worms and other types of malware.

FAQ

Are computer worms harmful?

Yes, computer worms can be harmful. A computer worm is a type of malware that spreads copies of itself from computer to computer, often using the internet or other computer networks. Worms can consume bandwidth and system resources, causing computers to slow down or crash. In addition, some worms may be designed to carry out malicious actions, such as stealing sensitive information or damaging computer systems.

Which is faster worm or virus?

Generally speaking, worms are faster than viruses because they are self-replicating and can spread quickly through a network without the need for human intervention. Viruses, on the other hand, need to be attached to a file or program in order to spread, which can slow down the replication process.




What is ransomware?

Ransomware is a type of malware that encrypts files on a computer or network, rendering them inaccessible to the user. The attacker then demands payment, typically in the form of cryptocurrency, in exchange for providing the decryption key to restore access to the files. Ransomware attacks can be devastating to individuals and organizations, as they can result in the loss of important data and financial resources.

What is phishing?

Phishing is a type of social engineering attack that involves tricking individuals into divulging sensitive information, such as passwords or credit card numbers, by posing as a trustworthy entity in an electronic communication, such as an email or text message. Phishing attacks can be difficult to detect, as they often use convincing-looking logos and branding to appear legitimate. It is important to be cautious when receiving unexpected electronic messages and to verify the authenticity of any requests for sensitive information.

Spyware activities are on the rise, thanks to never-ending zero-day vulnerabilities
https://dataconomy.ru/2022/08/08/spyware-activities-on-the-rise-in-july-2022/
Mon, 08 Aug 2022 13:53:07 +0000

Vulnerability exploitation and spyware activities picked up in July, with abnormally high amounts of activity observed in incursions connected to spyware, according to research conducted by Recorded Future. The creators of mercenary spyware appear to have been unusually active in weaponizing common vulnerabilities and exposures (CVEs). It is unknown, however, whether this is simply due to other threat actors being less active during the summer.

The CVE report details the latest spyware activities

Spyware is malicious software installed on a device without the end user’s knowledge. It collects sensitive information and internet usage data from the device and sends it to advertisers, data brokers or other third parties.

Spyware is one of the most common online threats

The software that is downloaded without the user’s permission is called spyware. Spyware is contentious because, even when installed for seemingly innocuous reasons, it can breach the privacy of the end user and has the potential to be abused.

Spyware is one of the most common online threats. Once installed, it monitors internet traffic, tracks login passwords, and eavesdrops on sensitive information. Spyware’s primary purpose is to collect credit card numbers, banking information, and passwords.

This malicious software is one of the most common online threats

This is the third monthly vulnerability bulletin created by Recorded Future’s Insikt Group’s threat research team; the first was released in June to coincide with the launch of Microsoft’s automated patching service for organizations, which has helped many people feel less anxious about Patch Tuesday.

The CVE monthly report will now be released by Recorded Future on the first Tuesday of each month, with Patch Tuesday continuing to be released on the second Tuesday.

In its most recent report, the research team stated that it had observed the distribution of spyware using newly disclosed zero-day vulnerabilities that affected both Microsoft and Google. The team claimed this showed an often close relationship between top-tier spyware developers and new zero-days.


The Russo-Ukrainian War rewrites the laws of cyber-warfare


“On July 4, 2022, Google disclosed an actively exploited zero-day vulnerability, CVE-2022-2294, which affects Google Chrome. While the company did not disclose details about attacks involving this flaw, it was not long before others reported exploitation,” the team explained.

Spyware infiltrates the device, obtains sensitive information and internet usage statistics, and then sends it to advertising, data firms, or other users

On July 21, 2022, Avast threat researchers (who were the first to alert Google to the issue) published a report detailing a campaign in which Israeli spyware firm Candiru used CVE-2022-2294 to distribute DevilsTongue software.

Another zero-day vulnerability, this time for Microsoft, was linked to spyware. Microsoft announced a zero-day vulnerability, CVE-2022-22047, on July 12, 2022, affecting the most recent releases of Windows and Windows Server. The mercenary threat organization Knotweed, operating in Austria, used this vulnerability to spread its Subzero spyware.


Security as a service leaves cybersecurity to the experts, but it is a double-edged sword


“A second vulnerability, CVE-2022-30216, also affects current versions of Windows and Windows Server and has a very high CVSS score due to remote code execution, but we have not yet seen exploitation attempts,” the researchers said.

Among the other more serious vulnerabilities in July 2022 were a remote code execution (RCE) vulnerability in Apache Spark, tracked as CVE-2022-33891 and found by Databricks researcher Kostya Kortchinsky, which was exploited in the wild within 48 hours of disclosure, and a SQL injection vulnerability in the Django Python web framework, tracked as CVE-2022-34265.

CVE-2022-30190, commonly known as Follina, a risky zero-click vulnerability in Microsoft Office that, if left unpatched, enables a threat actor to execute PowerShell commands without any user input, continued to see high levels of exploitation in July. Although Follina was made public at the end of May and addressed in the June Patch Tuesday update, many organizations have still not applied the patch.

“If we could have predicted any vulnerability to see high-profile exploitation after initial disclosure, it would have been Follina. Sure enough, on July 6, 2022, Fortinet researchers released an analytic report on a phishing campaign using Follina to distribute the Rozena backdoor. This malware allows attackers to take over Windows systems completely. Fortinet researchers observed adversaries using Rozena to inject a remote shell connection back to the attacker’s machine,” the Recorded Future team stated.

PayPal Announces Acquisition of Israeli Security Startup CyActive (Wed, 11 Mar 2015) https://dataconomy.ru/2015/03/11/paypal-announces-acquisition-of-israeli-security-startup-cyactive/

Following its acquisition of Braintree and Paydiant, PayPal has now announced that it is acquiring predictive cyber security company CyActive.

Israel-based start-up CyActive is just a year old and is already getting a lot of attention from investors such as SFS, VC and the venture capital unit at Siemens.

CyActive has developed the ability to automatically forecast the future of malware evolution, based on bio-inspired algorithms and a deep understanding of the black hats’ hacking process. CyActive is the first to offer proactive detection of future malware before it has ever seen the light of day. The resulting solution delivers unparalleled protection to IT and OT assets. CyActive is backed by JVP, Israel’s leading venture capital firm, and by the Venture Capital Unit of Siemens.

Danny Lev, CyActive’s chief marketing officer, explained the background at the Smart Energy UK and Europe Summit 2015: “When an organization experiences an attack, a security measure is placed in order to block it. However, the hacker can then simply make a slight modification to the original code to evade the security measures. These variants form a never-ending cat and mouse game between hackers and defenders. When you look at the APT (advanced persistent threat) level, you’ll find there has never been an attack chain to date that did not contain at least one reused component.”

“Of the new malwares, 98% are ‘direct descendants’ or variants of old versions, and of the remaining 2%, 1.99% are ‘cousins’ that share modules and methods.”

Given this, CyActive’s biomimicry-based approach is to take a malware sample and permute it to predict the thousands of variants that hackers would likely produce over the following three to five years.

“We are effectively fast forwarding the future of malware evolution,” says Lev, noting that the cost and time involved make it nearly impossible to write a complete new attack chain from scratch.

She adds that the company addresses the “investment asymmetry between hackers and defenders – for every dollar invested by hackers on little variations, thousands are lost by the defenders dealing with them.” Citing examples from the financial sector for which figures are available, she says that Zeus variants cost $100 but their damage exceeded $100 million, while Black POS, the reused malware behind the attacks on Target and Home Depot, cost $1,800 per variant but inflicted damage of over $250 million. “In each of these attacks, our solution could have stopped the whole attack chain, based on the reused component.”

CyActive’s detectors are created in CyActive’s cloud, where they are trained on future attacks forecasted by CyActive’s predictive engine. The detectors are then deployed on the client network (both classic enterprise network and SCADA equipment and embedded devices).

Reports suggest that the deal is worth at least $60m. PayPal has ventured into the Israeli startup market before: it acquired Israeli risk tools and analytics firm Fraud Sciences. eBay (soon to be split from PayPal), meanwhile, has a Tel Aviv-based research and development center built on the buyouts of two Israeli startups – Magento, an open source online retail platform, acquired in 2011, and The Gifts Project, a social commerce company that lets friends buy gifts together online, also acquired in 2011.

(image credit: CyActive)
