Antivirus

A nasty new malware strain is stealing data from Linux devices

Audio player loading… A new Linux (opens in new tab) malware has been discovered that is capable of avoiding detection by antivirus programs, steals sensitive data from compromised endpoints (opens in new tab) and infects all processes running on a device.Cybersecurity researchers from Intezer Labs say the malware (opens in new tab), dubbed OrBit, modifies…

Published 3 years ago in
A nasty new malware strain is stealing data from Linux devices
Audio player loading…

A new Linux (opens in new tab) malware has been discovered that is capable of avoiding detection by antivirus programs, steals sensitive data from compromised endpoints (opens in new tab) and infects all processes running on a device.

Cybersecurity researchers from Intezer Labs say the malware (opens in new tab), dubbed OrBit, modifies the LD_PRELOAD environment variable, allowing it to hijack shared libraries and, consequently, intercept function calls. 

“The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands,” Intezer Labs researcher Nicole Fishbein explained.

Hiding in plain sight

“Once the malware is installed it will infect all of the running processes, including new processes, that are running on the machine.”

Up until only recently, most antivirus solutions did not treat OrBit dropper, or payload, as malicious, the researchers said but added that now, some anti-malware service providers do identify OrBit as malicious. 

“This malware steals in

Read More

Be the first to write a comment.

Leave a Reply

Your email address will not be published. Required fields are marked *

Antivirus

Why This Budget-Friendly VPN & Antivirus Combo Is Blowing Up

If you’re looking to score a two-in-one deal, this discounted VPN + antivirus combo from Surfshark is sure to catch your eye…

Published 2 weeks ago in
Why This Budget-Friendly VPN & Antivirus Combo Is Blowing Up

If you’re looking to score a two-in-one deal, this discounted VPN + antivirus combo from Surfshark is sure to catch your eye…
Read More

Continue Reading
Antivirus

Hackers are using Google.com to deliver malware by bypassing antivirus software. Here’s how to stay safe

Attackers use real Google URLs to sneak malware past antivirus and into your browser undetected This malware only activates during checkout, making it a silent threat to online payments The script opens a WebSocket connection for live control, completely invisible to the average user A new browser-based malware campaign has surfaced, demonstrating how attackers are

Published 2 weeks ago in
Hackers are using Google.com to deliver malware by bypassing antivirus software. Here’s how to stay safe
  • Attackers use real Google URLs to sneak malware past antivirus and into your browser undetected
  • This malware only activates during checkout, making it a silent threat to online payments
  • The script opens a WebSocket connection for live control, completely invisible to the average user

A new browser-based malware campaign has surfaced, demonstrating how attackers are now exploiting trusted domains like Google.com to bypass traditional antivirus defenses.

A report from security researchers at c/side, this method is subtle, conditionally triggered, and difficult for both users and conventional security software to detect.

It appears to originate from a legitimate OAuth-related URL, but covertly executes a malicious payload with full access to the user’s browser session.

You may like

  • Google Apps Script abused to launch dangerous phishing attacks
  • Criminals hijacking subdomains of popular websites such as Bose or Panasonic to infect victims with malware: here’s how to stay safe
  • Cybercriminals have found a sneaky way of stealing tax accounts and even encrypted messages: here’s what you need to know

Malware hidden in plain sight

The attack begins with a script embedded in a compromised Magento-based ecommerce site which references a seemingly harmless Google OAuth logout URL: https://accounts.google.com/o/oauth2/revoke.

However, this URL includes a manipulated callback parameter, which decodes and runs an obfuscated JavaScript payload using eval(atob(…)).

The use of Google’s domain is central to the deception – because the script loads from a trusted source, most content security policies (CSPs) and DNS filters allow it through without question.

This script only activates under specific conditions. If the browser appears automated or the URL includes the word “checkout,” it silently opens a WebSocket connection to a malicious server. This means it can tailor malicious behavior to user actions.

Read More

Continue Reading
Antivirus

Hackers Aren’t Just After Your Devices

Antivirus isn’t enough—hackers are after doors they can open…

Published 4 weeks ago in
Hackers Aren’t Just After Your Devices

Antivirus isn’t enough—hackers are after doors they can open…
Read More

Continue Reading
Antivirus

Police takes down AVCheck site used by cybercriminals to scan malware

An international law enforcement operation has taken down AVCheck, a service used by cybercriminals to test whether their malware is detected by commercial antivirus software before deploying it in the wild. …

Published 4 weeks ago in
Police takes down AVCheck site used by cybercriminals to scan malware

An international law enforcement operation has taken down AVCheck, a service used by cybercriminals to test whether their malware is detected by commercial antivirus software before deploying it in the wild. …
Read More

Continue Reading