The d8s-urls package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package. The affected version is 0.1.0.

**Project description**

**Democritus Urls**

      

Democritus functions\[1\] for working with URLs.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

**Installation**

    pip install d8s-urls
    

**Usage**

You import the library like:

from d8s\_urls import \*

Once imported, you can use any of the functions listed below.

**Functions**

*   def url\_scheme(url: str) \-> str:
        """Return the scheme of the url."""
    
*   def url\_fragment(url: str) \-> str:
        """Return the fragment of the url."""
    
*   def url\_examples(n: int \= 10) \-> List\[str\]:
        """Create n URLs."""
    
*   def urls\_find(text: str, \*, domain\_name: str \= '', \*\*kwargs) \-> List\[str\]:
        """Parse URLs from the given text. If a domain name is given, only urls with the given domain name will be returned."""
    
*   def url\_canonical\_form(url: str) \-> str:
        """Get the canonical url."""
    
*   def url\_scheme\_remove(url: str):
        """Remove the scheme from the given URL."""
    
*   def url\_query\_strings\_remove(url: str) \-> str:
        """Return the URL without any query strings."""
    
*   def url\_query\_strings(url: str) \-> Dict\[str, List\[str\]\]:
        """Return all of the query strings in the url."""
    
*   def url\_query\_string(url: str, query\_string: str) \-> List\[str\]:
        """Return the value of the given query string in the given url."""
    
*   def url\_query\_string\_add(url: str, query\_string\_field: str, query\_string\_value: str) \-> str:
        """."""
    
*   def url\_query\_string\_remove(url: str, query\_string\_field\_to\_remove: str) \-> str:
        """Remove the query string at the given field."""
    
*   def url\_query\_string\_replace(url: str, query\_string\_field: str, query\_string\_value: str) \-> str:
        """."""
    
*   def url\_path(url: str) \-> str:
        """Return the path of the url."""
    
*   def url\_path\_segments(url: str) \-> List\[str\]:
        """Return all of the segments of the url path."""
    
*   def url\_fragments\_remove(url: str) \-> str:
        """Return the URL without any fragments."""
    
*   def url\_file\_name(url: str) \-> str:
        """Get the file name of the URL."""
    
*   def url\_domain(url: str) \-> str:
        """Return the domain of the given URL."""
    
*   def get\_first\_arg\_url\_domain(func):
        """If the first argument is a url, get the domain of the url and pass that into the function."""
    
*   def url\_domain\_second\_level\_name(url: str) \-> str:
        """Find the second level domain name for the URL (e.g. 'http://example.com/test/bingo' => 'example') (see https://en.wikipedia.org/wiki/Domain\_name#Second-level\_and\_lower\_level\_domains)."""
    
*   def url\_join(url: str, path: str):
        """Join the URL to the URL path."""
    
*   def is\_url(possible\_url: str) \-> bool:
        """Check if the given string is a URL."""
    
*   def url\_screenshot(url: str, output\_file\_path: str \= '') \-> bytes:
        """."""
    
*   def url\_as\_punycode(url: str) \-> str:
        """Convert the domain name of the URL to Punycode."""
    
*   def url\_as\_unicode(url: str) \-> str:
        """Convert the domain name of the URL to Unicode."""
    
*   def url\_simple\_form(url: str) \-> str:
        """Return the URL without query strings or fragments."""
    
*   def url\_schemes() \-> List\[str\]:
        """Get the url schemes from https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml."""
    
*   def url\_from\_google\_redirect(url: str) \-> Optional\[str\]:
        """Get the url from the google redirect."""
    
*   def url\_encode(url: str) \-> str:
        """Encode the URL using percent encoding (see https://en.wikipedia.org/wiki/Percent-escape)."""
    
*   def url\_decode(url: str) \-> str:
        """Decode a percent encoded URL (see https://en.wikipedia.org/wiki/Percent-escape)."""
    
*   def url\_base\_form(url: str) \-> str:
        """Get the base URL without a path, query strings, or other junk."""
    
*   def url\_rank(url: str) \-> int:
        """."""
    

**Development**

👋  If you want to get involved in this project, we have some short, helpful guides below:

*   contribute to this project 🥇
*   test it 🧪
*   lint it 🧹
*   explore it 🔭

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-42036: d8s-urls

The d8s-pdfs package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0.

**Project description**

**Democritus Pdfs**

      

Democritus functions\[1\] for working with PDFs.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

**Installation**

    pip install d8s-pdfs
    

**Usage**

You import the library like:

from d8s\_pdfs import \*

Once imported, you can use any of the functions listed below.

**Functions**

*   def pdf\_read(pdf\_path: str) \-> Iterable\[str\]:
        """Get the string from the PDF at the given path/URL."""
    

**Development**

👋  If you want to get involved in this project, we have some short, helpful guides below:

*   contribute to this project 🥇
*   test it 🧪
*   lint it 🧹
*   explore it 🔭

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-41387: d8s-pdfs

The d8s-utility package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0.

Democritus functions for working with URLs.

*   Project description
*   Project details
*   Release history
*   Download files

**Project description**

  

Democritus functions\[1\] for working with URLs.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

**Usage**

Coming soon...

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Project details**  

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution**

Close

**Hashes for democritus\_urls-2021.1.2501.tar.gz**

Hashes for democritus\_urls-2021.1.2501.tar.gz

Algorithm

Hash digest

SHA256

b829e62e43629fe7082ef108c36a7002bb02860a19d8b760257d92af6b13c3de

MD5

ff906539588371bd27c7ab381e0f4953

BLAKE2-256

ce6ada2bfa7fa8c51f5ad34d3934e524cf4a6b1e4f2b09ed23108b8476270bb6

CVE-2022-41386: democritus-urls

The d8s-html package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0.

**Project description**

**Democritus Html**

      

Democritus functions\[1\] for working with HTML.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

**Installation**

    pip install d8s-html
    

**Usage**

You import the library like:

from d8s\_html import \*

Once imported, you can use any of the functions listed below.

**Functions**

*   def html\_text(html\_content: StringOrBeautifulSoupObject) \-> str:
        """."""
    
*   def html\_unescape(html\_content: StringOrBeautifulSoupObject) \-> str:
        """."""
    
*   def html\_escape(html\_content: StringOrBeautifulSoupObject) \-> str:
        """."""
    
*   def html\_to\_markdown(html\_content: StringOrBeautifulSoupObject, \*\*kwargs) \-> str:
        """Convert the html string to markdown."""
    
*   def html\_find\_comments(html\_content: StringOrBeautifulSoupObject) \-> str:
        """Get a list of all of the comments in the html strings."""
    
*   def html\_soupify(html\_string: str, parser: str \= 'html.parser') \-> bs4.BeautifulSoup:
        """Return an instance of beautifulsoup with the html."""
    
*   def html\_remove\_tags(html\_content: StringOrBeautifulSoupObject) \-> bs4.BeautifulSoup:
        """."""
    
*   def html\_remove\_element(html\_content: StringOrBeautifulSoupObject, element\_tag: str) \-> bs4.BeautifulSoup:
        """."""
    
*   def html\_find\_css\_path(html\_content: StringOrBeautifulSoupObject, css\_path: str) \-> ListOfBeautifulSoupTags:
        """Find the given css\_path in the html\_content."""
    
*   def html\_elements\_with\_class(
        html\_content: StringOrBeautifulSoupObject, html\_element\_class: str
    ) \-> ListOfBeautifulSoupTags:
        """Find all elements with the given class from the html string."""
    
*   def html\_elements\_with\_id(html\_content: StringOrBeautifulSoupObject, html\_element\_id: str) \-> ListOfBeautifulSoupTags:
        """Find all elements with the given html\_element\_id from the html\_content."""
    
*   def html\_elements\_with\_tag(html\_content: StringOrBeautifulSoupObject, tag: str) \-> ListOfBeautifulSoupTags:
        """."""
    
*   def html\_headings\_table\_of\_contents(html\_content: StringOrBeautifulSoupObject) \-> ListOfBeautifulSoupTags:
        """."""
    
*   def html\_headings\_table\_of\_contents\_string(
        html\_content: StringOrBeautifulSoupObject, \*, indentation: str \= '  '
    ) \-> str:
        """."""
    
*   def html\_headings(html\_content: StringOrBeautifulSoupObject) \-> ListOfBeautifulSoupTags:
        """."""
    
*   def html\_to\_json(html\_content: StringOrBeautifulSoupObject, \*, convert\_only\_tables: bool \= False):
        """Convert the html to json using https://gitlab.com/fhightower/html-to-json."""
    
*   def html\_soupify\_first\_arg\_string(func):
        """Return a Beautiful Soup instance of the first argument (if it is a string)."""
    

**Development**

👋  If you want to get involved in this project, we have some short, helpful guides below:

*   contribute to this project 🥇
*   test it 🧪
*   lint it 🧹
*   explore it 🔭

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-41385: d8s-html

The d8s-domains package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0.

**Project description**

**Democritus Domains**

      

Democritus functions\[1\] for working with domains.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

**Installation**

    pip install d8s-domains
    

**Usage**

You import the library like:

from d8s\_domains import \*

Once imported, you can use any of the functions listed below.

**Functions**

*   def is\_domain(possible\_domain: str) \-> bool:
        """Check if the given string is a domain."""
    
*   def domain\_examples(n: int \= 10) \-> List\[str\]:
        """Create n domain names."""
    
*   def domains\_find(text: str, \*\*kwargs: bool) \-> List\[str\]:
        """Parse domain names from the given text."""
    
*   def domain\_dns(domain: str) \-> str:
        """Get the DNS results for the given domain."""
    
*   def domain\_certificate\_peers(domain: str) \-> List\[str\]:
        """Return a list of all domains sharing a certificate with the given domain."""
    
*   def domain\_whois(domain: str) \-> Optional\[Dict\[str, Any\]\]:
        """."""
    
*   def domain\_subdomains(domain\_name: str) \-> str:
        """Get the subdomains for the given domain name."""
    
*   def domain\_second\_level\_name(domain\_name: str) \-> str:
        """Get the second level name for the given domain name (e.g. google from https://google.co.uk)."""
    
*   def domain\_tld(domain\_name: str) \-> str:
        """Get the top level domain for the given domain name."""
    
*   def domain\_rank(domain\_name: str) \-> int:
        """."""
    
*   def domain\_is\_member(domain\_to\_check: str, domain\_base: str) \-> bool:
        """Given two domains, check if the first domain is a member of the second domain.
    A member means it is either the domain itself, or a subdomain of the domain."""
    
*   def domain\_as\_punycode(domain\_name: str) \-> str:
        """Convert the given domain name to Punycode (https://en.wikipedia.org/wiki/Punycode)."""
    
*   def domain\_as\_unicode(domain\_name: str) \-> str:
        """Convert a given domain name to Unicode (https://en.wikipedia.org/wiki/Unicode)."""
    
*   def tlds() \-> List\[str\]:
        """Get the top level domains from https://iana.org/."""
    
*   def is\_tld(possible\_tld: str) \-> bool:
        """Return whether or not the possible\_tld is a valid tld."""
    

**Development**

👋  If you want to get involved in this project, we have some short, helpful guides below:

*   contribute to this project 🥇
*   test it 🧪
*   lint it 🧹
*   explore it 🔭

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-41384: d8s-domains

The d8s-utility package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0.

**Project description**

**Democritus Utility**

      

Democritus functions\[1\] for working with utility functions.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

**Installation**

    pip install d8s-utility
    

**Usage**

You import the library like:

from d8s\_utility import \*

Once imported, you can use any of the functions listed below.

**Functions**

*   def copy\_first\_arg(func):
        """Decorator to make a copy of the first argument and pass into the func."""
    
*   def has\_more\_than\_one\_item(thing: Any) \-> bool:
        """Return whether or not the given thing has a length of at least one."""
    
*   def has\_one\_or\_more\_items(thing: Any) \-> bool:
        """Return whether or not the given thing has a length of at least one."""
    
*   def has\_one\_item(thing: Any) \-> bool:
        """Return whether or not the given thing has a length of at least one."""
    
*   def request\_or\_read(path):
        """If the given path is a URL, request the URL and return the content; if the path exists read the file.
    
    Otherwise, just return the string and assume it is the input itself."""
    
*   def request\_or\_read\_first\_arg(func):
        """If the first arg is a url - request the URL. If it is a file path, try to read the file.
    
    If it is neither a URL nor file path, return the content of the first arg."""
    
*   def is\_sorted(iterable, \*, descending: bool \= False) \-> bool:
        """Return whether or not the iterable is sorted."""
    
*   def first\_unsorted\_value(iterable, \*, descending: bool \= False) \-> Any:
        """Return the first unsorted value in the iterable."""
    
*   def last\_unsorted\_value(iterable, \*, descending: bool \= False) \-> Any:
        """Return the last unsorted value in the iterable."""
    
*   def unsorted\_values(iterable, \*, descending: bool \= False) \-> Iterable\[Any\]:
        """."""
    
*   def sorted\_values(iterable, \*, descending: bool \= False) \-> Iterable\[Any\]:
        """."""
    
*   def ignore\_errors(function, \*args, \*\*kwargs):
        """."""
    
*   def zip\_if\_same\_length(\*iterables, debug\_failure: bool \= False):
        """Zip the given iterables if they are the same length.
    
    If they are not the same length, raise an assertion error."""
    
*   def unique\_items(iterable\_a: Any, iterable\_b: Any) \-> Dict\[str, Set\[Any\]\]:
        """Find the values unique to iterable\_a and iterable\_b (relative to one another)."""
    
*   def prettify(thing: Any, \*args):
        """."""
    
*   def pretty\_print(thing: Any, \*args):
        """."""
    
*   def subprocess\_run(command, input\_\=None):
        """Run the given command as if it were run in a command line."""
    
*   def stringify\_first\_arg(func):
        """Decorator to convert the first argument to a string."""
    
*   def retry\_if\_no\_result(wait\_seconds\=10):
        """Decorator to call the given function and recall it if it returns nothing."""
    
*   def map\_first\_arg(func):
        """If the first argument is a list or tuple, iterate through each item in the list and send it to the function."""
    
*   def repeat\_concurrently(n: int \= 10):
        """Repeat the decorated function concurrently n times."""
    
*   def validate\_keyword\_arg\_value(
        keyword: str, valid\_keyword\_values: Iterable\[Any\], fail\_if\_keyword\_not\_found: bool \= True
    ):
        """Validate that the value for the given keyword is in the list of valid\_keyword\_values."""
    
*   def validate\_arg\_value(arg\_index: StrOrNumberType, valid\_values: Iterable\[Any\]):
        """Validate that the value of the argument at the given arg\_index is in the list of valid\_values."""
    
*   def wait\_and\_retry\_on\_failure(wait\_seconds\=10):
        """Try to call the given function.
    
    If there is an exception thrown by the function, wait for wait\_seconds and try again."""
    

**Development**

👋  If you want to get involved in this project, we have some short, helpful guides below:

*   contribute to this project 🥇
*   test it 🧪
*   lint it 🧹
*   explore it 🔭

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-41381: d8s-utility

The d8s-yaml package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0.

**Project description**

**Democritus Yaml**

      

Democritus functions\[1\] for working with YAML.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

**Installation**

    pip install d8s-yaml
    

**Usage**

You import the library like:

from d8s\_yaml import \*

Once imported, you can use any of the functions listed below.

**Functions**

*   def yaml\_files(path, \*, include\_yml\_extensions: bool \= False):
        """."""
    
*   def yaml\_read(yaml\_data: str):
        """."""
    
*   def is\_yaml(possible\_yaml\_data: str) \-> bool:
        """."""
    
*   def yaml\_write(data: Json, \*\*kwargs) \-> str:
        """."""
    
*   def yaml\_clean(yaml\_data: str) \-> str:
        """Standardize the given yaml data."""
    
*   def yaml\_standardize(yaml\_data: str) \-> str:
        """Standardize the given yaml data by reading and writing it."""
    
*   def yaml\_sort(yaml\_data: str) \-> str:
        """."""
    

**Development**

👋  If you want to get involved in this project, we have some short, helpful guides below:

*   contribute to this project 🥇
*   test it 🧪
*   lint it 🧹
*   explore it 🔭

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-41380: d8s-yaml

The operators behind the BazaCall call back phishing method have continued to evolve with updated social engineering tactics to deploy malware on targeted networks.
The scheme eventually acts as an entry point to conduct financial fraud or the delivery of next-stage payloads such as ransomware, cybersecurity company Trellix said in a report published last week.
Primary targets of the latest

The operators behind the BazaCall call back phishing method have continued to evolve with updated social engineering tactics to deploy malware on targeted networks.

The scheme eventually acts as an entry point to conduct financial fraud or the delivery of next-stage payloads such as ransomware, cybersecurity company Trellix said in a report published last week.

Primary targets of the latest attack waves include the U.S., Canada, China, India, Japan, Taiwan, the Philippines, and the U.K.

BazaCall, also called BazarCall, first gained popularity in 2020 for its novel approach of distributing the BazarBackdoor (aka BazarLoader) malware by manipulating potential victims into calling a phone number specified in decoy email messages.

These email baits aim to create a false sense of urgency, informing the recipients about renewal of a trial subscription for, say, an antivirus service. The messages also urge them to contact their support desk to cancel the plan, or risk getting automatically charged for the premium version of the software.

The ultimate goal of the attacks is to enable remote access to the endpoint under the guise of terminating the supposed subscription or installing a security solution to rid the machine of malware, effectively paving the way for follow-on activities.

Another tactic embraced by the operators involves masquerading as incident responders in PayPal-themed campaigns to deceive the caller into thinking that their accounts were accessed from eight or more devices spread across random locations across the world.

Regardless of the scenario employed, the victim is prompted to launch a specific URL – a specially crafted website designed to download and execute a malicious executable that, among other files, also drops the legitimate ScreenConnect remote desktop software.

A successful persistent access is followed by the attacker opening fake cancellation forms that ask the victims to fill out personal details and sign in to their bank accounts to complete the refund, but in reality are fooled into sending the money to the scammer.

The development comes as at least three different spinoff groups from the Conti ransomware cartel have embraced the call back phishing technique as an initial intrusion vector to breach enterprise networks.

The ties to Conti don't end there. BazarBackdoor, for its part, is the creation of a cybercrime group known as TrickBot, which was taken over by Conti earlier this year before the latter's shutdown in May-June 2022 over its allegiance to Russia in its assault on Ukraine.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

BazarCall Callback Phishing Attacks Constantly Evolving Its Social Engineering Tactics

By Deeba Ahmed
The phishing email, which was marked as safe by Microsoft, was aimed at 21,000 users of a national healthcare firm.
This is a post from HackRead.com Read the original post: Zoom Phishing Scam Steals Microsoft Exchange Credentials

The IT security researchers at Armorblox have revealed a new phishing attack in which scammers spoofed Zoom users to steal their **Microsoft Exchange credentials**.

For your information, Microsoft Exchange Server is a mail and calendaring server used by millions of companies worldwide. This makes it a lucrative target for cybercriminals.

**Scam Overview**

According to cybersecurity firm Armorblox, the email-based attack used a socially engineered payload that easily tricked the Microsoft Exchange email security mechanism. These include Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication Reporting & Conformance.

The email stated that two messages were to be checked on **Zoom**. The email also contained a malicious link with a call-to-action button. There was another malicious link for the unsubscribe button.

If the recipient clicked the call-to-action button, it opened a **fake landing page**, designed as a legit Microsoft landing screen. The user is then asked to enter their Microsoft credentials to check the unread Zoom messages.

The phishing email, which was marked as safe by Microsoft, was aimed at 21,000 users of a national healthcare firm.

**Why Zoom?**

Since COVID-19, **Zoom has been a prime target** for crooks and threat actors around the world. In this case, the scammers also exploited Zoom’s popularity and brand identity to steal credentials. They replicated the genuine Zoom logo and branding intricacies to create a sense of trust among users.

According to Armorblox’s **blog post**, the email title/subject line (For on Today, 2022) and design were socially engineered to instill a sense of urgency. The attackers used the user’s actual name in the recipient section.

The threat attackers also utilized a valid domain, which displayed a ‘trustworthy’ reputation score with just one infection reported in the last 12 months. The fake landing page automatically entered the recipient’s email address in the username field to trick them into believing it to be a valid page. If the user fell for this trap, their credentials were quickly captured.

**How to Stay Protected?**

Armorblox promptly acted and blocked the emails from reaching unsuspecting recipients. However, you must remain vigilant to avoid becoming a phishing scam victim. Always use layered security mechanisms apart from your native email security tools.

Furthermore, closely scrutinize messages rather than immediately responding to messages from unverified sources. Check the sender name, email ID, and the message’s language to find inconsistencies or typo errors.

Lastly, never use one password on multiple sites because if one account is hacked, all others will become vulnerable. Multi-factor authentication is essential to ensure the attacker cannot sign in using hacked credentials.

1.  Prometei botnet uses NSA exploit, hits MS exchange servers
2.  Unpatched Microsoft Exchange Servers Hit By Phishing Attack
3.  Malicious IIS Extensions Used in Backdooring Exchange Servers
4.  Spam Attack Abuses OAuth Apps Against MS Exchange Servers
5.  Ransomware Gang hits Exchange Servers with ProxyShell exploits

Zoom Phishing Scam Steals Microsoft Exchange Credentials

A new piece of research has detailed the increasingly sophisticated nature of the malware toolset employed by an advanced persistent threat (APT) group named Earth Aughisky.
"Over the last decade, the group has continued to make adjustments in the tools and malware deployments on specific targets located in Taiwan and, more recently, Japan," Trend Micro disclosed in a technical profile last week

A new piece of research has detailed the increasingly sophisticated nature of the malware toolset employed by an advanced persistent threat (APT) group named **Earth Aughisky**.

"Over the last decade, the group has continued to make adjustments in the tools and malware deployments on specific targets located in Taiwan and, more recently, Japan," Trend Micro disclosed in a technical profile last week.

Earth Aughisky, also known as Taidoor, is a cyber espionage group that's known for its ability to abuse legitimate accounts, software, applications, and other weaknesses in the network design and infrastructure for its own ends.

While the Chinese threat actor has been known to primarily target organizations in Taiwan, victimology patterns observed towards late 2017 indicate an expansion to Japan.

The most commonly targeted industry verticals include government, telcom, manufacturing, heavy, technology, transportation, and healthcare.

Attack chains mounted by the group typically leverage spear-phishing as a method of entry, using it to deploy next-stage backdoors. Chief among its tools is a remote access trojan called Taidoor (aka Roudan).

The group has also been linked to a variety of malware families, such as GrubbyRAT, K4RAT, LuckDLL, Serkdes, Taikite, and Taleret, as part of its attempts to consistently update its arsenal to evade security software.

Some of the other notable backdoors employed by Earth Aughisky over the years are as follows -

*   SiyBot, a basic backdoor that uses public services like Gubb and 30 Boxes for command-and-control (C2)
*   TWTRAT, which abuses Twitter's direct message feature for C2
*   DropNetClient (aka Buxzop), which leverages the Dropbox API for C2

Trend Micro's attribution of the malware strains to the threat actor is based on the similarities in source code, domains, and naming conventions, with the analysis also uncovering functional overlaps between them.

The cybersecurity firm also linked the activities of Earth Aughisky to another APT actor codenamed by Airbus as Pitty Tiger (aka APT24) based on the use of the same dropper in various attacks that transpired between April and August 2014.

2017, the year when the group set its sights on Japan and Southeast Asia, has also been an inflection point in the way the volume of the attacks has exhibited a significant decline since then.

Despite the longevity of the threat actor, the recent shift in targets and activities likely suggests a change in strategic objectives or that the group is actively revamping its malware and infrastructure.

"Groups like Earth Aughisky have sufficient resources at their disposal that allow them the flexibility to match their arsenal for long-term implementations of cyber espionage," Trend Micro researcher CH Lei said.

"Organizations should consider this observed downtime from this group's attacks as a period for preparation and vigilance for when it becomes active again."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#backdoor