
· One min read
Yevgeniy Goncharov

FortiGuard Labs recently came across files that look suspicious, even during a cursory review. Our subsequent investigation confirmed that the files are malicious and revealed there is more to them than meets the eye: they are a previously unseen infostealer we have named “ThirdEye”. While this malware is not considered sophisticated, it’s designed to steal various information from compromised machines that can be used as stepping-stones for future attacks.

Prevent ThirdEye Infostealer

The ThirdEye infostealer has relatively simple functionality. It harvests various system information from compromised machines, such as BIOS and hardware data. It also enumerates files and folders, running processes, and network information. Once the malware is executed, it gathers all this data and sends it to its command-and-control (C2) server hosted at (hxxp://shlalala[.]ru/general/ch3ckState). And unlike most other malware, it does nothing else.

One interesting string unique to the ThirdEye infostealer family (from which we derived its name) is "3rd_eye", which it decrypts and uses with another hash value to identify itself to the C2.

See more details on FortiGuard Labs

· One min read
Yevgeniy Goncharov

Trojanized Super Mario Game Installer Spreads SupremeBot Malware

Prevent Trojanized Super Mario

According to the Cyble blog post, the malware distributed as java.exe is an XMR (Monero) miner that operates stealthily in the background without the user’s knowledge or consent, leading to unauthorized and potentially harmful use of computing resources to mine the cryptocurrency Monero (XMR).

When “java.exe” is executed, the malware establishes a connection with a mining server gulf[.]moneroocean[.]stream to carry out cryptocurrency mining activities.

Concurrently, the malware gathers valuable data from the victim’s system, including computer name, username, GPU, CPU, and other relevant details. This sensitive information is then transferred to a Command and Control (C&C) server via the following URL API:

hxxp://shadowlegion[.]duckdns[.]org/nam/api/endpoint[.]php

Be careful and watch what your children play and what applications they install 🧩 on their devices 📲
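As an added example (not code from the original posts, nor from FortiGuard or Cyble), the script below refangs the C2 and mining-pool indicators quoted in the ThirdEye and SupremeBot posts above, builds a suffix-matching domain blocklist from them in the spirit of OpenBLD's DNS blocklists, and flags matching queries in constructed dnsmasq-style log lines. The log format and client IPs are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the two posts above, in their defanged form.
DEFANGED_IOCS = [
    "hxxp://shlalala[.]ru/general/ch3ckState",                     # ThirdEye C2
    "gulf[.]moneroocean[.]stream",                                  # SupremeBot mining pool
    "hxxp://shadowlegion[.]duckdns[.]org/nam/api/endpoint[.]php",  # SupremeBot C&C
]

def refang(ioc: str) -> str:
    """Turn defanged notation (hxxp://, [.]) back into a real URL or hostname."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.I)

def ioc_host(ioc: str) -> str:
    """Lowercase hostname of a (defanged) URL or bare domain indicator."""
    s = refang(ioc)
    return urlsplit(s if "://" in s else "//" + s).hostname.lower()

# Set of blocked domains; matching is by domain suffix, see is_blocked().
BLOCKLIST = {ioc_host(i) for i in DEFANGED_IOCS}

def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if qname or any parent domain is listed (www.shlalala.ru hits shlalala.ru)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

# Constructed sample lines in dnsmasq query-log format (not real traffic).
SAMPLE_LOG = """\
Jun 27 10:01:02 dnsmasq[512]: query[A] update.microsoft.com from 192.168.1.20
Jun 27 10:01:05 dnsmasq[512]: query[A] gulf.moneroocean.stream from 192.168.1.33
Jun 27 10:01:09 dnsmasq[512]: query[A] www.shlalala.ru from 192.168.1.20
Jun 27 10:02:41 dnsmasq[512]: query[AAAA] shadowlegion.duckdns.org from 192.168.1.33
Jun 27 10:02:50 dnsmasq[512]: query[A] notshlalala.ru from 192.168.1.20
"""
LOG_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")

def scan_log(text: str, blocklist=BLOCKLIST):
    """Return (client_ip, queried_name) for every query that hits the blocklist."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and is_blocked(m.group(1), blocklist):
            hits.append((m.group(2), m.group(1)))
    return hits

if __name__ == "__main__":
    for ip, name in scan_log(SAMPLE_LOG):
        print(f"{ip} queried blocklisted domain {name}")
```

Note that `notshlalala.ru` is not flagged: matching is on whole DNS labels, so a lookalike domain that merely contains the string is not a false positive.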

· One min read
Yevgeniy Goncharov

Introduction

In the realm of OpenBLD.net DNS, we're excited to introduce OpenBLD+ mode, a feature designed to take our and your experience to the next level.

Powered by Your Support: Our project thrives thanks to the support of users like you. Today you have the opportunity to subscribe for just $3+ and, in return, gain access to a host of exclusive benefits:

  • Enhanced Website Delivery Speed: Enjoy faster website/domain delivery to OpenBLD.net DNS users.
  • Company Logo or Nickname on Project Site: Showcase your company's logo or your nickname on our project site with a link to your website or social profile.
  • Unlimited Access for Dedicated IPs: Benefit from unlimited access for dedicated IPs.
  • Personal Support: Receive assistance in investigating cybersecurity incidents.
  • Have Questions or Suggestions? We're all ears. Feel free to reach out to us via Contacts with any questions or suggestions you may have.

Unlock a World of Benefits with OpenBLD+ and elevate our and your online experience.

Join us today!

· 2 min read
Yevgeniy Goncharov

Introduction

Phishing has risen to become the most common attack targeting end users and organizations. Among its many forms is "SMiShing", which targets users through SMS messages.

SMiShing Attacks

Today, we've noticed a SMiShing campaign in Kazakhstan, where a seemingly innocent link leads to a fake website that mimics the KazPost website, the official postal service of Kazakhstan. Several indicators give it away:

  • The sender's country code
  • The target website
  • The fact that the package was never ordered

SMiShing Attacks

The provided link directs users to a phishing page designed to imitate post.kz, the official website of the postal service in Kazakhstan.

Recommendation

We strongly advise against responding to such SMS messages. If you have any doubts or concerns, it's best to contact your nearest post office to clarify the details, especially if you did not order a package that coincides with the SMS.

Taking Action

Rest assured that we've promptly added this resource to our shared blocklists and locked it within the OpenBLD DNS system. Your online safety is our top priority.

Conclusion: In these times of increasing digital threats, let's remain vigilant and protect ourselves and our online experiences. Together with OpenBLD.net DNS, we can strive for a safer online environment. Peace ✌️