Security Affairs
JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Malware campaign employs fake security certificate updates

Crooks are using a new phishing technique to trick victims into accepting the installation of a security certificate update and deliver malware. Security experts from Kaspersky Lab discovered spotted a new attack technique used by crooks to distribute malware by tricking victims into installing a malicious “security certificate update” when they visit compromised websites. We […]

mokes buerak fake certificates

Crooks are using a new phishing technique to trick victims into accepting the installation of a security certificate update and deliver malware.

Security experts from Kaspersky Lab discovered spotted a new attack technique used by crooks to distribute malware by tricking victims into installing a malicious “security certificate update” when they visit compromised websites.

We have already observed threat actors distributing malware masqueraded by legitimate software updates. The new technique differs from previous ones because visitors to infected websites are asked to install a software update because the security certificate had expired.

we recently discovered a new approach to this well-known method: visitors to infected sites were informed that some kind of security certificate had expired. Unsurprisingly, the update on offer was malicious.” reads the report published Kaspersky.

“We detected the infection on variously themed websites — from a zoo to a store selling auto parts. The earliest infections found date back to January 16, 2020.”

The attackers that are using this new technique compromised a variety of websites, ranging from a zoo to an e-store selling vehicle parts. The first infections employed in these attacks date back to January 16, 2020. 

The compromised websites display a message claiming the website’s security certificate is expired and urge visitors to install a “security certificate update” to correctly view the content of the website. 

The message is contained within an iframe and content is loaded via a ldfidfa[.]pw/jquery.js script from a third-party server.

While the script is loaded, the URL bar still displays the legitimate address.

“The jquery.js script overlays an iframe that is exactly the same size as the page,” continues the analysis. “As a result, instead of the original page, the user sees a seemingly genuine banner urgently prompting to install a certificate update.”

Once the victim clicked on the update button, a file is downloaded (Certificate_Update_v02.2020.exe). 

The executable unpacks and installs one of two malware variants to the victim, tracked as Mokes and Buerak. 

The Mokes backdoor allows hackers to execute arbitrary commands on the victim’s computer, it works on Linux, Windows and also OS X.

Buerak is a Windows-based Trojan that implements backdoor capabilities and anti-analysis techniques. 

Kaspersky experts included in their analysis the Indicators of Compromise (IoCs).

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, undersea cables)

[adrotate banner=”5″]

[adrotate banner=”13″]