
New Windows threat: CyberEYE virus can disable Microsoft Defender to steal your data

Cyfirma researchers are warning Windows users: they say they have found traces of a new piece of malware targeting the operating system, called CyberEYE. It is a Trojan horse with a remote access module that allows hackers to take control of a computer.

The malware is being widely distributed through Telegram channels, a favorite haunt of cybercriminals, and public GitHub repositories. Two hackers, who go by the names @cisamul23 and @CodQu, are behind the malware. They offer it to other cybercriminals for a subscription fee. The virus stands out for its ease of use.

The virus's main purpose is to steal victims' personal data, especially credentials, private keys linked to crypto wallets, and Wi-Fi passwords. The data is exfiltrated by a Telegram bot developed by cybercriminals. This is why the virus is sometimes called TelegramRAT.

How does CyberEYE neutralize Microsoft Defender?

CyberEYE's main advantage is its ability to disable Microsoft Defender, the default antivirus on Windows computers. To neutralize it, the virus directly modifies the Windows registry. By changing values in the registry, the malware can switch off key antivirus functions. It first targets tamper protection, the safeguard that is supposed to prevent the antivirus from being disabled. To complete the Defender deactivation, CyberEYE then executes PowerShell commands that block the other protections offered by the antivirus.

With this dual offensive, CyberEYE ensures that Windows Defender's defenses are completely neutralized, even those that would have resisted registry modifications. The entire process takes place without the user suspecting anything. Once the antivirus is paralyzed, the virus is free to steal user data with impunity.

Note that CyberEYE also has a host of persistence mechanisms intended to keep the virus firmly established on the computer. According to Cyfirma, CyberEYE is a "new persistent threat" that puts Windows computers at risk, and the researchers expect "new variants" of the virus to be developed rapidly by cybercriminals, increasing the risks for users.

Cyfirma does not specify how the malware spreads to computers. The infection method likely depends on the hackers using the virus.
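The two-step disablement described above (registry changes against tamper protection, then PowerShell against the remaining protections) leaves traces an administrator can check for. The following audit script is an added example, not code from Cyfirma's report or from the malware; it assumes Windows 10/11 with the built-in Defender PowerShell module and is run from an elevated prompt.

```powershell
# Added audit script (not from Cyfirma's report): checks whether Microsoft Defender's
# tamper protection and core protections are still on, whether the documented policy
# registry values that can switch them off have been written, and whether Defender's
# own Operational log recorded a protection being disabled. Run as Administrator.

$findings = @()

# 1. Live status as reported by the Defender service itself.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected)         { $findings += 'Tamper protection is OFF' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is OFF' }
if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Behavior monitoring is OFF' }
if (-not $status.IoavProtectionEnabled)     { $findings += 'IOAV (download/attachment) scanning is OFF' }
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine reports disabled' }

# 2. Policy registry values. A non-zero value here disables the corresponding protection;
#    on a machine with no Defender group policy these values normally do not exist at all.
$policyChecks = @{
  'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' =
      @('DisableAntiSpyware', 'DisableAntiVirus')
  'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' =
      @('DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
        'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable')
}
foreach ($key in $policyChecks.Keys) {
  if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    foreach ($name in $policyChecks[$key]) {
      $v = $props.$name
      if ($null -ne $v -and $v -ne 0) { $findings += "Registry policy $key\$name = $v" }
    }
  }
}

# 3. Defender Operational log, last 7 days: 5001 = real-time protection disabled,
#    5010 = anti-spyware scanning disabled, 5012 = antivirus scanning disabled.
$events = Get-WinEvent -FilterHashtable @{
  LogName   = 'Microsoft-Windows-Windows Defender/Operational'
  Id        = 5001, 5010, 5012
  StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
  $findings += "Event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])"
}

if ($findings.Count -eq 0) { 'Defender protections and policies look intact.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Any hit in sections 1 or 2 on a machine where no administrator deliberately disabled Defender warrants the same incident-response handling as a confirmed infection, since a paralyzed antivirus is exactly the state the article describes.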

Source: Cyfirma
