Category: Uncategorized

Former Malaysian Prime Minister Najib Razak has been jailed for 15 years for abuse of power and money laundering, in his second major trial for a multi-billion-dollar state funds scandal.

Najib, 72, was accused of misappropriating nearly 2.3 billion Malaysian ringgit ($569m; £422m) from the nation’s sovereign wealth fund 1Malaysia Development Berhad (1MDB).

On Friday afternoon a judge found him guilty in four charges of abuse of power and 21 charges of money laundering.

The former PM is already in jail after he was convicted years ago in another case related to 1MDB.

Friday’s verdict comes after seven years of legal proceedings, which saw 76 witnesses called to the stand.

The verdict, delivered in Malaysia’s administrative capital Putrajaya, is the second blow in the same week to the embattled former leader, who has been imprisoned since 2022.

He was handed four 15-year sentences on abuse of power charges, as well as five years each on 21 money laundering charges. The jail terms run concurrently under Malaysian law.

On Monday, the court rejected his application to serve the remainder of his sentence under house arrest.

But the former prime minister retains a loyal base of supporters, who claim that he’s a victim of unfair rulings and who have showed up at his trials calling for his release.

On Friday, dozens of people gathered outside the court in Putrajaya in support of Najib.

The 1MDB scandal made headlines across the world when it came to light a decade ago, embroiling prominent figures from Malaysia to Goldman Sachs and Hollywood.

Investigators estimated that $4.5bn was siphoned from the state-owned wealth fund into private pockets, including Najib’s.

Najib’s lawyers claim that he had been misled by his advisers – in particular the financier Jho Low, who has maintained his innocence but remains at large.

But the argument has not convinced Malaysia’s courts, which previously found Najib guilty of embezzlement in 2020.

That year, Najib was convicted of abuse of power, money laundering and breach of trust over 42 million ringgit ($10m; £7.7m) transferred from SRC International – a former unit of 1MDB – into his private accounts.

He was sentenced to 12 years in prison, but saw his jail term halved last year.

The latest case concerns a larger sum of money, also tied to 1MDB, received by his personal bank account in 2013. Najib said he had believed the money was a donation from the late Saudi King Abdullah – a claim rejected by the judge on Friday.

Separately Najib’s wife, Rosmah Mansor, was sentenced to ten years in jail in 2022 for bribery. She is free on bail pending an appeal against her conviction.

The scandal has had profound repercussions on Malaysian politics. In 2018 it led to a historic election loss for Najib’s Barisan Nasional coalition, which had governed the country since its independence in 1957.

Now, the recent verdicts has highlighted fissures in Malaysia’s ruling coalition, which includes Najib’s party United Malays National Organisation (UMNO).

Najib’s failed house arrest bid on Monday was met with disappointment from his allies but celebrated by his critics within the same coalition.

Malaysia’s Prime Minister Anwar Ibrahim called for politicians on all sides to respect the court’s decisions.

Former Malaysian lawmaker Tony Pua told the BBC’s Newsday programme that the verdict would “send a message” to the country’s leaders, that “you can get caught for corruption even if you’re number one in the country like the prime minister”.

But Cynthia Gabriel, founding director of Malaysia’s Center to Combat Corruption and Cronyism, argued that the country has made little headway in anti-corruption efforts despite the years of reckoning after the 1MDB scandal.

Public institutions have not been strengthened enough to reassure Malaysians that “the politicians they put into power would actually serve their interests” instead of “their own pockets”, she told Newsday.

“Grand corruption continues in different forms”, she added. “We don’t know at all if another 1MDB could occur, or may have already occurred.”

Magen David Adom

A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India.

The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group called Evasive Panda, which is tracked as Bronze Highland, Daggerfly, and StormBamboo. It’s assessed to be active since at least 2012.

“The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims,” Kaspersky researcher Fatih Şensoy said in a deep-dive analysis. “These included techniques such as dropping loaders into specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests.”

This is not the first time Evasive Panda’s DNS poisoning capabilities have come to the fore. As far back as April 2023, ESET noted that the threat actor may have either carried out a supply chain compromise or an AitM attack to serve trojanized versions of legitimate applications like Tencent QQ in an attack targeting an international non-governmental organization (NGO) in Mainland China.

In August 2024, a report from Volexity revealed how the threat actor compromised an unnamed internet service provider (ISP) by means of a DNS poisoning attack to push malicious software updates to targets of interest.

Evasive Panda is also one of the many China-aligned threat activity clusters that have relied on AitM poisoning for malware distribution. In an analysis last month, ESET said it’s tracking 10 active groups from China that have leveraged the technique for initial access or lateral movement, including LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon, and FontGoblin.

In the attacks documented by Kaspersky, the threat actor has been found to make use of lures that masquerade as updates for third-party software, such as SohuVA, a video streaming service from the Chinese internet company Sohu. The malicious update is delivered from the domain “p2p.hd.sohu.com[.]cn,” likely indicating a DNS poisoning attack.

“There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package,” Şensoy explained.

The Russian cybersecurity vendor said it also identified other campaigns in which Evasive Panda utilized a fake updater for Baidu’s iQIYI Video, as well as IObit Smart Defrag and Tencent QQ.

The attack paves the way for the deployment of an initial loader that’s responsible for launching shellcode that, in turn, fetches an encrypted second-stage shellcode in the form of a PNG image file, again by means of DNS poisoning from the legitimate website dictionary[.]com.

Evasive Panda is said to have manipulated the IP address associated with dictionary[.]com, causing victim systems to resolve the website to an attacker-controlled IP address based on their geographical location and internet service provider.

It’s currently not known how the threat actor is poisoning DNS responses. But two possible scenarios are suspected: either the ISPs used by the victims were selectively targeted and compromised to install some kind of a network implant on edge devices, or a router or firewall used by the victims was hacked for this purpose.

The HTTP request to obtain the second-stage shellcode also contains the current Windows version number. This is likely an attempt on the part of the attackers to target specific operating system versions and adapt their strategy based on the operating system used. It’s worth noting that Evasive Panda has previously leveraged watering hole attacks to distribute an Apple macOS malware codenamed MACMA.

The exact nature of the second-stage payload is unclear, but Kaspersky’s analysis shows that the first-stage shellcode decrypts and runs the retrieved payload. It’s assessed that the attackers generate a unique encrypted second shellcode file for each victim as a way to bypass detection.

A crucial aspect of the operations is the use of a secondary loader (“libpython2.4.dll”) that relies on a renamed, older version of “python.exe” to be sideloaded. Once launched, it downloads and decrypts the next-stage malware by reading the contents of a file named “C:\ProgramData\Microsoft\eHome\perf.dat.” This file contains the decrypted payload downloaded from the previous step.

“It appears that the attacker used a complex process to obtain this stage from a resource, where it was initially XOR-encrypted,” Kaspersky said. “The attacker then decrypted this stage with XOR and subsequently encrypted and saved it to perf.dat using a custom hybrid of Microsoft’s Data Protection Application Programming Interface (DPAPI) and the RC5 algorithm.”

The use of a custom encryption algorithm is seen as an attempt to complicate analysis by ensuring that the encrypted data can only be decoded on the specific system where the encryption was initially performed and block any efforts to intercept and analyze the malicious payload.

The decrypted code is an MgBot variant that’s injected by the secondary loader into a legitimate “svchost.exe” process. A modular implant, MgBot, is capable of harvesting files, logging keystrokes, gathering clipboard data, recording audio streams, and stealing credentials from web browsers. This enables the malware to maintain a stealthy presence in compromised systems for long periods of time.

“The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems,” Kaspersky said.