Search This Blog

Showing posts with label Credential stealing. Show all posts

UBEL is the Android Malware Successor to Oscorp

 

As part of a fresh campaign that began in May 2021, an Android malware that was discovered misusing accessibility features in the device to steal user credentials from European banking applications has morphed into an altogether new botnet. Oscorp, a mobile malware built to attack several financial targets with the purpose of stealing funds from unsuspecting users, was revealed by Italy's CERT-AGID in late January. 

The Oscorp malware, like other Android malware, convinces users to provide them access to the Android Accessibility Service, which allows them to read text on the phone screen, determine an app installation prompt, traverse through the permission list, and install apps on the user's behalf. “Not being able to access the private files of other applications, the actions of these malicious apps are “limited” to the theft of credentials through phishing pages, to blocking the device and possibly to the capture of audio and video,” read the advisory published by Italy’s CERT-AGID. 

Malicious SMS messages were used to spread the malware, with attackers pretending as bank operators to deceive targets over the phone and secretly get access to the infected device using WebRTC protocol, allowing them to execute unlawful bank transfers. While no fresh activities have been detected since then, it appears as Oscorp has returned after a brief hiatus in the shape of the UBEL Android botnet. 

"By analysing some related samples, we found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source-code appears to be shared between multiple [threat actors]," Italian cybersecurity company Cleafy said on Tuesday, charting the malware's evolution. 

UBEL, like its predecessor, is marketed on underground forums for $980 and asks for invasive permissions that allow it to read and send SMS messages, record audio, install and delete apps, initiate itself automatically after system boot, and exploit Android accessibility services to collect confidential data such as login credentials and two-factor authentication codes, the results of which are exfiltrated back to a remote server. 

Once installed on the system, the malware tries to disguise itself as a service and hide its presence from the target, allowing for long-term persistence. Surprisingly, using WebRTC to communicate with the hijacked Android phone in real-time eliminates the requirement to enroll a new device and take over an account in order to commit fraud. 

"The main goal for this [threat actor] by using this feature, is to avoid a 'new device enrolment', thus drastically reducing the possibility of being flagged 'as suspicious' since device's fingerprinting indicators are well-known from the bank's perspective," the researchers said.

Fake Chrome App is Being Used as Part of a Cyberattack Campaign

 

According to researchers at cybersecurity company Pradeo, a new Android malware has been discovered that imitates the Google Chrome software and has already infected hundreds of thousands of smartphones. The hazard has been labeled a "Smishing Trojan" by the researchers. 
 
According to the researchers, the false Google Chrome app is part of a smartphone attack campaign that uses phishing to steal your credit card information. By downloading the fake software, the device becomes a part of the attack campaign as well. 

“The malware uses victims’ devices as a vector to send thousands of phishing SMS. We evaluate that the speed at which it is spreading has enabled it to already target hundreds of thousands of people in the last weeks. ”, said the researchers in their ‘Security Alert’ post on their website. 

The assault begins with a simple "smishing" gambit, according to Pradeo researchers: targets receive an SMS text telling them to pay "custom fees" to open a package delivery. If they fall for it and press, a message appears informing them that the Chrome app needs to be updated. If they accept the order, they'll be directed to a malicious website that hosts the phony app. It is, in reality, ransomware that is downloaded into their phones. 

After the ostensible "update," victims are directed to a phishing list, which completes the social engineering: According to the study, they are asked to pay a small sum (usually $1 or $2) in a less-is-more strategy, which is of course just a front to collect credit card information.

“Attackers know that we’re accustomed to receiving alerts of all types on our smartphones and tablets,” Hank Schless, senior manager of security solutions at Lookout said. “They take advantage of that familiarity to get mobile users to download malicious apps that are masked as legitimate ones.” 

The campaign is especially risky, according to Pradeo researchers, because it combines an effective phishing tactic, dissemination malware, and multiple security-solution bypasses. “The attack could be the work of a regular level but very ingenuous cybercriminal,” Pradeo’s Roxane Suau said. “All the techniques (code concealment, smishing, data theft, repackaging…) used separately are not advanced, but combined they create a campaign that is hard to detect, that spreads fast and tricks many users.”

Fake Microsoft DirectX 12 Distributes Malware

 

Cybercriminals have built a bogus Microsoft DirectX 12 download page in order to spread ransomware that steals cryptocurrency wallets and passwords. Despite the fact that the website has a contact form, a privacy policy, a disclaimer, and a DMCA infringement page, the website and the services it distributes are not valid.

Users will be routed to an external website when they press the Download buttons, which will prompt them to download a file. You'll be sent a file called '6080b4 DirectX-12-Down.zip' [VirusTotal] or '6083040a Disclaimer.zip' [VirusTotal] depending on whether you want the 32-bit or 64-bit edition. All of these files contribute to malware that attempts to steal files, passwords, and cryptocurrency wallets from their victims.

When the bogus DirectX 12 installers are launched, they silently download and execute malware from a remote site, as discovered by security researcher Oliver Hough. This malware is a data-stealing Trojan that tries to snatch a victim's cookies, directories, device records, installed programs, and even a snapshot of the current desktop. The malware authors are attempting to steal a number of cryptocurrency wallets for Windows applications, including Ledge er Live, Waves.Exchange, Coinomi, Electrum, Electron Cash, BTCP Electrum, Jaxx, Exodus, MultiBit HD, Aomtic, and Monero. 

All of the information is gathered in a %Temp% folder, which the malware will zip up and give back to the attacker. The data will then be analysed and used for other nefarious purposes by the attack. To spread malware, threat actors are rapidly building fake websites, some of which are much more persuasive than others.

Ficker ransomware is already spreading across websites impersonating Microsoft Store and Spotify, according to ESET. Details and user accounts stored in web browsers, email applications, and FTP clients are stolen by the malware. It can even rob from your bitcoin wallet, exfiltrate documents, and take screenshots of your running applications. 

As part of a larger ransomware campaign targeting cybersecurity experts, the Lazarus Group has set up a bogus protection firm and social media accounts. For a fictitious Turkish business called SecuriElite, the attackers built a website, as well as a Twitter and LinkedIn account. When the Google security team was focusing on tracking down the state-backed hackers, the firm was allegedly providing offensive security services.

Logins for 1.3 million Windows Remote Desktop Servers Leaked by UAS

 

UAS, the biggest hacker platform for hacked RDP credentials, has leaked the login names and passwords for 1.3 million new and previously infected Windows Remote Desktop servers. Researchers get an insight into a bustling cybercrime economy for the first time thanks to this huge leak of stolen remote access credentials, and they can use the evidence to tie up loose ends from past cyberattacks. 

The Remote Desktop Protocol (RDP) is a stable, interoperable protocol that allows network terminals to build and maintain secure connections between clients and servers or virtual machines. RDP is the most sought-after listing by cybercriminals because it works through many Windows operating systems and applications. Criminals will gain access to an entire business network by launching their attack with completely valid login credentials. This allows the offenders to remotely monitor a device because the system will not know the nefarious activities. After all, no authentication measures will be used, enabling the criminals to have complete and unrestricted access. 

UAS, or ‘Ultimate Anonymity Services,' is a website that offers Windows Remote Desktop login credentials, leaked Social Security numbers, and SOCKS proxy server access. UAS stands out as a wide marketplace that also provides manual authentication of sold RDP account credentials, customer service, and advice about how to keep remote access to a compromised device. 

"The market functions partially like eBay - a number of Suppliers work with the market. They have a separate place to log in and upload the RDPs they hacked. The system will then verify them, collect information about each one (os, admin access? internet speed, CPU, memory etc etc), which is added to the listing. The supplier interface provides real time stats for the suppliers (what sold, what didn't, what was sold but a refund was asked for, etc). They also provide support if for some reason what you bought doesn't work. They do take customer support seriously," a security researcher who wishes to remain anonymous told. 

Threat actors can scan for compromised computers in a specific country, state, area, zip code, ISP, or operating system while buying stolen RDP accounts, helping them to locate the specific server they need.

Fake Microsoft Store, Spotify Distribute Malware to Steal User Data

 

Attackers are promoting sites that imitate the Microsoft Store, Spotify, and an online document converter to spread malware that steals credit cards and passwords stored in web browsers. ESET, a cybersecurity company, detected the attack and posted an alert on Twitter to be on the lookout for the malicious campaign. 

On both desktops and mobile devices, Windows remains vulnerable to a significant number of malware threats, at least more than its peers and competitors. Despite having an official app store, it is almost too easy to infect a Windows PC by merely installing an app. Microsoft advises users to only download applications from the company's official networks, however, some hackers are taking advantage of this by posing as legitimate companies. Microsoft Store is an online store that sells Microsoft products. 

According to Jiri Kropac, ESET's Head of Threat Detection Labs learned that the attack is carried out by deceptive ads that promote what appear to be legitimate applications. One of the commercials used in this attack, for example, promotes an online Chess game. Users are taken to a fake Microsoft Store page for a fake 'xChess 3' online chess application, which is automatically downloaded from an Amazon AWS server when they click on the ad. 

According to this Any.Run report created by BleepingComputer, the downloaded zip file is called 'xChess v.709.zip' [VirusTotal], which is actually the 'Ficker', or 'FickerStealer,' information-stealing malware in disguise. Other ads from this malware campaign imitate Spotify or an online document converter. Their landing pages can also download a zip file containing the Ficker malware when you visit them. Instead of being greeted by a new online Chess program or the Spotify software when a user unzips the file and runs the executable, the Ficker malware would run and begin stealing the data stored on their device. 

Ficker is a data-stealing Trojan that was first posted on Russian-language hacker forums in January before the developer started renting it out to other threat actors. Threat actors will use this malware to steal passwords from web browsers, desktop messaging clients (Pidgin, Steam, Discord), and FTP clients. The malware can also steal over fifteen cryptocurrency wallets, steal documents, and take screenshots of active applications running on victims' computers, according to the developer.

U.S. Department of Justice Warns of Fake Unemployment Benefits Websites Stealing Data

 

Recently a department of United States Justice has warned its civilians against threat actors who are imitating state workforce agencies (SWAs) in order to hack Americans’ sensible credentials and other important data. 

A press release has been released on 5th March; it reported that the department has received informative reports on the cyber attacks. Further, it added that there were certain threat actors who were mimicking real websites which looked like those genuinely belonging to the state workforce agencies (SWAs). 

The entire purpose of this attack is to pursue users into believing that they are actually applying for unemployment benefits and submitting their information and other sensitive credentials on the right platform. However, after collecting identifiable data of consumers’ hackers use this information for their private advantages such as to commit theft. While doing so, threat criminals usually send spam messages and emails with a link to a spoofed SWA website in order to make victims access these fake websites. 

“Unless from a known and verified source, consumers should never click on links in text messages or emails claiming to be from an SWA offering the opportunity to apply for unemployment insurance benefits,” said the department. 

Department further added that anyone who wants to submit their application for unemployment benefits should directly go to an official SWA website. Around 10 million people in the USA who are trying to take unemployment benefits are also advised that they should watch out for phishing attacks and do not take any communications they receive at face value. 

“Carefully examine any message purporting to be from a company and do not click on a link in an unsolicited email or text message. Remember that companies generally do not contact you to ask for your username or password,” said the department. 

Officers said, if you find yourself being unsure about any messages whether the entity sending the email is authentic or not, you must be contacting the department of the National Center for Disaster Fraud (NCDF) and report the communication but you must not rely on any contact information given in the fraudulent messages.

Masslogger Campaigns Exfiltrates Clients Credentials

 

Assailants are continually reinventing approaches to monetize their tools. Cisco Talos as of late found an intriguing campaign affecting Windows systems and focusing on clients in Turkey, Latvia, and Italy, albeit similar campaigns by the same actor have likewise been focusing on clients in Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain in September, October and November 2020. The threat actor utilizes a multi-modular approach that begins with the underlying phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection. However, it can likewise be a shortcoming, as there are a lot of chances for defenders to break the kill chain. 

Conveyed through phishing emails, the Masslogger trojan's most recent variation is contained inside a multi-volume RAR archive using the .chm file format and .r00 extensions, said Switchzilla's security research arm. Cisco Talos added: “Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application.” 

CHM is an arranged HTML file that contains an embedded HTML file with JavaScript code to start the active infection process. Each phase of the infection is obfuscated to avoid detection using simple signatures. The subsequent stage is a PowerShell script that eventually deobfuscates into a downloader and downloads and loads the main PowerShell loader. The Masslogger loaders appear to be facilitated on undermined authentic hosts with a filename containing one letter and one number linked with the filename extension .jpg. For instance, "D9.jpg". 

Masslogger is not an entirely new creation of the malware industry: Talos highlighted research by infosec chap Fred HK. He ascribed it to a malware underground persona who goes by the handle of NYANxCAT. Costs for Masslogger were apparently $30 for three months or $50 for a lifetime license. Cisco's analysis showed that Masslogger “is almost entirely executed and present only in memory” with just the email attachment and the HTML help file.

Meet Oski Stealer: In-depth Analysis Of the Popular Credential Stealer


In the current scenario credential theft malware is one of the most frequently employed malware in cyber hacking. Many government and non-government organizations are becoming victims of such attacks as employees are being attacked for their credentials. 

The main objective of this malware is to actively acquire confidential and sensitive data, consisting of users' official names, passwords of their systems, and financial information. 

Credential theft Malware is something that can cause destruction to a computer system and its network. The threat actors just don’t use this malware to steal passwords, but also to delete files and render computers inoperable. Potentially, malware can lead to infections which in turn can cause many problems that affect daily operations and the long-term security of affected organizations. 

‘The Oski stealer’, is a credentials stealer, first, it was reported in November 2019. As the name suggests, ‘the Oski stealer’ works as a big information stealer consisting of personal and sensitive information from its victims. 'Oski', the name has been derived from an old Nordic word, meaning ‘Viking warrior’, which is quite fitting considering this popular info-stealer is extremely effective at pillaging privileged information from its targets.  

As per the sources, “the ‘Oski’ stealer’ is a classic information stealer platform that is being sold on Russian underground hacking forums at a low price of $70-$100. The stealer is written in C++ and it has all the typical features of credential theft malware”. 

According to the research, ‘Oski’ targets sensitive information including: 

• Login credentials from different applications 
• System information 
• Browser information (cookies, autofill data, and credit cards) 
• Screenshots 
• Crypto wallets 
• Different user files 

Besides, the stealer can also work as a Downloader to download a second-stage malware with modification of tools. 

Every infection involving three parties: 
1. Malware authors 
2. Malware customers 
3. Malware victims 

The customers contact ‘Oski actors’ on underground forums to buy the malware and, once purchased, they customize it and disperse it to their targets. Oski has become popular and has built a strong reputation within the underground community, with many of its buyers on regular basis providing positive feedback and reviews about the functions of the malware. 

While giving further insights, sources from Intelligence said, “Even we have to admit that Oski’s functionality works pretty well. From setting up and checking the environment to stealing information by application type, Oski’s code is written with purpose and care. The code is neat and clean, without any presence of useless code lines, however, it does lack sophisticated anti-analysis tricks like anti-debugging and dynamic anti-analysis tricks”.

Here's a Quick Guide to Safeguarding Credentials

 


Safeguarding your authentication credentials is your best defense towards preventing your identity from falling into wrong hands. A recent report from Nordpass disclosed that people still use easy-to-remember passwords which however can also be hacked with very little effort. More than 2 million people use very simple passwords for example: ‘1234567’, notably, it won't take more than a second to break. 

People use passwords to gain access to an organization's resources and for recreational purposes as well, however, if the protection of passwords is taken lightly, one might end up falling into the hands of unscrupulous cybercriminals. Password stealing is easier than most of you think as hackers have multiple tools at their disposal, here are the ways by which one can ensure the prevention of the same. 

1 Minimum password length and complexity: Longer passwords with alphanumeric and special characters are considerably harder for hackers to break. For example letters, numbers, and special characters, “while it has been seen that few passwords are very secure against brute-force attacks, but the goal is here to increase entropy to protect password without making overly complicated passwords. 

According to the Open Web Application Security Project (OWASP), password with less than 10 characters can be hacked very easily. However, the question that arises is what length is considered secure but not too long? According to OWASP 160-character passwords considered to be a reasonable length. 

2 Multi-factor authentication (MFA): You must have seen many online shopping apps have started asking for extra authentication to verify your identity, more than just a username/email and password. For example, code on your phone, face or fingerprint scan etc. However, for big IT companies, it is very essential to use multi-factor authentication such as behavioral biometrics, building device reputational controls, IP tracking, and challenge-response protocols into their systems. 

3 Password managers for employees: It can be easy to go way for the companies if companies start having a password manager. This is a very easy and productive way that can ensure whether employees are using complex passwords or not. 

4 “Zero Trust” Security model:  This Network security model implies trusting no one, not even known users or devices without verifying or validating. This security model has been introduced by an analyst at Forrester Research. Although the theory employed is not entirely new, this security model has gained prominence nowadays in digital transformation and the effects can be easily seen on business network security architecture.

Twitter Hack: Three Arrested in the Bitcoin Scam


Graham Clark, a resident of Tampa Florida has been arrested under charges of being involved in July’s Twitter hack that targeted the handles of famous personalities including the CEO of SpaceX and Tesla Inc., Elon Musk, and former President of the US Barack Obama, to name a few. The other two suspects arrested by Californian authorities are Nima “Rolex” Fazeli of Orlando and Mason “Chaewon” Sheppard from Bognor Regis, U.K.

The alleged three ran a scheme under which they hijacked the twitter accounts of various public figures and posted tweets advertising a bitcoin scam from these high-profile accounts. In order to acquire access to internal support tools and these Twitter accounts, Clark compromised a Twitter employee and made use of his credentials. After gaining access to 130 accounts belonging to politicians and celebrities, he tweeted Bitcoin scam messages from 45 and accessed direct messages inbox of 36 of them and stopped with downloading the Twitter Data for a total of 7 accounts. Reportedly, the three cybercriminals involved made a profit worth $120,000 worth of bitcoins as a result of the scam.

Among the affected accounts were Amazon’s founder, Jeff Bezos, Microsoft’s CEO Bill Gates, Kim Kardashian West and Joe Biden.

According to operation led by the FBI in collaboration with the Secret Service and IRS, 17-year-old, Graham Clark is identified as the mastermind of the sophisticated incident; the teenager is just a high-school graduate who will be prosecuted by Hillsborough State authorities.

Bearing charges of conspiracy to commit wire fraud and money laundering, aiding the mastermind in orchestrating the attack, Sheppard is subjected to 45 years of imprisonment as the maximum penalty.

In a related video news conference, State Attorney, Warren said, "I want to congratulate our federal law enforcement partners, the US Attorney’s Office for the Northern District of California, the FBI, the IRS, the US Secret Service, and the Florida Department of Law enforcement. These partners worked extremely quickly to investigate and identify the perpetrators of this sophisticated and extensive fraud."

"This defendant lives here in Tampa, he committed the crimes here, and he’ll be prosecuted here,"

"The State Attorney's Office is handling this prosecution rather than federal prosecutors because Florida law allows for us greater flexibility to charge a minor as an adult in a financial fraud case like this." He added.

Meanwhile, in the regard, Twitter said "We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses.

"For our part, we are focused on being transparent and providing updates regularly."

Six New Vulnerabilities Found in DIR-865L Model of D-Link Routers


Over the last few months, the cyber world witnessed an alarming spike in the number of malicious attacks, it's seen as a direct result of more and more people working from home. As organizations have been experiencing unprecedented cybersecurity challenges, it has become even more crucial for users to keep their networks updated and hence secured.

DIR-865L model of D-Link routers, designed for monitoring home network from anywhere, was found to be containing six vulnerabilities as follows:

1. CVE-2020-13782 [Improper Neutralization of Special Elements used in a Command (Command Injection)]: A backend engine known as cgibin.exe controls the web interface for this router; attackers can place arbitrary code to be executed with administrative privileges.

2. CVE-2020-13786 [Cross-Site Request Forgery (CSRF)]: Threat actors can intercept data present on sections under password protection by capturing the network traffic; the router's web interface consists of various pages that are vulnerable to this security flaw.

3. CVE-2020-13785 (Inadequate Encryption Strength): The attackers can learn a user's password via a brute force attack carried offline on the basis of information that's sent to the client from the router when the user logs into the SharePort Web Access portal in port 8181.

4. CVE-2020-13784 (Predictable Seed in Pseudo-Random Number Generator): By exploiting this vulnerability, the attackers can deduce the information required to perform CSRF attacks even if the router is encrypting session information using HTTPS.

5. CVE-2020-13783 (Cleartext Storage of Sensitive Information): When an attacker attempts to acquire the admin password stored in the tools_admin.php page, he requires physical access to a logged-on machine as credentials sent over the wire are not clear. Once the attacker acquires physical access, he can view the password via the HTML source of the page.

6. CVE-2020-13787 (Cleartext transmission of sensitive information): Attackers capturing network traffic and stealing data can access the password used for guest wifi network, it's done via an option 'Wired Equivalent Privacy' (WEP).

These 6 newly discovered vulnerabilities by Palo Alto Networks' Unit 42 researchers in the D-Link DIR-865L home wireless router can be exploited all at once to run arbitrary commands, delete information, upload malware, exfiltrate data or intercept information and obtain user credentials illicitly.

To stay protected against the session hijacking attacks, users are advised to default all traffic to HTTPS and stay updated with the latest available version of the firmware with fixes, one can find the firmware on the D-Link's website. The website also provides a 'how-to' tutorial for changing the time zone on the router for the users to further defend themselves from possible malicious attacks.

Phishing Attacks Can Now Dodge Microsoft 365's Multi-Factor Authentication


Of late a phishing attack was found to be stealing confidential user data that was stored on the cloud.
As per sources, this is the work of a new phishing campaign that dodges the Office 365 Multi-Factor Authentication (MFA) to acquire the target’s cloud-stored data and uses it as bait to extract a ransom in Bitcoin.

Per reports, researchers discovered that the campaign influences the “OAuth2 framework and OpenID Connect (OIDC) protocol”. It employs a malicious “SharePoint” link to fool the targets into giving permission to “rogue” applications.

MFAs are used as a plan B in cases where the users’ passwords have been discovered. This phishing attack is different because it tries to fool its targets into helping the mal-actors dodge the MFA by giving permissions.

This campaign is not just about gaining ransoms via exploiting the stolen data it is that and the additional threat of having sensitive and personal information at large for others to exploit as well. Extortion and blackmail are among the first things that the data could be misused for.

Sources mentioned that via obtaining basic emails and information from the target’s device, the attacker could easily design “hyper-realistic Reply-Chain phishing emails.”

The phishing campaign employs a commonplace invite for a SharePoint file, which happens to be providing information regarding a “salary bonus”, which is good enough for perfunctory readers to get trapped, mention reports.

The link when clicked on redirects the target to an authentic login page of Microsoft Office 365. But if looked on closely, the URL looks fishy and created without much attention to detail, thus say the security experts.

Reportedly, access to Office 365 is acquired by getting a token from the Microsoft Identity Platform and then through Microsoft Graph authorizations. OIDC is used to check on the user granting the access if authentication comes through then the OAuth2 grants access for the application. During the process, the credentials aren’t revealed to the application.

The URL contains “key parameters” that explain how targets could be tricked into granting permissions to rogue applications on their account. Key parameters signify the kind of access that is being demanded by the Microsoft Identity Platform. In the above-mentioned attack, the request included the ID token and authentication code, mentioned sources.

If the target signs in on the SharePoint link that was delivered via the email they’ll be providing the above-mentioned permissions. If the target doesn’t do so, it will be the job of the domain administrators to handle any dubious activities.

This phishing campaign is just an example of how these attack mechanisms have evolved over the years, to such an extent that they could now try to extort sensitive data out of people seemingly by tricking them into providing permissions without an inkling of an idea of what is actually up.