Search This Blog

Showing posts with label malware. Show all posts

Cybercriminals Are Using Google URLs as a Weapon to Spread Malware

 

Security researchers at Microsoft warned the organizations of a new phishing campaign, they have been tracking activity where contact forms published on websites are exploited to send malicious links to organizations via emails containing fake legal threats. The emails direct recipients to click on a link to review supposed evidence behind their allegations, but are instead led to downloading IcedID, an info-stealing malware. Microsoft Defender for Office 365 identifies and blocks these emails while shielding enterprises from this threat.

As a precautionary measure, Microsoft reported the threat to Google's security teams to warn them that threat actors are using legitimate Google URLs to deliver malware. The Google URLs are useful to the attackers because they will bypass email security filters. Seemingly, the attackers have also bypassed CAPTCHA challenges that are used to test whether the contact submission is from a human.

"Attackers are abusing legitimate infrastructure, such as websites' contact forms, to bypass protections, making this threat highly evasive. Besides, attackers use legitimate URLs, in this case, Google URLs that require targets to sign in with their Google credentials," the Microsoft 365 Defender Threat Intelligence Team stated. 

Microsoft is bothered by the methodology used by threat actors to steal information and has currently detected the criminals using the URLs in an email to deliver IcedID malware. However, it could just as easily be used to deliver other malware.

IcedID is an info-stealing malware that connects to a command-and-control server to download modules that conduct functions like stealing banking credentials and other data. It achieves persistence and downloads additional tools that let remote attackers pursue other malicious actions on a target system, including credential theft, lateral movement, and delivery of additional payloads.

"We have already alerted security groups at Google to bring attention to this threat as it takes advantage of Google URLs. We observed an influx of contact form emails targeted at enterprises by means of abusing companies' contact forms. This indicates that attackers may have used a tool that automates this process while circumventing CAPTCHA protections. As the emails are originating from the recipient's own contact form on their website, the email templates match what they would expect from an actual customer interaction or inquiry," Microsoft further notes.

500,000 Huawei Devices hit by the Joker Malware

 

Security researchers have discovered that over 500,000 Huawei smartphone users who inadvertently subscribe to premium mobile services have downloaded apps contaminated by the Joker malware. For the past couple of years the malware family of Joker has infected apps on Google's Play Store, but it is the first time on Huawei phones. Using the company's in-house platform - App Gallery, Huawei users are not actually able to access the Google Play Store due to business restrictions in the USA. Researchers also discovered in the App Gallery some 10 apparently harmful applications containing malicious command and control server connectivity code for installation and additional components. 

A source noted that “Doctor Web’s virus analysts have uncovered the first malware on App Gallery―the official app store from the Huawei Android device manufacturer. They turned out to be dangerous Android. Joker trojans function primarily to subscribe users to premium mobile services. In total, our specialists discovered that 10 modifications of these trojans have found their way onto App Gallery, with more than 538,000 users having installed them.”

However, the researchers mentioned that the malware might subscribe the user to up to five services, but that restriction could also be changed at any time by the threat actor. Digital keyboards, a camera app, a launcher, an online messenger, an adhesive set, coloring programs, and a game were included in the malicious applications list. Most of the applications were developed by one (Shanxi Kuailaipai Network Technology Co., Ltd.) developer and two from separate developers. More than 538,000 Huawei users have installed these 10 applications, as per the Doctor Web’s reports. 

Doctor Web notified Huawei of these applications and the company detected and removed them from the App Gallery. Although new users cannot download them anymore, whereas if the applications were on the devices of other users then they must be cleaned manually. Upon being enabled, the malware transmits a configuration file to the remote server, including a task list, premium service websites, and JavaScript which imitates user interaction states the researchers. 

The history of Joker malware goes back to 2017 and has consistently made its way through the Google Play store distributed games. In October 2019, Kaspersky Malware Researcher Tatyana Shishkova tweeted over 70 compromise applications that made it official. And the malware reports in Google Play continued to surge. In early 2020, Google announced the removal of some 1,700 Joker-infected applications. Joker remained in the shop last February and even in July of last year he still slips through Google's defenses.

New Malware Downloader Spotted in Targeted Campaigns

 

In recent weeks, a relatively sophisticated new malware downloader has emerged that, while not widely distributed yet, appears to be gaining momentum. Malwarebytes researchers recently discovered the Saint Bot dropper, as they have termed it, being used as part of the infection chain in targeted campaigns against government institutions in Georgia. 

Saint Bot was discovered by researchers while investigating a phishing email containing a zip file containing malware they had never seen before. The zip file included an obfuscated PowerShell script disguised as a link to a Bitcoin wallet. According to Malwarebytes, the script started a chain of infections that led to Saint Bot being dropped on the compromised system. 

In each case, the attackers used Saint Bot to drop information stealers and other malware downloaders. According to the security vendor, the new loader is probably being used by a few different threat actors, implying that there are likely other victims. 

One of the information stealers that Saint Bot has noticed dropping is Taurus, a malware tool designed to steal passwords, browser history, cookies, and data from auto-fill. The Taurus stealer can also steal FTP and email client credentials, as well as system information such as configuration details and installed software. According to Malwarebytes, while Saint Bot mostly has been observed dropping stealers, the dropper is designed to deliver any malware on a compromised system. 

Malware droppers are specialized tools designed to install various types of malware on victim systems. One of the most notable recent examples of such malware is Sunburst, the tool that was distributed via poisoned SolarWinds Orion software updates to some 18,000 organizations worldwide. In that case, the dropper was specifically designed to deliver targeted payloads on systems belonging to organizations of particular interest to the attackers. 

Basically, the downloaders are first-stage malware tools designed to deliver a wide range of secondary and tertiary commodity payloads, such as ransomware, banking Trojans, cryptominers, and other malicious tools. Some of the most popular droppers in recent years, such as Emotet, Trickbot, and Dridex, began as banking Trojans before their operators switched tactics and used their Trojans as malware-delivery vehicles for other criminals. 

Saint Bot, like many other droppers, has several unclear and anti-analysis features to help it avoid malware detection tools. It is designed to detect virtual machines and, in some cases, to detect but not execute on systems located in specific Commonwealth of Independent States countries, which include former Soviet bloc countries such as Russia, Azerbaijan, Armenia, Uzbekistan, Ukraine, and Moldova.

"As we were about to publish on this downloader, we identified a few new campaigns that appear to be politically motivated and where Saint Bot was being used as part of the infection chain. In particular, we observed malicious documents laced with exploits often accompanied by decoy files." a spokesman from Malwarebytes' threat intelligence team states. In all instances, Saint Bot was eventually used to drop stealers. 

According to Malwarebytes, while Saint Bot is not yet a widespread threat, there are indications that the malware's creators are still actively working on it. According to the security vendor, its investigation of the Saint Bot reveals that a previous version of the tool existed not long ago. " Additionally, we are also seeing new campaigns that appear to be from different customers, which would indicate that the malware author is involved in further customizing the product," a Malwarebytes spokesman said.

APKPure Compromised to Deliver Malware

 

APKPure, one of the biggest alternative application stores outside of the Google Play Store, was tainted with malware this week, permitting threat actors to disseminate Trojans to Android gadgets. In an incident that is like that of German telecommunications equipment manufacturer Gigaset, the APKPure customer variant 3.17.18 is said to have been altered trying to trick unsuspecting clients into downloading and installing noxious applications linked to the malevolent code incorporated into the APKpure application. The development was reported by researchers from Doctor Web and Kaspersky. 

“Doctor Web specialists have discovered a malicious functionality in APKPure—an official client application of popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission.” reads a post published by Doctor Web. "This trojan belongs to the dangerous Android.Triada malware family capable of downloading, installing, and uninstalling software without users' permission," Doctor Web researchers added.

Triada was designed with the particular purpose to carry out financial frauds, typically hijacking financial SMS transactions. The most intriguing trait of the Triada Trojan is its modular architecture, which gives it theoretically a wide range of abilities. 

As per Kaspersky, the APKPure rendition 3.17.18 was altered to incorporate an advertisement SDK that goes about as a Trojan dropper intended to convey other malware to a victim's gadget. "This component can do several things: show ads on the lock screen; open browser tabs; collect information about the device; and, most unpleasant of all, download other malware," Kaspersky's Igor Golovin said. In light of the discoveries, APKPure has released another rendition of the application (form 3.17.19) on April 9 that eliminates the malevolent part. "Fixed a potential security problem, making APKPure safer to use," the developers behind the app distribution platform said in the release notes.

“If the user has a relatively recent version of the operating system, meaning Android 8 or higher, which doesn’t hand out root permissions willy-nilly, then it loads additional modules for the Triada Trojan. These modules, among other things, can buy premium subscriptions and download other malware. If the device is older, running Android 6 or 7, and without security updates installed (or in some cases not even released by the vendor), and thus more easily rootable, it could be the xHelper Trojan.” states Kaspersky.

Yanbian Gang Malware Continues With Large-Scale Distribution and C2

 

Fake banking apps laced with malware remain a crucial factor in the success of threat actors. For the Yanbian gang, a criminal group in Yanbian, China that targets organizations across Asia, it's a skill they have been honing for more than a decade. 

Since 2013, the Yanbian Gang has been targeting South Korean Android mobile banking customers with malicious Android apps impersonating major banks, including Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank. RiskIQ's threat research team examined some of the threat group's most recent activity in this vector to examine their malware of choice as well as the large-scale hosting infrastructure they use to distribute and control it. 

Hundreds of Korean language-specific apps were discovered across an extensive list of IP addresses during the researchers' analysis of Yanbian Android apps. These apps were created to steal information from infected victims, such as loan application details, contacts, SMS messages, phone call details, call logs, and applications currently installed on the device. 

Since December 2020, RiskIQ's analysis has identified 377 individual samples of malicious Android apps developed and distributed by the Yanbian Gang. Many of these apps have multiple versions and set up services to run in the background of victim phones, both of which fit the Yanbian Gang's known method of operation. 

While these apps appear to be simple, they are capable of performing a variety of malicious activities that the victim is unaware of. Yanbian Gang actors obtain information not only about the victim, but also their contacts, installed applications, and even messages sent from the infected device. These apps also have a plethora of permissions that they can potentially abuse for malicious purposes that can be abused for malicious purposes. 

One of the discoveries of research was references to various URL paths that led to a specific IP address via HTTP. The Yanbian Gang refers to these paths as "methods," and they serve as Command and Control (C2), allowing the app to initiate device registration, assess device capabilities, steal information, and receive instructions from specified C2 servers. 

Researchers at RiskIQ observed one of the samples communicating using only some of these "methods," most likely due to the limited amount of data stored in their testing device and its lack of features. These communications were sent to the C2 server via encrypted HTTP POST and GET requests. 

The Yanbian Gang continues to target South Korean users with malware, tactics, and targeting similar to that previously reported in 2015. However, the group has evolved to separate infrastructure based on function and to switch hosting providers. Yanbian Gang actively leverages web servers hosting their call-to-action and malicious application delivery, C2 servers, and servers running the Real-Time Messaging Protocol that receive call information, according to RiskIQ.

New REvil Ransomware Version Automatically Logs Windows into Safe Mode

 

The REvil Ransomware is unstoppable when it comes to ingenious hacking tactics and techniques. The well-known ransomware has escalated its attack vector once again, this time by changing the victim's login password in order to reboot the computer into Windows Safe Mode. 

While malicious groups are constantly upgrading their attack strategies in order to fight security measures, the threat actors behind the REvil ransomware are especially skilled at honing their malware in order to make their attack campaigns more effective.

Last month, security researcher R3MRUM discovered a new sample of the REvil ransomware that improves the new Safe Mode encryption method by changing the logged-on user’s password and setting Windows to automatically login on reboot. The ransomware would update the user's password to ‘DTrump4ever’ if the -smode statement is used. 

Afterward, the ransomware configures the following Registry values for Windows to automatically log in with the new account information. It is currently unknown whether new REvil ransomware encryptor samples will continue to use the ‘DTrump4ever' password, but at least two samples submitted to VirusTotal in the last two days have done so. 

This latest strategy exemplifies how ransomware groups are actively refining their tactics in order to effectively encrypt users' devices and demand a ransom payment. 

Asteelflash, a world-leading French EMS company, confirmed last week that it has been the target of a cybersecurity incident, identifying the involvement of REvil ransomware. After initially setting the ransom at $12 million in Monero crypto, the attackers demanded Asteelflash pay a whopping $24 million ransom. However, as the negotiations didn’t reach a point of agreement in time, the actors raised the ransom to double the amount and leaked the first sample of the exfiltrated files. 

Acer, a computer manufacturer, was also hit by the REvil ransomware. REvil has demanded a ransom of $50 million, which may be the highest ever demanded ransom.

REvil has released a service for contact to news media, companies for the best pressure at no cost, and DDoS (L3, L7) as a paid service. Threat actors, or associated partners, will perform voice-scrambled VoIP calls to the media and victim’s business partners with information about the attack.

Slack and Discord are Being Hijacked by Hackers to Distribute Malware

 

A few famous online collaboration tools, including the likes of Slack and Discord, are being hijacked by hackers to disperse malware, experts have cautioned.

Cisco's security division, Talos, published new research on Wednesday featuring how, throughout the span of the Covid-19 pandemic, collaboration tools like Slack and, considerably more generally, Discord have become convenient mechanisms for cybercriminals. With developing frequency, they're being utilized to serve up malware to victims in the form of a link that looks reliable. In different cases, hackers have integrated Discord into their malware to remotely control their code running on tainted machines, and even to steal information from victims. 

Cisco's researchers caution that none of the methods they found really exploits a clear hackable vulnerability in Slack or Discord, or even requires Slack or Discord to be installed on the victims' machine. All things considered, they essentially exploit some little-analyzed features of those collaboration platforms, alongside their ubiquity and the trust that both clients and systems administrators have come to place in them. 

"People are way more likely to do things like click a Discord link than they would have been in the past, because they’re used to seeing their friends and colleagues posting files to Discord and sending them a link," says Cisco Talos security researcher Nick Biasini. "Everybody’s using collaboration apps, everybody has some familiarity with them, and bad guys have noticed that they can abuse them." 

With regards to information exfiltration, the Discord API, for instance, has demonstrated to be quite an effective tool. As the webhook functionality (originally intended to send automated alerts) was intended to have the option to convey any kind of information, and malware oftentimes uses it to ensure stolen information arrives at its intended destination. 

“Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel — all without using the actual Discord application,” the researchers say. “The Discord domain helps attackers disguise the exfiltration of data by making it look like any other traffic coming across the network.”

As texting applications grow in popularity, the threats will develop with them. Organizations should know about the dangers, and cautiously pick which platform to utilize, the researchers concluded.

North Korean Lazarus Group Attacks South African Freight Via New Weapon

 

The North Korean-backed Lazarus hacking group employed a new backdoor in targeted attacks against a South African freight and logistics company. ESET researchers first discovered the malware in June 2020, but further evidence suggests Lazarus has been using it in previous attacks going back to at least December 2020. 

The new backdoor malware, dubbed Vyveva is one of the latest tools discovered in the Lazarus armory. Vyveva has the capability of exfiltrating files, gathering data from an exploited machine and its drives, remotely connect to a command-and-control (C2) server and run arbitrary code. It also uses watchdogs to keep track of newly connected drives or the active user sessions to trigger new C2 connections on new sessions or drive events.

While ESET researchers have not gained much success in identifying the initial compromise vector but they have discovered three main components comprising Vyveva – its installer, loader and backdoor. Vyveva also consists a ‘timestomping’ option which allows its operators to manipulate any file’s data using metadata from other files on the system or by setting a random date between 2000 and 2004 to hide new or modified files. 

“Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET technology. However, the similarities do not end there: the use of a fake TLS protocol in network communication, command-like execution chains, and the methods of using encryption and Tor services all point toward Lazarus. Hence, we can attribute Vyveva to this APT group with high confidence,” security researcher Filip Jurcacko stated.

According to the US government, Lazarus group was formed in 2007 and since then, as per the researchers, the group has been responsible for the $80 million Bangladeshi bank heist and the HaoBao Bitcoin-stealing campaign. The Lazarus Group’s activities were widely reported only after it was blamed for the 2014 cyber-attack on Sony Pictures Entertainment and the 2017 WannaCry ransomware attack on the countries including the US and Britain.

German Company Hit By Supply Chain Attack, Only Few Device Affected

Gigaset, a German device maker, was recently hit with a supply chain attack, the hackers breached a minimum of one company server to attach the malware. Earlier known as Siemens Home and Office Communication Devices, Gigaset is Germany based MNC. The company holds expertise in communication technology area, it also manufactures DECT telephones. Gigaset had around 800 employees, had operations across 70 countries and a revenue of 280 Million euros in the year 2018. 

The attack happened earlier this month, the malware was deployed in the android devices of the German company. According to experts, various users reported cases of malware infections, complaining the devices were attacked with adwares that showed unwanted and intrusive ads. Most of the users reported their complaints on Google support forums. A German website published a list of these package names (unwanted popups) which were installed on the android devices. 

Earlier complaints from the users are suggesting that data might've also been stolen from these devices. The foremost issue that these users faced was SMS texting and sending Whatsapp messages, the latter suspended few accounts on suspicion of malicious activity. The company has confirmed about the breach and said that the only the users who installed latest firmware updates from the infected devices were affected. The company is already set on providing immediate solutions to the affected customers. "It is also important to mention at this point that, according to current knowledge, the incident only affects older devices," said the company. 

The company during its routine investigation found that few of the old devices had malware problems. It was further confirmed by the customer complaints. Gigaset says it has taken the issue very seriously and is working continuously to provide short term solution to its customers. "In doing so, we are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem. We expect to be able to provide further information and a solution within 48 hours," said Gigaset.

Fake Netflix App Spreads Malware via WhatsApp Messages

 

Researchers have discovered malware camouflaged as a Netflix application, prowling on the Google Play store, spread through WhatsApp messages. As per a Check Point Research analysis released on Wednesday, the malware took on the appearance of an application called "FlixOnline," which publicized by the means of WhatsApp messages promising "2 Months of Netflix Premium Free Anywhere in the World for 60 days." But once installed, the malware begins stealing information and credentials.

The malware was intended to monitor incoming WhatsApp messages and automatically react to any that the victims get, with the content of the response crafted by the adversaries. The reactions attempted to bait others with the proposal of a free Netflix service, and contained links to a phony Netflix site that phished for credentials and credit card information, analysts said. 

“The app turned out to be a fake service that claims to allow users to view Netflix content from around the world on their mobiles,” according to the analysis. “However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor a user’s WhatsApp notifications, sending automatic replies to a user’s incoming messages using content that it receives from a remote server.” Once you install the FlixOnline application from the Play Store, it asks for three sorts of authorizations: screen overlay, battery optimization ignore, and notification. Researchers from Check Point noticed that overlay is utilized by malware to make counterfeit logins and steal client credentials by making counterfeit windows on top of existing applications. 

The malware was additionally able to self-propagate, sending messages to client's WhatsApp contacts and groups with links to the phony application. With that in mind, the computerized messages read, “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [Bitly link].”

“The malware’s technique is fairly new and innovative,” Aviran Hazum, manager of Mobile Intelligence at Check Point, said in the analysis. “The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags.”

Janeleiro a New Banking Trojan Targeting Corporate, Government Targets

 

A banking Trojan has been found out by cybersecurity researchers, which has targeted many organizations across the state of Brazil. An advisory has been released on Tuesday by ESET on the malware that was being developed in 2018. 
According to cyber intelligence, the Trojan named Janeleiro primarily focused on Brazil and launched multiple cyber attacks against corporate giants in various sectors such as engineering, healthcare sector, finance, retail, and manufacturing. Notably, the threat actors who are operating the banking trojan have also made attempts to get access into government systems using the malware.

According to the researchers, the Trojan is similar to other Trojans that are currently being operated across the state, specifically in Grandoreiro, Casbaneiro, and Mekotio, to name a major few. 

Janeleiro enters into smart devices similar to most malware, however, some features are different. First, Phishing emails will be sent in small batches, masked as unpaid invoices of the firm. These emails contain links that compromise servers into the system and download a .zip archive hosted in the cloud. If the target opens the archive file, a Windows-based MSI installer then loads the main Trojan DLL into the system. 

"In some cases, these URLs have distributed both Janeleiro and other Delphi bankers at different times," ESET says. 

“…This suggests that either the various criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group. We have not yet determined which hypothesis is correct." 

Interestingly, the Trojan first checks the geo-location of the targeted system's IP address. If the state code is Brazil and it remains and runs its operation but if it is other than Brazil then the malware will exit automatically. 

Janeleiro is being used to frame fake pop-up windows "on-demand," such as when operators compromised banking-related keywords from its machine. Once the operators get access to the system then they ask for sensitive credentials and banking details from targets.

The Less Progressive but Consistent, Cycldek Threat Actors

 

It is somewhat usual for tools and methodologies to be allowed to share throughout the nebula of Chinese threat actors. The infamous "DLL side-loading triad" is one of that kind of example. The side-loading-dynamic link library (DLL) is an extremely effective method of cyber-attack that benefits from the management of DLL files by Microsoft Windows applications. A genuine executioner, a malicious DLL, and an encrypted payload have usually been dropped from a self-extraction file. Initially regarded as the LuckyMouse signature, developers observed that other organizations were using a similar 'triad' like HoneyMyte. Although it indicates that attacks depending only on this technique cannot be attributed, the efficient prevention of such triads shows increasing malicious activity. 

A malware sample has been identified by researchers knows as FoundCore Loader which is configured to attack high-profile organizations in Vietnam. As per the high-level perspective of the researchers, the virus chain follows an execution that starts from the – FINDER.exe (a genuine MS Outlook file) which side loads to the outbill.dll (a malicious loader ) that eventually hijacks the flow of the execution and decrypts and runs a Shellcode placed in a rdmin.src file ( that is a malicious loader companion). 

The FoundCore payload is the final payload that is a remote access tool that provides its operators with complete control of the victim machine. This malware begins with 4 threads when it is executed. The first one determines persistence through the development of a service. The second establishes unclear information for the system by modifying its fields like 'Description,' 'Image Path,' 'Display Name' (among others). The third set the vacant DACL ("D:P" SDDL) image for the current process to avoid access to the entire malicious file. To discourage the malicious file from entering. In the end, the worker thread bootstraps execution and connects to the C2 server. It can also incorporate a copy of itself into another process, based on its configuration. FoundCore gives complete control of the victim's machine to the threat player. The malware supports various instructions to manipulate the filesystem, manipulate the procedure, execute arbitrary commands, and record screenshots. DropPhone and CoreLoader are other malware delivered during the attacks. 

Cycldek, which has been active since 2013 and is also recognized as Goblin Panda and Conimes, is famous for its targeted delivery and preferences being the Vietnam targets and the governments in South East Asia. As per a report, that in June 2020 a piece of personalized malware had been used to exfiltrate airborne data, a clear sign of transformation for a group considered less sophisticated. According to Kaspersky, more recent attacks show even more sophistication. 

A genuine part of Microsoft Outlook was mistreated to load a DLL which would operate a shellcode that acts as a loader of FoundCore RAT in an attack on a high-profile Vietnamese organization. While Cycldek has been regarded to be one of the less advanced threat actors in the Chinese-speaking world, the goal of the campaign is recognized to be consistent.

Protect Your Android Phones from Android 'System Update' Malware

 

Security researchers at Zimperium zLabs have discovered a new ‘sophisticated’ Android malware posing as a software update application. This malware becomes more lethal when it sits stealthily masqueraded as a system update.

Once the malware is downloaded on a device, the victim’s device is registered with the Firebase Command and Control (C2), upon which a hacker can send commands via Firebase messaging service to manage data theft. The process of data exfiltration starts once a condition is fulfilled, including the addition of a new mobile contact, app installation, or a receipt of an SMS text.

“When the victim is using Wi-Fi, all the stolen data from all the folders are sent to the C2, whereas when the victim is using a mobile data connection, only a specific set of data is sent to C2,” security researcher at Zimperium zLabs stated.

According to a report by researchers at Zimperium, this malware has the capability of stealing your data once it is installed into your Android phone. Once in control, cybercriminals can record audio and phone calls, take photos, access WhatsApp texts, steal instant messenger texts, peer into GPS location data, examine the default browser’s bookmarks, search for files with specific extensions, inspect the clipboard data, the content of the notifications, steal SMS texts and call logs, list the downloaded applications and even extract device information. 

Security researchers have termed the malware as ‘FakeSysUpdate’ which is quite capable of concealing its source. Unfortunately, researchers have not detected the source of this malware but advised the Android users to remain vigilant regarding the content on their device. Frequently check for official updates, uninstall all the apps that you feel are necessary, and also avoid installing apps from a third-party source.

In an interview with TechCrunch, Shridhar Mittal, CEO of Zimperium zLabs stated that “it’s easily the most sophisticated attack we’ve seen…I think a lot of time and effort was spent on creating this app. We believe that there are other apps out there like this, and we are trying our very best to find them as soon as possible.”

Hackers Attack Users With Malware Using Underground Call Centres

 

BazarLoader malware actors have started working with underground call centres to fool targets of their spamming campaign by making them open corrupted Office files and corrupting their devices with malware. It's not the first time when underground call centres and the hacking group have come up to work together, however, it's the first time when the likes of the BazarLoader gang, a major Malware distributer, have used this technique on such a massive scale. 

How it took place?

The recent attacks have been very unique from the general malware scenario of today, the attackers have their own identities, normally known as BazaCall or BazarCall, the reason being they depend upon telephone calls to conduct their infiltration. Currently, the attack techniques that these hackers use are simple and yet effective. The group (BazarLoader) initiates the malware campaign by sending spam campaigns to specific targets. To attract the attention of the users, the email baits the victims through offers, subscriptions, free trials, etc. 

The email also consists of details for users to call a specific number that is mentioned in the mail to know more about the offer. If the victim dials the mentioned number, they are redirected to a call centre, here, a supposed operator tells directs the victim into downloading an office file, tells the user to disable the office security features, and run an excel or word file which allows hackers to run macros (automated scripts), that is used to download and install the malware in victims' device. Thanks to cybersecurity expert Brad Duncan, the phone recordings of one of the call centres involved are available. 

Targets include high profile accounts 

A cybersecurity expert that goes by the name Analyst said that these attack campaigns started in January 2021. The analyst is the same person that termed the attack as BazarCall, says that most of the targets use .edu or corporate email address, never target home users that use free emails like Gmail, Yahoo, or Hotmail. The Record reports, "the security researcher says the classic endgame for these attacks is to infect corporate networks, where the BazarLoader malware can then turn around and rent access to ransomware gangs, such as the Ryuk crew, with which they’ve collaborated before.

WordPress Websites Infected with Malware Via Fake jQuery Files


Cybersecurity experts discovered fake variants of the jQuery Migrate plugin inserted in various sites that had unclear codes to launch malware. The files are tagged as jquery-migrate.min.js and jquery-migrate.js, currently located where Java files are generally found on WordPress websites but in reality are fake. Presently, around 7 Million websites use the jQuery Migrate plugin, the popularity of the plugin may have led hackers to use it as a decoy to plant their malware under the plugin name. 

Cybersecurity experts Adrian Stoian and Denis Sinegubko earlier this week discovered fake jQuery files pretending to be jQuery migrate plugins on several websites. To avoid getting caught, the infected files interchange with legitimate files having ./wp-includes/js/jquery/ directory where all the WordPress files are present. 

These counterfeit files have further muddled the codes using an anonymous analytics.js file containing malicious codes. As of now, the threat level of this attack is yet to be determined, but a search query shared by Sinegubko revealed that the malicious code infected around forty web pages.  

The filename 'analytics' however, has nothing to do with the metrics of websites. Bleeping computer enquired some infected file codes. "The code has references to "/wp-admin/user-new.php" which is the WordPress administration page for creating new users. Moreover, the code accesses the _wpnonce_create-user variable which WordPress uses to enforce Cross-Site Request Forgery (CSRF) protections," reports Bleeping Computer. 

In general, if the hackers get the CSRF tokens, it allows them to imitate fake requests from the user end. Attaching these malicious scripts on WordPress websites allows hackers to deploy various cyberattacks using that may vary from credit card skimming for Megacart scams or redirecting users to scammed websites. Here, the victims may be led to fake survey forums, tech assistance frauds, requests for subscribing to spam notifications, or installing malicious browser extensions.  

Helpnet Security reports, "everyone with half a mind for security will tell you not to click on links in emails, but few people can explain exactly why you shouldn’t do that. Clicking on that link means that an attacker can fake any user-supplied input on a site and make it indistinguishable from a user doing it themselves."

Beware of Ongoing Brute-Force Attacks Against NAS Devices, QNAP Warns

 

Taiwanese firm, QNAP has warned its clients of ongoing attacks targeting QNAP NAS (network-attached storage) devices and urged to strengthen their devices’ security by changing their passwords and default access port number, and disabling the admin account.

The company warned its customers by stating, “recently QNAP has received multiple user reports of hackers attempting to log into QNAP devices using brute-force attacks – where hackers would try every possible password combination of a QNAP device user account. If a simple, weak, or predictable password is used (such as ‘password’ or ‘12345’) hackers can easily gain access to the device, breaching security, privacy, and confidentiality. ”

If threat actor manages to guess the right password then they are able to secure full access of the targeted device, allowing them to exfiltrate confidential documents or install malware. If the hackers are unable to brute-force their way in, the NAS devices’ system logs will mark the attempts and log them with ‘Failed to login’ warning texts.

To protect their devices from ongoing attacks, customers have to enhance NAS security by changing the default access port number, implementing password rotation policies, and disabling the default admin account. Additionally, since the attack is only viable on Internet-facing NAS devices, QNAP recommends customers don’t display their devices on public networks.

Firstly, customers have to create a new system administrator account before disabling the admin account. If the administrator account on QNAP NAS devices is running on QTS 4.1.2 then the following steps will disable the default admin account:

• Go to Control Panel > Users and edit the ‘admin’ account profile.
 
• Tick the ‘Disable this account’ option and select ‘OK’.

Additionally, customers can also configure the NAS device to automatically block IP addresses behind several numbers of troubled login attempts. QNAP has also published a checklist to secure their customers’ device and protect their data:

• Remove unknown or suspicious accounts from the device 

• Download QNAP MalwareRemover application through the App Center functionality 

• Change all passwords for all accounts on the device
 
• Set an access control list for the device (Control Panel > Security > Security level)

REvil Ransomware Gang Introduces New Malware Features which can Reboot Infected Devices

 

The ransomware gang REvil introduced a special malware feature that allows attackers to reboot infected devices after encryption. REvil emerged in April 2019 and is also recognized by the names Sodinokibi and Sodin. The ransomware gang was linked to many important attacks, including attacks in May 2020 on popular law firm Grubman Shire Meiselas and Sacks and also an attack in April 2020 on Travelex, a London-based currency exchange that paid a $2.3 million ransom for recovering its data. 

The MalwareHunter team researchers recently tweeted that the REvil operators have introduced two new command lines named 'AstraZeneca' and 'Franceisshit,' in Windows Safe Mode, which is utilized to reach the initialization screen for Windows devices. 

"'AstraZeneca' is used to run the ransomware sample itself in the safe mode, and 'Franceisshit' is used to run a command in the safe mode to make the PC run in normal mode after the next reboot," team of MalwareHunter tweeted. 

However it is not special, but the strategy is definitely uncommon, said the analysts. REvil implements this feature most likely as it will help the Ranking software to avoid detection by certain security devices because these functions allow attackers to encrypt the files in windows safe mode. 

"Causing a Windows computer to reboot in safe mode can disable software, potentially even antivirus or anti-ransomware software, that is working to keep your computer safe," says Erich Kron, security awareness advocate at the security firm KnowBe4. "This would then allow the attackers to make changes that may otherwise not be allowed in normal running mode." 

By tracking computers for unusual rebooting activities and by implementing successful data loss protection checks, organizations can deter malicious acts. Since REvil mainly uses compromised RDPs and mail phishing for distribution, it is essential for organizations, ideally through multi-factor authentication, to ensure that all Internet-accessible RDP instances are protected and that their employees are trained on high-quality security sensitives which can help them identify and track phishing attacks. 

Lately, the gang allegedly attacked Taiwan PC maker ‘Acer’ in an on-site version of Microsoft Exchange server, exploiting the unpatched ProxyLogon defect. 

The REvil Gang has gradually strengthened its malware and adapted various new methods of extortion. As of now, it frequently aims at bigger companies looking for significantly greater pay-outs, names, and shames via its devoted leak and targets cyber-insurance victims.

New Worm Capabilities Targets Windows Machines

 

A malware that has verifiably targeted exposed Windows machines through phishing and exploit kits have been retooled to add new "worm" capabilities. Purple Fox, which originally showed up in 2018, is an active malware campaign that as of, not long ago required user interaction or some kind of third-party tool to infect Windows machines. However, the assailants behind the campaign have now upped their game and added new functionality that can force its way into victims' systems on its own, as indicated by new Tuesday research from Guardicore Labs.

“Guardicore Labs have identified a new infection vector of this malware where internet-facing Windows machines are being breached through SMB password brute force,” Guardicore Labs Amit Serper said. In addition to these new worm abilities, Purple Fox malware now additionally incorporates a rootkit that permits the threat actors to conceal the malware on the machine and make it hard to distinguish and eliminate, he said. 

Researchers examined Purple Fox's most recent activity and discovered two huge changes to how assailants are spreading malware on Windows machines. The first is that the new worm payload executes after a victim machine is undermined through a weak exposed service. Purple Fox additionally is utilizing a past strategy to contaminate machines with malware through a phishing effort, sending the payload by means of email to exploit a browser vulnerability, researchers observed. When the worm infects a victim's machine, it creates a new service to establish persistence and execute a simple command that can iterate through a number of URLs that include the MSI for installing Purple Fox on a compromised machine, said Serper. 

“msiexec will be executed with the /i flag, in order to download and install the malicious MSI package from one of the hosts in the statement,” he explained. “It will also be executed with the /Q flag for ‘quiet’ execution, meaning, no user interaction will be required.”

Gadgets caught in this botnet incorporate Windows Server machines running IIS form 7.5 and Microsoft FTP, and servers running Microsoft RPC, Microsoft Server SQL Server 2008 R2, and Microsoft HTTPAPI httpd 2.0, and Microsoft Terminal Service.

Malware Campaign Targets Telegram Desktop Application

 

An independent security researcher based in Basel, Switzerland, Jannis Kirschner, began to look for the widely known Telegram desktop version on the internet on Sunday. The second Google result was an advertisement, which led him directly to malware cloaked as a Telegram for Windows desktop version. At first sight, it was sufficiently convincing for Kirschner to say that "almost fell for it myself." 

Malware vendors are habituated to use the same publicity tools that online businesses use to attract people. To stop such abuse, Google patrols its advertising ecosystem, but malware advertising is still an ongoing problem. Although a visit by telegramdesktop[dot]com to one of those sites now triggered an alert from the Google Safe Browsing service, that the two sites were unsafe and potentially still active and duplicated others. These include the telegraph[dot]net and the telegram[dot]org. The websites were reported to Google by Kirschner. 

Each of these three spoofed websites is Telegram's clones. All links on cloned sites are redirected to the legitimate Telegram domain, design.telegram.com. But one link is exchanged which is supposed to be the execution for the Telegram Desktop version of Windows. 

"A repo probably was a bad choice for delivering malware since it's very verbose (download numbers, time, and other documents)," Kirschner says. "The biggest opsec mistake was that they didn't clean one of the repo's metadata, which led me to discover commit messages and their e-mail [address]."

He further adds that "I believe that it is the same threat actor or group since the TTPs [tactics, techniques, and procedures] are the same, and all sites have been established in a very close timeframe using the same hoster and certificate authority." 

At least a temporary benefit is offered to host malware on platforms such as Bitbucket: surface links are often deemed to be genuine, and attackers are subject to a malicious reservoir that needs to be removed until someone reports it. The techniques help cover a technological filtering and manual screening campaign, but don't always measure properly, says Kirschner. 

A February 2020 report by the security firm Cybereason reported over half a dozen newcomers, crypto miners, ransomware, and other malware put on Bitbucket by bad actors. 

The telegramdesktop[dot]com website seems to be shared with Moldova. Kirschner says this domain was registered on 29 December 2020. A search in the Wayback Machine of the Internet Archive, reveals that telegramdesktop[dot]com was redirected to the rightful domain telegram.org in April 2018. However, according to DomainTools records, the domain expired in October 2018. 

"I assume that domain once belonged to Telegram themselves, expired and was taken over by the criminals now," Kirschner further says.

Everthing You Need to Know About Ongoing TrickBot Attacks, US Agencies Warn

 

The Cybersecurity and Infrastructure Security Agency (CISA) in unison with the Federal Bureau of Investigation (FBI) published an advisory on Wednesday to warn organizations of ongoing TrickBot attacks despite in October multiple security firms dismantled their C2 infrastructure in a joint operation.

In their joint advisory, two agencies disclosed that a sophisticated group of cybercrime actors is leveraging a traffic infringement phishing scheme to lure victims into installing the Trickbot malware.

TrickBot was initially observed in 2016, it is believed to be designed by the threat actors behind the Dyre Trojan. TrickBot has become one of the most prevalent families out there, entrapping machines into a botnet that was being offered under a malware-as-a-service model to both nation-states and cybercrime groups.

“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spear phishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot,” the joint advisory reads.

In October 2020, Microsoft revealed that it had disrupted the infrastructure behind TrickBot, taking most of it down. However, the malware survived the takedown attempt and came back stronger, with several new updates that protected against similar attempts. The recent attacks come as a confirmation to the same, that TrickBot’s operators were able to restore their malicious operations. 

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download Trickbot to the victim’s system,” the advisory further stated.