Search This Blog

Showing posts with label Fake Emails. Show all posts

Researchers Discovered Counterfeit Phones with Backdoor to Hack WhatsApp Accounts

 

Budget Android device models that are replicas of popular smartphone brands are infected with numerous trojans devised to target the WhatsApp and WhatsApp Business messaging apps. Doctor Web discovered the malware in the system partitions of at least four different smartphones in July 2022: P48pro, redmi note 8, Note30u, and Mate40. 

The cybersecurity firm said in a report published, "These incidents are united by the fact that the attacked devices were copycats of famous brand-name models. Moreover, instead of having one of the latest OS versions installed on them with the corresponding information displayed in the device details (for example, Android 10), they had the long outdated 4.4.2 version."

The tampering specifically affects two files, "/system/lib/libcutils.so" and "/system/lib/libmtd.so," which have been modified in such a way that when the libcutils.so system library is used by any app, it activates the execution of a trojan embedded in libmtd.so. If the apps that use the libraries are WhatsApp and WhatsApp Business, libmtd.so launches a third backdoor whose primary function is to download and install additional plugins from a remote location.

The researchers stated, "The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps. As a result, they gain access to the attacked apps' files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules."

Libmtd.so is configured to start a local server that enables connections from a remote or local client via the "mysh" console if the app using the libraries turns out to be wpa supplicant - a system daemon used to manage network connections.

Potential Risks

Based on the discovery of another trojan embedded in the system application responsible for over-the-air (OTA) firmware updates, Doctor Web hypothesised that the system partition implants could be part of the FakeUpdates (aka SocGholish) malware family.

The malicious app, on the other hand, is designed to exfiltrate detailed metadata concerning the infected device as well as download and install other software without the user's knowledge using Lua scripts.

Phony Copyright Emails Employed to Install LockBit Ransomware

 

LockBit ransomware operators are employing a unique strategy to lure victims into infecting their devices with malware by portraying it as copyright claims. 

The ransomware hackers target victims by sending an email regarding a copyright violation for allegedly using media files without the creator’s license. It also urges the victim to remove the content from their websites immediately or face legal action. 

The emails, identified by analysts at AhnLab in Korea, do not determine which files were inappropriately employed in the body of the text; rather, they instruct the receiver to download and open the attached file in order to view the infringing content. 

The attachment is a ZIP file that has been encrypted with a password and contains a compressed file. The archive contains a compressed file, an executable file posing as a PDF document. The executable is an NSIS installer, loading the LockBit 2.0 ransomware which, in turn, encrypts all of the files on the endpoint. 

As BleepingComputer reports, copyright claims are not exactly a novelty when it comes to distributing malware. Earlier this year, there had been “numerous” emails of this sort, distributing the likes of BazarLoader, or the Bumblebee malware loader. 

Bumblebee is employed for deploying second-stage payloads, including ransomware, so opening one of those files on your computer may lead to rapid and disastrous assaults. Copyright claims are a matter that publishers of content should take into serious consideration, but if the claim isn't straightforward but instead requests you to open attached files to view the violation details, it's improbable for it to be a genuine takedown notice. 

LockBit 2.0 is by far the most widespread ransomware variant, security analysts from the NCC group have said. Allegedly, LockBit 2.0 accounted for 40% of all ransomware attacks that occurred in May this year. The notorious ransomware operation recorded a whopping 95 victims in May alone, whereas Conti, BlackBasta, Hive, and BlackCat collectively had 65. 

To mitigate the risks, multi-factor authentication can be applied across the entire ecosystem in order to provide an additional layer of defense against cyber assaults. Those behind LockBit attacks have also been known to exploit stolen usernames and passwords, so if it's known that a password has been part of a data breach, it should be changed.

Google SMTP Relay Service Exploited for Sending Phishing Emails

 

Phishers are exploiting a vulnerability in Google's SMTP relay service to send malicious emails that imitate well-known brands. Threat actors use this service to mimic other Gmail tenants, according to Avanan researcher Jeremy Fuchs. Since April 2022, they've noticed a massive rise in these SMTP relay service exploit attacks in the wild. 

Organizations utilise Google's SMTP relay service to send out promotional messages to a large number of consumers without the risk of their mail server being blacklisted. 

Fuchs explained, “Many organizations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google. However, these relay services have a flaw. Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate.” 

As Gmail's SMTP relay servers are usually trusted, email security solutions are circumvented, and recipients see a legitimate-looking email address in the "From:" field. Users will only know something is wrong if they inspect the message headers. 

This brand impersonation method will only work if the impersonated corporation/brand company hasn't enabled its DMARC reject policy, according to Fuchs. A DNS-based authentication standard is known as DMARC. It protects enterprises from impersonation threats by preventing malicious, spoof emails from reaching their intended recipients. 

Using tools like MXToolbox, any phisher — indeed, anyone who uses the internet – may verify whether the DMARC reject policy has been enabled for a certain domain. Trello and Venmo, for example, haven't, according to Fuchs, while Netflix has. 

On April 23rd, 2022, Fuchs claims to have warned Google about how phishers were using their SMTP relay service. “Google noted that it will display indicators showing the discrepancy between the two senders, to aid the user and downstream security systems,” he told Help Net Security. 

He also points out that any SMTP relay could be vulnerable to this type of assault. The DMARC protocol, which Google recommends, is the overarching solution to this well-known security issue. However, until that becomes the norm, recipients should verify the headers of unsolicited email messages and avoid opening attachments or clicking on links in those messages if they can't tell whether they're harmful. 

“We have built-in protections to stop this type of attack. This research speaks to why we recommend users across the ecosystem use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. Doing so will defend against this attack method, which is a well-known industry issue,” a Google spokesperson told Help Net Security.

Dridex Targeted Employees with Fake Job Termination Emails

 

A new Dridex malware phishing campaign is using fake employee termination as a lure to open a malicious Excel document, which then trolls them with a season's greeting message.

TheAnalyst, a threat researcher, shared a screenshot of the false employment termination notice on December 22, linking it to a Dridex affiliate. The suspicious email informed the target that their employment will end on December 24, and also that the decision could not be reversed. A password-protected Excel file attached offered further information. 

When a receiver accessed the file, a blurred form with a button to "Enable Content" appeared, allowing the file to run an automated script through its macros function, a technology designed to aid automation that has been misused for years for harmful purposes. After clicking the button, a pop-up window displayed with the words "Merry X-Mas Dear Employees!" 

Dridex is a trojan that was first discovered in 2014 and is related to credential theft. It spreads via email phishing campaigns. According to the US Treasury Department, it has been used to steal more than $100 million from banking institutions in 40 nations. 

Dridex is thought to have been created by Evil Corp., a Russian hacker gang that has become one of the most notorious and prolific cybercrime organizations in recent years. In December 2019, the US government sanctioned the organization and indicted its alleged founders, Maksim Yakubets and Igor Turashev, for their roles in developing Bugat, the predecessor malware to Dridex. 

A response to TheAnalyst's tweet including the false termination notice observed that in some copies of the email, the "Merry X-Mas" pop-up replaced the word "Employees" with racial insults. The racist content with this particular Dridex campaign extends back to a few months, according to TheAnalyst. 

For example, a phishing email sent out to targets during Black Friday mentioned shooting "black protesters" with a license. "If you find this message to be inappropriate or offensive, please click the complaint button in the attached document and we will never contact you again," the message stated. 

According to TheAnalyst, cybercriminals frequently insert racist email addresses inside the malware payloads to insult researchers. This element of the campaign is not visible to the campaign's targets, but it is visible to researchers who seek out, study, and expose phishing campaigns.

This New Phishing Attack Uses a Weaponized Excel File

 

A new phishing campaign is targeting financial sector employees by using links to download a ‘weaponized’ Excel document.

MirrorBlast, a phishing effort, was discovered in early September by security firm ET Labs. Morphisec, a fellow security firm, has now studied the malware and warns that the malicious Excel files might escape malware-detection systems due to "extremely lightweight" embedded macros, making it especially risky for businesses that rely on detection-based protection and sandboxing. 

Macros, or scripts for automating activities, have grown in popularity among cybercriminals. Despite the fact that macros are disabled by default in Excel, attackers employ social engineering to deceive potential victims into allowing macros. Despite appearing to be a simple approach, macros have been employed by state-sponsored hackers because they frequently work. 

Microsoft earlier this year extended its Antimalware Scan Interface (AMSI) for antivirus to combat the rise in macro malware and a recent phenomenon by attackers to utilise outdated Excel 4.0 XLM macros (rather than newer VBA macros) to circumvent anti-malware systems. 

As per Morphisec, the MirrorBlast attack chain is similar to tactics used by TA505, a well-established, financially focused Russia-based cybercriminal group. The group has been active since at least 2014 and is well-known for its usage of a wide range of tools. 

Morphisec researcher Arnold Osipov stated in a blog post, "TA505 is most known for frequently changing the malware they use as well as driving global trends in malware distribution." 

While the MirrorBlast attack begins with a document attached to an email, it afterwards uses a Google feed proxy URL with a SharePoint and OneDrive trap that masquerades as a file-sharing request. When the user clicks the URL, they are sent to a hacked SharePoint site or a bogus OneDrive site. Both versions will take to the malicious Excel document. 

The sample MirrorBlast email demonstrates how the attackers are capitalising on company-issued data on COVID-related modifications to working conditions. Morphisec points out that due to compatibility issues with ActiveX components, the macro code can only be run on a 32-bit version of Office. The macro itself runs a JavaScript script meant to avoid sandboxing by determining if the computer is in administrator mode. The msiexec.exe process is then launched, which downloads and instals an MSI package. 

Morphisec discovered two MIS installation versions that employed legal scripting tools named KiXtart and REBOL. The KiXtart script transmits information about the victim's workstation to the attacker's command and control server, including the domain, computer name, user name, and process list. It then answers with a number indicating whether the Rebol version should be used. Morphisec states that the Rebol script leads to a remote access tool called FlawedGrace, which the group has previously utilised. 

Osipov added, "TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals."