Showing posts with label File Encryption.

Beware of This Dangerous Android malware As It Can Hold Your Phone Hostage


A new strain of Android malware has been spotted in the wild that can evade antivirus apps, steal a large amount of personal and financial data, and even encrypt the contents of an infected phone, ransomware-style.

According to a recent report from cybersecurity firm CloudSEK, whose researchers have named the malware "Daam", its advanced capabilities make it a serious threat even to the best Android phones.

So far, CloudSEK has found Daam inside the APK installation files of three apps: Psiphon, Boulders and Currency Pro. All three appear to be sideloaded apps that Daam uses to infect Android phones. Psiphon is a VPN app, Boulders is a mobile game, and Currency Pro is, as the name suggests, a currency converter.

If you installed any of these apps by sideloading them rather than through an approved store such as the Google Play Store, your phone may be infected with Daam. Because the malware can evade detection by antivirus software, and because it may already have encrypted the files on the device, there may be no simple remedy.

File encryption 

Daam is fairly sophisticated and carries a range of features designed to steal your data and compromise your privacy. It can record all active VoIP and phone calls, including WhatsApp calls, and it can steal files from the phone as well as the contact list. Notably, it harvests not only existing contacts but also any contacts added after infection.

Everything Daam steals is sent to the command and control (C&C) server run by the hackers behind the campaign. It is worth noting that, once installed, the malicious apps used to spread the malware request sensitive device permissions that give Daam near-complete control over the phone.

As if having that much private information stolen were not bad enough, Daam also encrypts the files on an infected phone with the AES algorithm, without the user's consent. At the same time it can change the device password or PIN, locking you out entirely.

Mitigation tips

Normally, protecting yourself from mobile malware would mean installing one of the top Android antivirus apps and turning on Google Play Protect on your phone.

In this case, however, Daam was built to evade antivirus apps, so the best defence is extra caution when installing new apps. Sideloading may be convenient, but it exposes your Android phone to malware; stick to official app stores. Even then, read reviews and check an app's rating before installing it, because malicious apps occasionally slip past Google's security checks.

You should also avoid clicking links sent to your phone by email or text message from unknown senders. Such links may lead to malicious websites that trick you into installing malware or phish for your information.

Although Daam is relatively new, it is already highly capable of data theft and of making life difficult for Android owners, so we will probably keep hearing about it.

Iranian Hackers Employ PowerShell Backdoor to Bypass Security Products


Security researchers at Cybereason have found that an advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor.

The Boston-headquartered cybersecurity firm identified a new toolkit used by the Phosphorus group, also known as Charming Kitten and APT35, that deploys malicious PowerShell code acting as a remote access backdoor to download further payloads.

"The PowerShell code runs in the context of a .NET application, thus not launching 'powershell.exe', which enables it to evade security products," Daniel Frank, a senior malware researcher at Cybereason, explained. "The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy."
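The evasion Frank describes still leaves a telemetry footprint. The following Python is an added example written for this page (it is not Cybereason's code and not part of the campaign): it scans Windows PowerShell Event ID 400 records, whose message lists HostName= and HostApplication=, and Sysmon Event ID 7 image-load records, for a PowerShell engine hosted by or the automation assembly loaded into a binary other than powershell.exe, powershell_ise.exe or pwsh.exe. The sample events, paths, host names and record IDs are constructed for the example, and the list of known hosts is an assumption to be tuned per environment.

```python
"""Hunt for PowerShell engines that start outside the standard PowerShell binaries.

Windows PowerShell logs "Engine state is changed from None to Available"
(Event ID 400) each time an engine starts; the message carries HostName= and
HostApplication=. A runtime embedded through System.Management.Automation in an
arbitrary .NET executable reports that executable, not powershell.exe. Sysmon
Event ID 7 (ImageLoaded) shows the same thing from the loader's side.
All events below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Binaries expected to host a PowerShell engine (assumption: tune per estate).
KNOWN_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
SMA_DLL = "system.management.automation.dll"

FIELD_RE = re.compile(r"^\s*(HostName|HostApplication|EngineVersion)=(.*)$", re.M)


@dataclass(frozen=True)
class Finding:
    record_id: int
    signal: str      # "ps400" or "sysmon7"
    process: str     # executable that hosted the engine / loaded the DLL
    detail: str


def exe_from_cmdline(cmdline: str) -> str:
    """Lower-cased file name of the executable in a command line.
    A quoted path is handled; an unquoted path with spaces is cut at the first
    space, which still keeps it out of KNOWN_HOSTS."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        exe = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        exe = cmdline.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_engine_fields(message: str) -> dict:
    return {k: v.strip() for k, v in FIELD_RE.findall(message)}


def hunt(events) -> list:
    """Return findings for engines hosted by, or the automation DLL loaded into, unknown hosts."""
    findings = []
    for ev in events:
        if ev["source"] == "PowerShell" and ev["event_id"] == 400:
            fields = parse_engine_fields(ev["message"])
            host_app = fields.get("HostApplication", "")
            if exe_from_cmdline(host_app) not in KNOWN_HOSTS:
                findings.append(Finding(ev["record_id"], "ps400", host_app,
                                        f"HostName={fields.get('HostName', '')}"))
        elif ev["source"] == "Sysmon" and ev["event_id"] == 7:
            loaded = ev["image_loaded"].rsplit("\\", 1)[-1].lower()
            if loaded == SMA_DLL and exe_from_cmdline(ev["image"]) not in KNOWN_HOSTS:
                findings.append(Finding(ev["record_id"], "sysmon7", ev["image"],
                                        f"ImageLoaded={ev['image_loaded']}"))
    return findings


def _ps400(host_name: str, host_app: str) -> str:
    # Shape of an Event ID 400 message body, reduced to the fields parsed above.
    return ("Engine state is changed from None to Available.\n\nDetails:\n"
            "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
            f"\tHostName={host_name}\n\tHostVersion=5.1.19041.1320\n"
            f"\tHostApplication={host_app}\n\tEngineVersion=5.1.19041.1320\n")


SMA_PATH = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
            r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")

# Constructed sample telemetry (not real data from the campaign).
SAMPLE_EVENTS = [
    {"source": "PowerShell", "event_id": 400, "record_id": 101,
     "message": _ps400("ConsoleHost",
                       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile")},
    {"source": "PowerShell", "event_id": 403, "record_id": 102,
     "message": "Engine state is changed from Available to Stopped."},
    {"source": "PowerShell", "event_id": 400, "record_id": 103,
     "message": _ps400("Default Host", r"C:\Users\Public\Libraries\updater.exe")},
    {"source": "Sysmon", "event_id": 7, "record_id": 201,
     "image": r"C:\Users\Public\Libraries\updater.exe", "image_loaded": SMA_PATH},
    {"source": "Sysmon", "event_id": 7, "record_id": 202,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image_loaded": SMA_PATH},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.signal}] record {f.record_id}: {f.process} ({f.detail})")
```

Run against the constructed events, only records 103 and 201 are flagged: the same non-PowerShell binary both starts an engine and loads the automation assembly, while the genuine powershell.exe records pass. Because the implant never spawns powershell.exe, process-creation rules keyed on that image name see nothing; the engine-start and image-load events are the signals that survive.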

The group, first identified in 2017, has run numerous campaigns in recent years, including ones in which the attackers posed as journalists or academics to trick targets into downloading malware and handing over confidential material.

Last month, Check Point Research disclosed details of an espionage operation in which the group abused the Log4Shell vulnerabilities to install a modular backdoor dubbed CharmPower for follow-on attacks.

Cybereason found that the latest additions to the group's arsenal form an entirely new toolset centred on the PowerLess Backdoor, which can download and run further modules such as a browser information stealer and a keylogger. A number of other artifacts are potentially linked to the same developer, including an audio recorder, an earlier variant of the information stealer, and what the researchers suspect is an unfinished ransomware variant written in .NET.

Cybereason also observed infrastructure overlaps between Phosphorus and a new ransomware strain named Memento, which first emerged in November 2021. Memento took the unusual step of locking files inside password-protected archives, then encrypting the password and deleting the originals, after its attempts to encrypt the data directly were blocked by endpoint protection.

"The activity of Phosphorus with regard to ProxyShell took place in about the same time frame as Memento. Iranian threat actors were also reported to be turning to ransomware during that period, which strengthens the hypothesis that Memento is operated by an Iranian threat actor," Frank added.

SolarMarker Malware Utilizes Cutting-Edge Techniques


The operators of the SolarMarker information stealer and backdoor have been observed using devious Windows Registry tricks to maintain long-term persistence on infected systems, a sign that the actors are continually shifting tactics and refining their defence evasion.

The .NET-based malware, which offers both data harvesting and backdoor capabilities, has been linked to at least three successive attack waves in 2021. The first, disclosed in April, used search engine poisoning to lure business professionals to malicious Google-indexed pages that downloaded SolarMarker onto their PCs. In August the malware was found stealing credentials and sensitive information from the healthcare and education sectors.

Subsequent infection chains, documented by Morphisec in September 2021, used MSI installers to deliver the malware. The attack begins with users being redirected to decoy sites that drop MSI installer payloads which, while installing ostensibly legitimate software such as Adobe Acrobat Pro DC, Nitro Pro or Wondershare PDFelement, actually launch a PowerShell script.

According to cybersecurity firm Sophos, which spotted the new behaviour, the remote access implants are still present on targeted networks even though the campaign ended in November 2021. "Such SEO efforts, which blended Google Groups discussions with deceptive web pages and PDF documents hosted on infected sites, were beneficial: the SolarMarker lures were ordinarily at or near the top of the search results for phrases the SolarMarker actors targeted," said Sophos researchers Gabor Szappanos and Sean Gallagher.

To achieve persistence, the PowerShell installer modifies Registry entries and drops a .LNK file into the Windows Startup folder. This tampering causes the malware to be loaded from an encrypted payload hidden behind a "smokescreen" of 100 to 300 junk files created specifically for this purpose.

"Usually, one might assume this associated file to be an executable or script file," the researchers explained. "However, the linked file for these SolarMarker operations is one of the random junk files, and therefore cannot be executed by itself."

Instead, the junk file's unique, random extension is used to create a custom file type key in the Registry, and that key's open command launches the malware at startup by executing a PowerShell command stored in the Registry. The backdoor itself is constantly being extended with features to harvest information from web browsers, facilitate cryptocurrency theft, and run arbitrary commands and executables, with the results sent to a remote server.

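To make the persistence chain concrete, here is an added Python example written for this page (it is not Sophos' analysis code and not SolarMarker's). It walks the association path the paragraphs above describe over a constructed snapshot: a Startup-folder shortcut, a target file with an unusual extension, then HKCU\Software\Classes\.<ext> to its ProgId to shell\open\command, and flags chains whose handler is a script host. The shortcut names, the .k7qzw extension, the ProgId, the directory names and the PowerShell command are all invented for the example.

```python
"""Resolve Startup shortcut -> odd extension -> user file-type key -> open command.

A shortcut to a non-executable file is launched through the file association
for its extension. A per-user key under HKCU\\Software\\Classes\\.<ext> can
therefore turn a junk file into a PowerShell launcher. This code runs over a
constructed snapshot of the Startup folder and the Classes hive.
"""
import shlex
from dataclasses import dataclass

# Extensions a Startup shortcut normally points at directly; anything else is
# opened via its file association and gets resolved below.
DIRECT_TARGETS = {".exe", ".bat", ".cmd", ".com", ".msc", ".url"}
# Interpreters that are a red flag as the handler of an unfamiliar extension
# (assumption: extend to taste).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class Chain:
    shortcut: str
    target: str
    extension: str
    progid: str
    command: str


def ext_of(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def handler_exe(command: str) -> str:
    """File name of the program a shell\\open\\command runs (quoted path tolerated)."""
    if not command:
        return ""
    first = shlex.split(command, posix=False)[0].strip('"')
    return first.rsplit("\\", 1)[-1].lower()


def resolve_open_command(extension: str, classes: dict):
    """Follow .ext -> ProgId -> ProgId\\shell\\open\\command in a Classes snapshot.
    Registry key names are case-insensitive, so compare lower-cased."""
    lowered = {k.lower(): v for k, v in classes.items()}
    progid = lowered.get(extension.lower(), {}).get("", "")
    if not progid:
        return "", ""
    command = lowered.get(f"{progid.lower()}\\shell\\open\\command", {}).get("", "")
    return progid, command


def suspicious_startup_chains(startup_links: dict, classes: dict) -> list:
    findings = []
    for shortcut, target in startup_links.items():
        ext = ext_of(target)
        if ext in DIRECT_TARGETS:
            continue  # runs directly; no association to hijack
        progid, command = resolve_open_command(ext, classes)
        if handler_exe(command) in SCRIPT_HOSTS:
            findings.append(Chain(shortcut, target, ext, progid, command))
    return findings


# Constructed snapshot of the Startup folder: shortcut name -> resolved target.
STARTUP_LINKS = {
    "OneDrive.lnk": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "notes.lnk": r"C:\Users\alice\Documents\todo.txt",
    "3f9a1c.lnk": r"C:\Users\alice\AppData\Roaming\kQ7pXz2\a91b.k7qzw",
}

# Constructed snapshot of HKCU\Software\Classes: subkey -> {value name: data};
# "" is the (Default) value. The .k7qzw entries model the hijack.
USER_CLASSES = {
    r".txt": {"": "txtfile"},
    r"txtfile\shell\open\command": {"": r"%SystemRoot%\system32\NOTEPAD.EXE %1"},
    r".k7qzw": {"": "k7qzwfile"},
    r"k7qzwfile\shell\open\command": {
        "": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden '
            r'-Command "Get-Content C:\Users\alice\AppData\Roaming\kQ7pXz2\stage.txt | iex"'},
}

if __name__ == "__main__":
    for c in suspicious_startup_chains(STARTUP_LINKS, USER_CLASSES):
        print(f"{c.shortcut} -> {c.target}\n  {c.extension} -> {c.progid} -> {c.command}")
```

On the constructed data only 3f9a1c.lnk is reported: the shortcut to the .txt resolves to Notepad and the .exe shortcut needs no association. The point for defenders is that neither the .LNK nor the junk file is executable on its own, so a review of Startup items that stops at the shortcut target misses the launcher; the open command under the extension's ProgId is what has to be inspected.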

Magniber Ransomware Group Shifts to Exploiting Internet Explorer Flaws


The Magniber ransomware group is now infecting users and encrypting their devices through two Internet Explorer vulnerabilities delivered by malicious advertising. The two flaws, CVE-2021-26411 and CVE-2021-40444, both carry a CVSS v3 severity score of 8.8.

The first, CVE-2021-26411, is a memory corruption bug that can be triggered by visiting a specially crafted website; Microsoft patched it in March 2021. The second, CVE-2021-40444, is a remote code execution flaw in MSHTML, Internet Explorer's rendering engine, patched in September 2021.

In August, Magniber was caught breaching Windows servers using the 'PrintNightmare' vulnerabilities, which took Microsoft considerable time to fix because of their impact on printing. According to the Tencent security researchers who discovered the new payloads, the latest Magniber activity targets Internet Explorer vulnerabilities through malvertising that delivers exploit kits.

One probable reason for the shift is that Microsoft has largely fixed the PrintNightmare vulnerabilities over the past four months, and the wide coverage of the flaws pushed administrators to apply the updates. Another is that the Internet Explorer vulnerabilities are remarkably easy to exploit, requiring nothing more than the victim opening a file or web page.

Targeting an old, unpopular browser like Internet Explorer may seem odd. However, according to StatCounter, IE still accounts for 1.15 per cent of worldwide page views. That is a small share, but StatCounter tracks roughly 10 billion page views a month, so it equates to about 115 million page views by Internet Explorer users.

Moreover, because Firefox and Chromium-based browsers such as Google Chrome and Microsoft Edge auto-update, quickly protecting users from known vulnerabilities, they are much harder to target.

About the Magniber group 

The Magniber group is notorious for exploiting security flaws to gain access to computers and deploy ransomware. It began operating in 2017 and is considered the successor of the Cerber ransomware.

Initially, the gang primarily targeted victims in South Korea, then expanded to other Asian countries such as China, Singapore and Malaysia. Magniber's reach has since grown to the point where it no longer affects exclusively Asian businesses and organizations.

Magniber has been under active development since its release, and its payload has been completely rebuilt three times. Because its encryption has not been cracked, there is no decryptor available to help victims recover files encrypted by this strain.

Lastly, because Magniber does not follow the trend of data theft and double extortion, its attacks are limited to file encryption.

LockFile Ransomware Circumvents Protection Using Intermittent File Encryption


A new ransomware family known as LockFile has been hitting organizations around the world since July. It arrived with its own technique for getting past ransomware protection: a novel approach known as "intermittent encryption".

The LockFile operators have been found exploiting recently disclosed vulnerabilities such as ProxyShell and PetitPotam to compromise Windows servers and deploy file-encrypting malware that scrambles only every other 16 bytes of a file, which lets it slip past ransomware defences.

Mark Loman, Sophos director of engineering, said in a statement, "Partial encryption is generally used by ransomware operators to speed up the encryption process, and we've seen it implemented by BlackMatter, DarkSide, and LockBit 2.0 ransomware."

"What sets LockFile apart is that, unlike the others, it doesn't encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document." 

"This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption," Loman added. 
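To show why the statistics Loman mentions stop working, here is an added Python example written for this page (it is not LockFile's code and not Sophos' tooling). It implements the every-other-16-bytes pattern next to ordinary full-file encryption, then runs both outputs through the kind of entropy check a ransomware-protection engine might apply. A deterministic SHA-256 counter keystream stands in for AES so the code runs with the standard library alone; the cipher is not the point, the byte statistics are. The sample document, key and detection threshold are constructed for the example.

```python
"""Intermittent (every other 16 bytes) versus full encryption under an entropy check.

The keystream is a SHA-256 counter construction used as a stand-in for AES so
the example has no dependencies; it is illustrative, not a recommended cipher.
The sample document is constructed for this example.
"""
import hashlib
import math
from collections import Counter

BLOCK = 16


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || counter), truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_full(data: bytes, key: bytes) -> bytes:
    """Conventional ransomware behaviour: every byte is transformed."""
    ks = keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_intermittent(data: bytes, key: bytes, block: int = BLOCK) -> bytes:
    """LockFile pattern: blocks 0, 2, 4, ... encrypted, blocks 1, 3, 5, ... left as is.
    XOR is its own inverse, so the same call decrypts."""
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), 2 * block):
        for i in range(start, min(start + block, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the maximum, English text sits around 4 to 5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def looks_encrypted(data: bytes, entropy_threshold: float = 7.5) -> bool:
    """Naive detector of the kind the analysis above says LockFile evades."""
    return shannon_entropy(data) >= entropy_threshold


# Constructed sample document, repeated so the statistics are stable (5760 bytes).
PARAGRAPH = (b"Quarterly report: revenue grew in every region, and the board approved "
             b"the proposed budget for the coming fiscal year after a short discussion.\n")
SAMPLE_DOC = PARAGRAPH * 40
KEY = b"example-key-not-secret"


def compare(data: bytes = SAMPLE_DOC, key: bytes = KEY) -> dict:
    """Entropy, printable ratio and detector verdict for plain, full and intermittent."""
    full = encrypt_full(data, key)
    partial = encrypt_intermittent(data, key)
    return {
        "plain": (shannon_entropy(data), printable_ratio(data), looks_encrypted(data)),
        "full": (shannon_entropy(full), printable_ratio(full), looks_encrypted(full)),
        "intermittent": (shannon_entropy(partial), printable_ratio(partial),
                         looks_encrypted(partial)),
    }


if __name__ == "__main__":
    for name, (h, p, flagged) in compare().items():
        print(f"{name:13s} entropy={h:.2f} bits/byte printable={p:.0%} flagged={flagged}")
```

Fully encrypted output sits near 8 bits per byte and trips the threshold; the intermittently encrypted copy keeps half its bytes as plaintext, so its entropy stays well below that and more than half of it is still printable, exactly the "statistically like the original" effect described above. A detector that only scores whole-file entropy therefore needs a second signal, such as entropy measured per 16-byte block, a count of modified files per second, or the WMI service kills noted below.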

Sophos' analysis of LockFile is based on a sample uploaded to VirusTotal on August 22, 2021. Once launched, the ransomware uses Windows Management Instrumentation (WMI) to terminate critical services associated with virtualization software and databases before encrypting files and displaying a ransom note that closely resembles LockBit 2.0's.

The ransom note asks the victim to contact "contact@contipauper.com", an address Sophos believes is a reference to the rival Conti ransomware gang.
Furthermore, after encrypting all of the documents on the machine, the ransomware deletes itself from the system, meaning "there is no ransomware binary for incident responders or antivirus software to find or clean up."

Loman warned that the takeaway for defenders is that the cyberthreat landscape never sits still, and adversaries will rapidly grasp any chance or weapon available to conduct a successful attack. 

The disclosure comes as the U.S. FBI published a Flash alert outlining the tactics of a new ransomware-as-a-service (RaaS) group known as Hive, whose many affiliates use a variety of methods to compromise business networks, exfiltrate and encrypt data, and extort a ransom in exchange for the decryption keys.