
Showing posts with label Malicious Campaign.

Harley Trojan Affecting the Users by Impersonating the Applications


There are numerous malware-laden apps hidden in the Google Play Store that seem harmless but are actually malicious programs. Google Play Store is an official platform whose submissions are monitored by moderators; however, some apps evade the moderators' checks, since it is not possible to vet every app before it goes live on the platform.

One such popular malware, of the type called Trojan subscribers, has been discovered by Kaspersky. It affects users by signing them up for paid services without their knowledge. The malware exhibits similarities with the Jocker Trojan subscriber, so experts presume that the two have a common origin.

A trojan is a malicious code or software that gets downloaded onto a system, disguised as an authorized application. 

In the past 3 years, over 190 apps on the Google Play Store have been found infected with the Harly Trojan, and the number of downloads of such apps is more than 4.8 million.

To spread the malware to more devices, the threat actors download the original applications, insert their malicious code into them, and later re-upload them to the Google Play Store under a different name.

The attackers play smart by keeping the same features in the app as listed in the description, so that users do not suspect a threat. Impersonating legitimate apps also serves as free advertising.

The Trojan malware belonging to the Harley family includes a payload inside the application and uses numerous methods to decrypt and execute the payload. 

After decryption, Harly gathers information about the user's device, including the mobile network. Over the mobile network connection, the malware opens a list of subscription addresses obtained from a C&C server, automatically enters the user's mobile number, and completes the remaining steps of the sign-up, including entering the OTP from text messages. As a result, the user ends up with a paid subscription to a service without their knowledge or consent.

To avoid being a victim of such apps, anti-virus experts suggest looking for reviews of the applications before downloading them. Google has been notified about such apps and asked to remove all the Trojan-infected apps from the platform and devices that are infected with them. 

ChromeLoader: Microsoft, VMware Warns of the New Malware Campaigns


Microsoft and VMware are warning about the ongoing widespread ChromeLoader malware campaign, which has led to “ongoing wide-ranging click fraud” this year.

The malware tool named ChromeLoader hijacks browsers to redirect users to ad pages. The software has now evolved into a more serious threat by deploying more potent payloads that go beyond malvertising. Variants of ChromeLoader have been dropping malicious browser extensions, node-WebKit malware, and even ransomware on Windows PCs and Macs.

Functioning of ChromeLoader 

Microsoft detected an ongoing widespread click-fraud campaign and attributed it to the threat actor DEV-0796. The attack begins with an ISO file that is downloaded when the user clicks a malicious ad, a browser redirect, or a YouTube comment. The attackers seek to profit from clicks generated by malicious browser extensions or node-WebKit applications that they have installed on the victim’s device, without being detected.

Researchers from VMware’s Carbon Black Managed Detection and Response (MDR) team said they have seen the malware’s operators impersonating various legitimate services to lead users to ChromeLoader. The researchers observed hundreds of attacks involving variants of the malware, targeting multiple sectors such as education, government, healthcare, and enterprises in business services.

“This campaign has gone through many changes over the past few months, and we don’t expect it to stop [...] It is imperative that these industries take note of the prevalence of this threat and prepare to respond to it,” warn the researchers.

Rapid Evolution Of Malware

Earlier, the malware infected Chrome with a malicious extension that redirected user traffic to advertising sites, performing click fraud and generating income for the threat actors. “But, it later evolved into an ‘info-stealer’, stealing sensitive data stored in browsers and deploying zip bombs (i.e. malicious archive files) to crash systems, while still retaining its adware function,” said the researchers in an advisory released on September 19.

Since adware does not cause any significant damage to a victim’s software, the threat is often not taken seriously by analysts. However, any software that can enter a system undetected, such as ChromeLoader, is an immediate threat to a user, since its operators can push further modifications that open up more monetization options for the malware.

“The Carbon Black MDR team believes that this is an emerging threat that needs to be tracked and taken seriously [...] due to its potential for delivering more nefarious malware,” VMware said in the advisory. 

Reverse Tunnels and URL Shorteners Employed by Attackers to Launch Phishing Campaign


Security researchers at CloudSEK, a digital risk protection firm, have observed a significant surge in the use of reverse tunnel services and URL shorteners in conjunction with wide-scale phishing campaigns.

The methodology employed by attackers is different from the more typical modus operandi of registering domains with hosting providers, who are more likely to react to complaints and shut down the malicious sites. 

Reverse tunnel services let threat actors host phishing pages locally on their own devices and route connections through the external service. Additionally, they can generate new URLs through URL shortening services as many times as required to bypass security detection. Many of the phishing URLs are updated in less than 24 hours, making it more difficult for researchers to spot and take down malicious domains.

As reported by BleepingComputer, researchers have identified more than 500 sites hosted and distributed using a combination of reverse tunneling and URL shortening. Ngrok, LocalhostRun, and Argo were the most commonly abused reverse tunnel services, while,, and were the most prevalent URL shorteners. 

According to CloudSEK, cybercriminals may hide their identity by using URL shorteners to mask the name of the URL, which is typically a series of random characters. The malicious links are distributed via Telegram, WhatsApp, phony social media pages, texts, and emails. 

It is worth noting that the cybersecurity landscape is not unfamiliar with the abuse of reverse tunneling. For example, the digital banking platform of the State Bank of India had previously been impersonated in such phishing campaigns to exfiltrate users’ credentials.

The malicious link was concealed behind “cutt[.]ly/UdbpGhs” and directed to the domain “ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi” that employed Cloudflare’s Argo tunneling service. Subsequently, the malicious page requested bank account credentials, PAN card numbers, Aadhaar unique identification numbers, and mobile phone numbers. However, CloudSEK did not share how damaging this campaign was for bank users. 

Private details collected this way can be sold on the dark web or used by hackers to drain bank accounts. If the data is from a firm, the attackers could use it to launch ransomware attacks or business email compromise (BEC) scams. To mitigate the risks, users should avoid clicking on links received from an unfamiliar source.

Researchers Warn of Fake Windows 11 Upgrade Containing Info Stealing Malware


Cybercriminals are tricking users into installing a fake Windows 11 upgrade that includes malware that steals data from web browsers and crypto-wallets. The malicious campaign, which is still running, operates by poisoning search results to drive traffic to a website impersonating Microsoft’s Windows 11 advertising page, where the information stealer is offered for download.

According to CloudSEK threat researchers who analyzed the malware and published a technical report, malicious actors are focusing on people who rush to install Windows 11 without first learning that the OS must satisfy specific requirements. 

The rogue website advertising the false Windows 11 has official Microsoft logos, favicons, and a “Download Now” button. It looks legitimate at first glance, but the URL reveals the site as fraudulent. If visitors access the malicious website directly (download is not possible via TOR or VPN), they will receive an ISO file containing the executable for new information-stealing malware. 

The CloudSEK researchers named the new malware 'Inno Stealer' as it uses the Inno Setup Windows Installer. The researchers said that Inno Stealer has no code in common with other presently circulating info-stealers. Once active, the malware plants a pair of files that disable various Windows security measures, including those in the registry. They also wipe out software from anti-virus companies Emsisoft and ESET. 

Inno Stealer’s capabilities are typical for this kind of malware, including the ability to collect web browser cookies and passwords, data from cryptocurrency wallets, and data from the disk. The set of targeted browsers and crypto wallets is extensive, including Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo. 

The malware can also fetch extra payloads, an action only performed at night, potentially to take advantage of the victim’s absence from the computer. These additional Delphi payloads, which are TXT files, use the same Inno-based loader that tampers with the host’s security tools and employ an identical persistence methodology. They also have the ability to grab clipboard data and exfiltrate directory enumeration data.

To mitigate the risks, researchers recommended avoiding downloading ISO files from obscure sources and instead undertaking significant OS updates using the Windows 10 control panel or obtaining the installation files directly from the source. If you can’t upgrade to Windows 11, there’s no point in attempting to bypass the limitations manually since this will come with a slew of drawbacks and severe security risks.

Scammers are Using Novel Technique to Target iPhone and Android Users


Cybersecurity researchers have unearthed a new methodology employed by fraudsters to target iPhone and Android users: tricking them into installing malware via dubious apps and then using it to steal thousands of dollars.

According to researchers at cybersecurity firm Sophos, a scam campaign dubbed CryptoRom typically begins with a social-engineering attack, in which a scammer befriends a victim through dating apps like Tinder, Bumble, or Facebook Dating.

The scammer then moves their conversation to messaging apps such as WhatsApp and asks the victim to install a cryptocurrency trading application that's designed to mimic popular brands and lock people out of their accounts and freeze their funds. In some cases, victims are forced to pay a “tax” to withdraw their money, which they learn by chatting with an in-app customer service representative who is part of the malicious campaign. 

"This style of cyber-fraud, known as sha zhu pan — literally 'pig butchering plate' — is a well-organized, syndicated scam operation that uses a combination of often romance-centered social engineering and fraudulent financial applications and websites to ensnare victims and steal their savings after gaining their confidence," stated Sophos analyst Jagadeesh Chandraiah. 

The malicious campaign abuses iOS TestFlight and Apple WebClips to deploy fake mobile apps and websites onto victims’ phones without being subject to the rigorous App Store approval process. The campaign was initially used in Asia but has hit U.S. and European victims since October 2021.

TestFlight is used for testing the beta version of apps before they head to the App Store. It is used for small internal tests, sent out to 100 users by email, and public beta tests distributed to up to 10,000 users. But the scammers exploit the TestFlight feature, which provides a way for users to download bogus apps outside of the App Store, researchers explained. 

Sophos researchers said some victims installed malicious versions of the legitimate BTCBOX Japanese crypto exchange app that were made available through the TestFlight feature. 

The fraudsters also employed iOS WebClips to trick iPhone users, as they were sent malicious URLs via the service. WebClips offers fast access to favorite webpages or links, as Apple highlights, with researchers stating that it can be employed to design fake apps to appear more authentic.

277,000 Routers Vulnerable to 'Eternal Silence' Assaults via UPnP


'Eternal Silence,' a malicious campaign, is exploiting Universal Plug and Play (UPnP), which switches the router into a proxy server used to execute nefarious assaults while obscuring the threat actors' location. 

UPnP is a connection protocol that enables additional devices on a network to establish port forwarding rules on a router automatically and is optionally available in most modern routers. This allows remote devices to use a certain software function or device as needed, with minimal user configuration. 

However, it is another technology that compromises security for convenience, particularly when the UPnP implementation is subject to attacks that enable remote attackers to add UPnP port-forwarding entries over a device's exposed WAN connection. 

Akamai researchers discovered attackers exploiting this flaw to build proxies that conceal their harmful operations and termed the attack UPnProxy. 

277,000 of the 3,500,000 UPnP routers detected online are vulnerable to UPnProxy, with 45,113 already infected by hackers. 

Analysts at Akamai believe the perpetrators are attempting to exploit EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) on unpatched Windows and Linux systems, respectively. 

Exploiting these holes can result in a variety of issues, such as resource-intensive cryptominer infections, destructive worm-like attacks that quickly spread across entire corporate networks, or gaining initial access to corporate networks. 

The hackers' new rulesets include the phrase 'galleta silenciosa,' which means 'silent cookie'. 

The injections try to expose TCP ports 139 and 445 on devices connected to the targeted router, which totals around 1,700,000 machines that use SMB services. 

Although Akamai is unaware of the campaign's success rate, it did notice a methodical approach to the scans, focusing on devices that use static ports and routes for their UPnP daemons to inject port forwards.  


"Because there is a decent possibility that (vulnerable) machines unaffected by the first round of EternalBlue and EternalRed attacks were safe only because they weren't exposed directly to the internet. They were in a relatively safe harbor living behind the NAT," explains Akamai's report.

"The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits." 

'Eternal Silence' is a clever attack since it makes the practice of network segmentation ineffective and provides no sign of what is happening to the victim. 

Scanning all endpoints and auditing the NAT table entries is the best technique to see if the devices have been captured. There are a variety of ways to achieve this, but Akamai has made it simple by providing a bash script that can be used to test a potentially vulnerable URL. 
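The NAT-table audit described above, as an added example that is not Akamai's script: it parses UPnP IGD GetGenericPortMappingEntry replies and flags entries that forward to SMB ports 139/445, carry the 'galleta silenciosa' marker, or point at an internal client outside the LAN subnet (the router being used as a proxy). The `sample_reply` helper and the three sample entries are constructed so the code runs offline; a real audit would POST the same request for index 0, 1, 2, ... to the router's WANIPConnection control URL.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Ports that Eternal Silence injections expose on LAN hosts (SMB).
SMB_PORTS = {139, 445}
# Description string carried by the campaign's rulesets ("silent cookie").
MARKER = "galleta silenciosa"


def sample_reply(**fields):
    """Constructed helper: build a GetGenericPortMappingEntry SOAP reply offline."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f"{body}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")


def parse_port_mapping(xml_text):
    """Return the New* fields of one GetGenericPortMappingEntry reply as a dict."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.endswith("GetGenericPortMappingEntryResponse"):
            return {child.tag: (child.text or "").strip() for child in el}
    raise ValueError("reply carries no GetGenericPortMappingEntryResponse")


def audit_mapping(entry, lan_cidr):
    """Return the reasons a single NAT entry looks injected (empty list if clean)."""
    lan = ipaddress.ip_network(lan_cidr)
    reasons = []
    try:
        client = ipaddress.ip_address(entry.get("NewInternalClient", ""))
    except ValueError:
        return [f"unparseable internal client {entry.get('NewInternalClient')!r}"]
    if client not in lan:
        reasons.append(f"internal client {client} is outside {lan} (router acting as proxy)")
    internal_port = int(entry.get("NewInternalPort", "0") or 0)
    if internal_port in SMB_PORTS:
        reasons.append(f"forwards external port {entry.get('NewExternalPort')} "
                       f"to SMB port {internal_port}")
    if MARKER in entry.get("NewPortMappingDescription", "").lower():
        reasons.append(f"description contains the Eternal Silence marker {MARKER!r}")
    return reasons


def audit_all(entries, lan_cidr):
    """Return [(index, entry, reasons)] for every entry with at least one finding."""
    findings = []
    for i, entry in enumerate(entries):
        reasons = audit_mapping(entry, lan_cidr)
        if reasons:
            findings.append((i, entry, reasons))
    return findings


# Constructed sample NAT table: a legitimate forward, an Eternal Silence style
# injection exposing SMB, and an entry that turns the router into an open proxy.
SAMPLE_REPLIES = [
    sample_reply(NewRemoteHost="", NewExternalPort=8080, NewProtocol="TCP",
                 NewInternalPort=80, NewInternalClient="192.168.1.20", NewEnabled=1,
                 NewPortMappingDescription="home web server", NewLeaseDuration=0),
    sample_reply(NewRemoteHost="", NewExternalPort=47525, NewProtocol="TCP",
                 NewInternalPort=445, NewInternalClient="192.168.1.35", NewEnabled=1,
                 NewPortMappingDescription="galleta silenciosa", NewLeaseDuration=0),
    sample_reply(NewRemoteHost="", NewExternalPort=40001, NewProtocol="TCP",
                 NewInternalPort=443, NewInternalClient="203.0.113.9", NewEnabled=1,
                 NewPortMappingDescription="", NewLeaseDuration=0),
]


def run_sample(lan_cidr="192.168.1.0/24"):
    """Parse and audit the constructed sample table; returns the flagged entries."""
    entries = [parse_port_mapping(reply) for reply in SAMPLE_REPLIES]
    return audit_all(entries, lan_cidr)


if __name__ == "__main__":
    for index, entry, reasons in run_sample():
        print(f"entry {index}: ext {entry['NewExternalPort']} -> "
              f"{entry['NewInternalClient']}:{entry['NewInternalPort']}")
        for reason in reasons:
            print("   -", reason)
```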

Disabling UPnP won't erase existing NAT injections if someone found a device infected with Eternal Silence. Users will have to reset or flash the device instead. 

Applying the most recent firmware update should also be a priority, since the device vendor may have resolved any UPnP implementation problems via the system update.

Autom Cryptomining Malware Employs Upgraded Evasion Techniques


The malicious Autom crypto mining campaign has upgraded its weapons while adding new defense evasion methods that allow attackers to fly under the radar of anti-virus scanning tools. 

According to researchers at DevSecOps and cloud security firm AquaSecurity, the malicious campaign was first identified in 2019, and since then a total of 84 attacks against researchers’ honeypot servers have been reported, four of these occurring in 2021.

Early attacks in this campaign involved executing a malicious command once a user ran a vanilla image with the name "alpine:latest". That action resulted in a shell script named "" being downloaded onto the device.

"Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use," the researchers explained in a blog post. "Over the years, the malicious command that was added to the official image to carry out the attack has barely changed. The main difference is the server from which the shell script was downloaded."

The shell script initiates the attack sequence, allowing the attackers to create a new user account named "akay". The account’s privileges are then elevated to root, enabling the malicious actors to run arbitrary commands on the compromised machine and, eventually, abuse the available resources to mine cryptocurrency. In the early stages of the 2019 campaign there were no special methods to hide the mining activity, but the later versions show the extreme measures its developers have taken to keep it hidden from scanning tools.

The malicious campaigns carried out to hijack computers to mine cryptocurrencies have been dominated by several threat actors such as Kinsing, which has been spotted scanning the internet for misconfigured Docker servers to invade the unguarded hosts and install a previously undocumented coin miner strain. 

"Miners are a low-risk way for cybercriminals to turn a vulnerability into digital cash, with the greatest risk to their cash flow being competing miners discovering the same vulnerable servers," Sophos senior threat researcher Sean Gallagher explained in an analysis of a Tor2Mine mining campaign, which involves the use of a PowerShell script to disable malware protection, execute a miner payload, and harvest Windows credentials.

Threat Actors use MSBuild to Execute Cobalt Strike Beacons


Malicious campaigns have recently been spotted abusing the Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on vulnerable machines. MSBuild, which was designed for building Windows applications, uses a project file element called 'Tasks' to designate components that are executed during project building, and threat actors are misusing these Tasks to launch malicious code disguised as MSBuild activity. Renato Marinho, a Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler, reports that two different malicious campaigns using MSBuild for code execution were discovered in the last week.

MSBuild is a build tool that helps automate the software development process, including source code compilation, packaging, testing, deployment, and documentation creation. Visual Studio projects and solutions can be built with MSBuild even if the Visual Studio IDE is not installed. MSBuild is free and open-source software. It was previously included with the .NET Framework; starting with Visual Studio 2013, it is included with Visual Studio. MSBuild is a functional replacement for the nmake utility, which is still used in projects created with earlier Visual Studio editions.

MSBuild operates on MSBuild project files, which have an XML syntax comparable to Apache Ant or NAnt. Despite the fact that the syntax is based on a well-defined XML schema, the fundamental structure and operation are comparable to the traditional Unix make utility: the user specifies what will be used (typically source code files) and what the result should be (typically a static library, DLL, or executable application), but the utility decides what to do and in which order to carry out the build. 

Threat actors often obtain access to the target environment through the use of a genuine remote desktop protocol (RDP) account, then employ remote Windows Services (SCM) for lateral movement and MSBuild to execute the Cobalt Strike Beacon payload. The malicious MSBuild project was created to build and run certain C# code, which then decodes and executes Cobalt Strike. 
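The project-file mechanism described above, as an added example that is not the researchers' or Microsoft's code: a scanner that reads an MSBuild project and reports every UsingTask that embeds source code through a Task/Code body (the inline-task feature that compiles and runs C# at build time), together with the Targets that invoke it. Both sample projects are constructed, and the inline fragment in the first one only writes a log line.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace that ElementTree prefixes to MSBuild element names."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml):
    """Return one record per <UsingTask> that embeds source code via <Task><Code>."""
    root = ET.fromstring(project_xml)
    hits = []
    for el in root.iter():
        if _local(el.tag) != "UsingTask":
            continue
        code_elements = [code for task in el if _local(task.tag) == "Task"
                         for code in task if _local(code.tag) == "Code"]
        factory = el.get("TaskFactory", "")
        if not code_elements and "CodeTaskFactory" not in factory:
            continue  # ordinary UsingTask pointing at a compiled task assembly
        code = code_elements[0] if code_elements else None
        hits.append({
            "TaskName": el.get("TaskName", ""),
            "TaskFactory": factory,
            "Language": code.get("Language", "") if code is not None else "",
            "CodeType": code.get("Type", "") if code is not None else "",
            "CodeLength": len((code.text or "").strip()) if code is not None else 0,
        })
    return hits


def targets_invoking(project_xml, task_names):
    """Names of <Target>s whose body calls any of task_names, i.e. where the code runs."""
    root = ET.fromstring(project_xml)
    return [t.get("Name", "") for t in root.iter()
            if _local(t.tag) == "Target"
            and any(_local(child.tag) in task_names for child in t)]


def scan_project(project_xml):
    """Combine both checks into one report for a project file."""
    hits = find_inline_tasks(project_xml)
    names = {h["TaskName"] for h in hits}
    return {"inline_tasks": hits, "targets": targets_invoking(project_xml, names)}


# Constructed sample: a project whose only purpose is to compile and run an
# inline C# fragment at build time (the fragment itself just logs a message).
SAMPLE_PROJECT = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Run">
    <InlineWork />
  </Target>
  <UsingTask TaskName="InlineWork" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        Log.LogMessage("inline task executed during build");
      </Code>
    </Task>
  </UsingTask>
</Project>"""

# Constructed sample: an ordinary project that only compiles sources.
BENIGN_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Compile Include="Program.cs" />
  </ItemGroup>
  <Target Name="Build">
    <Csc Sources="@(Compile)" OutputAssembly="app.exe" />
  </Target>
</Project>"""


if __name__ == "__main__":
    for name, project in (("sample", SAMPLE_PROJECT), ("benign", BENIGN_PROJECT)):
        report = scan_project(project)
        print(name, "inline tasks:", [h["TaskName"] for h in report["inline_tasks"]],
              "invoked by targets:", report["targets"])
```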

Marinho further claims that after confirming that Beacon was used in the attack, he was able to decrypt the SSL-encrypted communication with the command and control (C&C) server. To avoid such attacks, the researcher recommends that enterprises use the Windows Defender Application Control (WDAC) policy to restrict Microsoft-signed applications that potentially allow the execution of other malware. MSBuild generates a list of these apps. 

“There is a note for MSBuild.exe, though, that if the system is used in a development context to build managed applications, the recommendation is to allow MSBuild.exe in the code integrity policies,” Marinho concluded.

Emotet Installs Cobalt Strike for Rapid Attacks


The notorious Emotet malware is now directly installing Cobalt Strike beacons for rapid cyberattacks, rather than dropping an intermediate payload first. 

Attackers use Cobalt Strike, a legitimate penetration testing tool, to spread laterally through a firm and deploy ransomware on its network. Earlier this month, the malware started testing the installation of Cobalt Strike beacons instead of its conventional payloads on compromised devices. The test was short, and soon afterwards the attackers returned to distributing their typical payloads.

According to researchers, the attackers using Emotet suspended their phishing and spamming campaigns and since then, they have been quiet. However, researchers believe the attackers are installing Cobalt Strike beacons on already compromised devices. They install the Cobalt Strike modules straight from their command-and-control (C2) server and then execute the modules on the infected devices.

Installing Cobalt Strike directly eliminates the time between initial infection and subsequent installation of the pen testing tool, giving victims less time to detect and mitigate the infection prior to the execution of ransomware. 

In a sample of the Cobalt Strike beacon provided to BleepingComputer, the malware communicates with the attacker’s command and control servers via a fake ‘jquery-3.3.1.min.js’ file. Each time the malware contacts the C2, it attempts to download the jQuery file, in which one variable has been changed to carry the new instructions.

As most of the file is valid jQuery source code, and only some content is changed, it blends into legitimate traffic and makes it easier to evade security software. The quick deployment of Cobalt Strike via Emotet is an important development that should be noted by all Windows and network administrators, as well as security specialists. 

In previous attacks, defenders had more time to spot the presence of Emotet, Trickbot, or QakBot and remediate before the ransomware infection took place. Now the timeline is compressed, and the chances of identifying and removing Emotet or the Cobalt Strike beacon before a ransomware infection are much lower.

“The old Emotet also used a multilayer communication protocol for all communication performed by the infected victim and the C2. However, the old protocol required the loader to also enumerate the victim’s process list, which was sent to the C2 during check-in. New Emotet strips out this process checking functionality from initial check-in and places it into a new module focused on process list checking,” researchers at Intel 471 stated.

Threat Actors are Using Malicious Microsoft Excel files to Steal Banking Credentials


Threat actors are spreading Excel XLL files that download and install the RedLine password and information-stealing malware via website contact forms and discussion forums. 

RedLine is a credential-theft malware that steals cookies, user names and passwords, and banking details stored in web browsers, as well as FTP credentials and files from a compromised device. 

The malware can also execute commands, download and run further malware, and take screenshots of the active Windows screen. The stolen data is sent back to the hackers to be sold on the dark web or used for other malicious activities.

XLL files are essentially dynamic-link libraries (DLLs) with the addition of an ‘xlAutoOpen’ function that Excel calls when the add-in is loaded. This add-in mechanism allows Excel to read and write data, import it from other sources, define custom functions, and perform multiple other tasks.

However, if the XLL is loaded manually via the regsvr32.exe command or via 'rundll32 name.xll, xlAutoOpen', it extracts the wget.exe program to the %UserProfile% folder and uses it to download the RedLine binary from a remote site.

Once the malware is installed by the victim, it will look out for valuable information to steal, including credentials and credit cards stored in the Chrome, Edge, Firefox, Brave, and Opera browsers. Therefore, if you receive an email or other message distributing these types of files, simply delete the message and report it as spam. 

As XLL files are executables, threat actors can use them to perform a variety of malicious behavior on a device. Users should be careful when receiving these files and should make sure they are getting the files from a trusted source before proceeding and opening them. 

According to security experts, XLL files are rarely sent as attachments but instead installed through another program or via your Windows admin. Thus, any such file that comes in the mail should be handled with extra precaution. Aside from being vigilant with attachments and links in emails, users should also make sure to keep their endpoints secure with strong and refreshed passwords, as well as that their system runs safeguards, such as antivirus solutions and firewalls.

Android Devices being Targeted by Flubot


The National Cyber Security Centre of Finland (NCSC-FI) has recently released a "severe alert" over a major campaign targeting the nation's Android users with Flubot banking malware delivered through text messages sent out by hacked devices. 

This is the second major Flubot operation to strike Finland this year; a previous wave of attacks SMS-spammed thousands of Finns each day from early June to mid-August 2021. The latest spam campaign, like the previous one, has a voicemail theme, encouraging recipients to click a link that will supposedly let them retrieve a voicemail message or a message from the mobile operator.

Rather than being taken to a voicemail, SMS recipients are led to malicious websites that push APK installers to install the Flubot banking malware on their Android devices.

“According to our current estimate, approximately 70,000 messages have been sent in the last 24 hours. If the current campaign is as aggressive as the one in the summer, we expect the number of messages to increase to hundreds of thousands in the coming days. There are already dozens of confirmed cases where devices have been infected," the Finnish National Cyber Security Centre said in the alert issued on Friday. 

"We managed to almost eliminate FluBot from Finland at the end of summer thanks to cooperation among the authorities and telecommunications operators. The currently active malware campaign is a new one because the previously implemented control measures are not effective," said NCSC-FI information security adviser Aino-Maria Väyrynen. 

Those who have been affected should do a factory reset on their Android device to remove the virus. When iOS users get FluBot messages and click on the associated link, they will be forwarded to fraud and phishing websites rather than being forced to install an app. 

FluBot, once installed on a device, may browse the contacts list, spam texts to other individuals, read messages, steal credit card information and passwords as they are typed into apps, install other apps, and engage in other nefarious activities. Android users who get Flubot spam messages or emails should avoid opening attached links or downloading files shared through the link to their cellphones. 

The virus family has also been discovered on other websites, where anybody can come into contact with the harmful code. Netcraft, a provider of internet services, announced on Monday that it had discovered nearly 10,000 websites that were disseminating FluBot malware.

Over 300,000 Devices Compromised by Four Android Banking Trojans


Researchers at cybersecurity firm ThreatFabric have unearthed four different Android banking trojans that were distributed via the Google Play Store between August and November 2021 and infected more than 300,000 devices through multiple dropper apps.

According to ThreatFabric analysts, the dropper apps were built to distribute the Android banking trojans Anatsa, Alien, ERMAC, and Hydra, and the malware campaign was designed in such a refined way that payloads were installed only on smartphones from specific regions, which prevented the malware from being downloaded during the publishing process.

Once installed, this banking malware can perform classic overlay assaults to siphon user passwords and SMS-based two-factor authentication codes, keystrokes, screenshots, and even drain users' bank accounts without their knowledge by using a weapon called Automatic Transfer System (ATSs). The apps have since been removed from the Play Store. 

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization,” reads the analysis published by the ThreatFabric researchers.

“VirusTotal does not showcase the evolution of detections of antivirus products over time, but almost all campaigns have or had a 0/62 FUD score on VirusTotal at some point in time, confirming the difficulty of detecting dropper apps with a minimal footprint.” 

The malicious dropper apps identified are:

• Two Factor Authenticator (com.flowdivison) 
• Protection Guard ( 
• QR CreatorScanner (com.ready.qrscanner.mix) 
• Master Scanner Live (com.multifuction.combine.qr) 
• QR Scanner 2021 (com.qr.code.generate) 
• QR Scanner (com.qr.barqr.scangen) 
• PDF Document Scanner – Scan to PDF (com.xaviermuches.docscannerpro2) 
• PDF Document Scanner Free ( 
• CryptoTracker ( 
• Gym and Fitness Trainer (com.gym.trainer.jeux)

Additionally, researchers uncovered multiple samples dropped by the Brunhilda hacking group, which was also responsible for spreading the Vultur Trojan in July 2021. In one case, the researchers observed Brunhilda masquerading as a QR code creator app used to drop Hydra and Ermac malware targeting users in the United States, a market previously not targeted by the two malware families.

“In the span of only 4 months, 4 large Android families were spread via Google Play, resulting in 300.000+ infections via multiple dropper apps. A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques,” researchers concluded.

Attackers use ProxyLogon and ProxyShell Flaws to Hijack Email Threads


As part of an ongoing spam campaign that uses stolen email chains to bypass security protection and implant malware on vulnerable systems, threat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft Exchange Servers. Trend Micro's discoveries are the result of an investigation into a series of Middle Eastern intrusions that resulted in the dissemination of a never-before-seen loader known as SQUIRRELWAFFLE. The attacks, which were first publicly disclosed by Cisco Talos in mid-September 2021, are thought to have started with laced Microsoft Office documents. 

"It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities," researchers Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar said in a report published last week. "To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits." 

According to Trend Micro, public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) were used on three of the Exchange servers that were compromised in separate intrusions, with the access being used to hijack legitimate email threads and send malicious spam messages as replies, increasing the likelihood that unsuspecting recipients will open the emails. 

Rogue email messages with a link that, when opened, drops a Microsoft Excel or Word file are part of the assault chain. When the recipient opens the document, the victim is prompted to allow macros, which leads to the download and execution of the SQUIRRELWAFFLE malware loader, which serves as a conduit for the final-stage payloads like Cobalt Strike and Qbot. 

Trend Micro's claim that SquirrelWaffle is operating as a malware dropper for Qbot or other malware was disputed by Cryptolaemus researcher TheAnalyst. Rather, according to TheAnalyst on Friday, the threat actor is delivering both SquirrelWaffle and Qbot as separate payloads, with the most recent confirmed SquirrelWaffle drop occurring on Oct. 26. 

According to TheAnalyst, the actor/activity is tracked as tr01/TR (its QakBot affiliate ID), as TA577 by Proofpoint, and as ChaserLdr by Cryptolaemus, and the activity dates back to at least 2020. The actors are simple to follow, according to TheAnalyst, with only minor adjustments to their tactics, techniques, and procedures (TTPs). One of tr01's favorite TTPs, TheAnalyst said, is including links to malicious documents in stolen reply chains. They stated the threat actor is notorious for delivering "a variety of malware," including QakBot, Gozi, IcedID, Cobalt Strike, and possibly more.

HSI San Antonio Issues a Public Warning on Spoofing Phone Calls


The Homeland Security Investigations (HSI) department of US Immigration and Customs Enforcement (ICE) in Texas has issued a warning about a new phone scam. Threat actors have been impersonating special agents at the San Antonio HSI to engage members of the public in the malicious campaign. The victims are informed that a problem with their passport has been discovered. The fake agent then threatens them with arrest unless they make a payment to the HSI. 

Officials with the San Antonio ICE said in a scam warning published November 4 that the scammers claim the passport is linked to a crime and scare the person they have called by threatening to dispatch police to their home to arrest them. The fraudsters have devised a method of convincing the victim that the call is coming from the HSI San Antonio main phone number, 210-979-4500. 

HSI is a directorate of ICE and the primary investigative arm of the United States Department of Homeland Security (DHS). It is responsible for investigating transnational crime and threats, particularly those perpetrated by criminal organizations that take advantage of the global infrastructure that facilitates international trade, travel, and finance. HSI's overseas presence is DHS's largest investigative law enforcement presence abroad and one of US law enforcement's largest foreign footprints.

“HSI special agents and local police do not call people on the phone to warn them they are about to be arrested,” said HSI officials. “Agents neither request financial information, such as bank account and credit card account information, nor demand money from someone to dismiss an investigation or remove an arrest warrant.”

"If you receive a threatening call or message from the number, do not give the person any personal or financial information, try to collect any contact information from the caller, end the conversation immediately if threats and intimidation persist, report the incident to the ICE tip line at 1 (866) 347-2423," added HSI officials. 

International students studying in the United States on student visas were informed in July by ICE officials in Virginia that their phone number was being faked to fool them into making fraudulent payments and disclosing sensitive personal information. Scammers behind the campaign demanded Bitcoin payments from international students, a currency that the federal government does not recognize.

GriftHorse Malware has Infected More than 10 Million Android Devices


A new malware named GriftHorse is said to have infected over 10 million Android cell phones. According to the research at mobile security firm Zimperium, the threat group has been executing the campaign since November 2020. The GriftHorse malware was propagated through both Google Play and third-party application stores, according to the research group, and it stole "hundreds of millions of Euros" from victims. 

GriftHorse will produce a significant number of notifications and popups when a user downloads any of the malicious programmes, luring consumers in with exceptional discounts or prizes. People who click these are taken to a web page where they must authenticate their phone number in order to gain access to the promotion. 

In actuality, GriftHorse's victims are paying for premium SMS services that cost more than $35 per month. GriftHorse operators are thought to have made anywhere from $1.5 million to $4 million per month with this fraud, and their initial victims are thought to have lost more than $230 if they didn't stop the scam. 

GriftHorse malware has been tracked by Zimperium researchers Aazim Yaswant and Nipun Gupta for months, and they describe it as "one of the most widespread campaigns the zLabs threat research team has encountered in 2021." But, according to the two Zimperium researchers, the GriftHorse developers put a lot of effort into the quality of their malware, using a wide range of websites, malicious apps, and developer personas to infect victims and evade detection as much as possible.

“The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months,” Yaswant and Gupta explained. “In addition to a large number of applications, the distribution of the applications was extremely well-planned, spreading their apps across multiple, varied categories, widening the range of potential victims.” 

Handy Translator Pro, Heart Rate and Pulse Tracker, Geospot: GPS Location Tracker, iCare – Find Location, and My Chat Translator are among the popular apps infested with GriftHorse malware. Users in India are also affected, according to the firm. Zimperium, a member of the App Defense Alliance, claimed it alerted Google about all GriftHorse-infected apps, which have since been withdrawn from the Play Store. These apps may, however, still be available in third-party app stores.

Ficker – An Info-Stealer Malware Being Distributed by Russians


Threat actors are using the Malware-as-a-Service (MaaS) model to attack Windows users, according to researchers. The new info-stealer malware “Ficker” was discovered being disseminated via a Russian underground forum by threat actors. FickerStealer is a family of data-stealing malware that first appeared in 2020. It can steal sensitive data such as passwords, web browser passwords, cryptocurrency wallets, FTP client information, Windows Credential Manager information, and session information from various chat and email clients. 

Unlike in the past, when Ficker was spread via Trojanized web links and hacked websites, causing victims to unintentionally download the payload, the current outbreak is stealthy and uses the well-known malware downloader Hancitor to spread. 

Hancitor (also known as Chanitor) malware first appeared in the wild in 2013, relying on social engineering techniques such as posing as DocuSign, a genuine document signing service. This malware tricked users into allowing its harmful macro code to run, allowing it to infect the victim's computer. Hancitor will attempt to download a wide range of additional harmful components after connecting to its command-and-control (C2) infrastructure, depending on its operators' most recent malicious campaign. 

The attack begins with the attackers sending malicious spam emails with a weaponized Microsoft Word document attached, which is fully phoney yet masquerades as the real thing. Spam email content entices victims to open it, resulting in the execution of malicious macro code that allows Hancitor to communicate with the command and control server and get a malicious URL containing a Ficker sample.

It employs the evasion approach to avoid detection by injecting Ficker into an instance of svchost.exe on the victim's PC and concealing its activity. Threat actors routinely utilize svchost.exe to hide malware in the system process and avoid detection by typical antivirus software. 
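The paragraph above describes Ficker being hidden inside svchost.exe. The following is an added example, not code from the Blackberry report or any Ficker analysis: a defender-side triage script that flags svchost.exe instances deviating from a normal baseline. The process records are constructed, and the three baseline rules (parent is services.exe, image under System32/SysWOW64, a -k service group on the command line) are general Windows hunting heuristics rather than anything the article states.

```python
"""Triage of svchost.exe instances against a baseline of normal behaviour.

Added example, not from the Blackberry report. Each svchost.exe in a process
snapshot is checked against three general Windows hunting heuristics (parent
is services.exe, image lives in System32/SysWOW64, command line carries a -k
service group). A svchost.exe spawned by an Office process, as in a
macro -> Hancitor -> Ficker chain, trips the parent rule. Injection into an
already-running legitimate svchost.exe leaves the process tree intact and
needs memory scanning instead, which this script does not do.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str       # image file name as reported by the sensor
    image: str      # full image path
    cmdline: str


# Directories a genuine svchost.exe image is expected to live under.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def svchost_anomalies(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for svchost.exe processes that break baseline."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, List[str]] = {}
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else None
        if parent_name != "services.exe":
            reasons.append(f"unexpected parent: {parent_name or p.ppid}")
        if not p.image.lower().startswith(SYSTEM_DIRS):
            reasons.append(f"image outside system directory: {p.image}")
        if "-k" not in p.cmdline.lower().split():
            reasons.append("no -k service group on command line")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed process snapshot (not real telemetry) modelled on the chain the
# article describes: Word macro -> Hancitor -> svchost.exe hosting Ficker.
SAMPLE: List[Proc] = [
    Proc(600, 4, "wininit.exe", "C:\\Windows\\System32\\wininit.exe", "wininit.exe"),
    Proc(700, 600, "services.exe", "C:\\Windows\\System32\\services.exe", "services.exe"),
    Proc(900, 700, "svchost.exe", "C:\\Windows\\System32\\svchost.exe",
         "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"),
    Proc(3000, 1, "explorer.exe", "C:\\Windows\\explorer.exe", "explorer.exe"),
    Proc(4000, 3000, "WINWORD.EXE", "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
         "WINWORD.EXE /n invoice.docm"),
    # svchost.exe launched by Word: genuine image, wrong parent, no -k group
    Proc(4100, 4000, "svchost.exe", "C:\\Windows\\System32\\svchost.exe",
         "C:\\Windows\\System32\\svchost.exe"),
    # Look-alike binary dropped to a user-writable path
    Proc(4200, 4000, "svchost.exe", "C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe",
         "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for pid, reasons in svchost_anomalies(SAMPLE).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```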

Researchers also discovered that Ficker is heavily obfuscated and employs multiple analysis checks that prevent it from executing in a virtual environment. The malware authors also included a geographic check that prevents the malware from executing in certain countries, including Russia, Uzbekistan, Belarus, Armenia, Kazakhstan, and Azerbaijan. 

According to the Blackberry report, “The malware also has screen-grab abilities, which allow the malware’s operator to remotely capture an image of the victim’s screen. The malware also enables file-grabbing and additional downloading capabilities once connection to its C2 is established.”

BazarLoader Malware: Abuses Slack and BaseCamp Clouds


The primary feature of the BazarLoader downloader, which is written in C++, is to download and execute additional modules. BazarLoader was first discovered in the wild last April, and researchers have discovered at least six variants since then “signaling active and ongoing development”.

According to researchers, the BazarLoader malware is leveraging worker trust in collaboration tools like Slack and BaseCamp, in email messages with links to malware payloads. The attackers have also added a voice-call feature to the attack chain in a secondary campaign targeted at consumers. 

“With a focus on targets in large enterprises, BazarLoader could potentially be used to mount a subsequent ransomware attack,” states a Sophos advisory released on Thursday. Adversaries are targeting employees of large companies with emails that purport to provide valuable details related to contracts, customer care, invoices, or payroll, the researchers added. 

Since the links in the emails are hosted on Slack or BaseCamp cloud storage, they can appear genuine if the target works for a company that uses one of those platforms. When a victim clicks on the link, BazarLoader downloads and executes on their device. 

Usually, the links point to a digitally signed executable with an Adobe PDF graphic as its icon, and the files have names like presentation-document.exe, preview-document-[number].exe, or annualreport.exe, according to the researchers. These executable files, when run, inject a DLL payload into a legitimate process, such as the Windows command shell, cmd.exe. 

“The malware, only running in memory, cannot be detected by an endpoint protection tool’s scans of the filesystem, as it never gets written to the filesystem.” Sophos discovered that the spam messages in the second campaign are devoid of anything suspicious: there are no personal details of any sort in the email body, no connection, and no file attachment.

“All the message claims is that a free trial for an online service the recipient claims to be using is about to expire in the next day or two, and it includes a phone number the recipient must call to opt-out of a costly, paid renewal,” researchers explained. 

If a potential victim picks up the call, a friendly person on the other end of the line sends them a website address where they can unsubscribe from the service. These websites bury an unsubscribe button in a page of frequently asked questions and clicking that button delivers a malicious Office document (either a Word doc or an Excel spreadsheet) that, when opened, infects the computer with the same BazarLoader malware. 

The messages claimed to come from a company named Medical Reminder Service and included a phone number as well as a street address for a real office building in Los Angeles. However, starting in mid-April, the messages began to use a ruse involving a fraudulent paid online lending library named BookPoint. 

Researchers have suspected that BazarLoader could be related to, or authored by, the TrickBot operators. TrickBot is another first-stage loader malware often used in ransomware campaigns. 

BazarLoader seems to be in its initial developmental stage and isn't as advanced as more mature families like TrickBot, researchers added. “While early versions of the malware were not obfuscated,” they explained, “more recent samples appear to encrypt strings that could expose the malware's intended use.”

Spear-Phishing Campaigns Targeting Tibet and Taiwan


The Tibetan community is being targeted by a spear-phishing campaign; the malicious actors behind it are suspected to be the same ones formerly involved in campaigns attacking Taiwanese legislators, as discovered during an investigation in May 2020. Reportedly, the group is employing a novel malware variant called MESSAGEMANIFOLD, similar to the one employed in the above-mentioned campaigns, further solidifying the links discovered between the two campaigns. 

Several other overlaps have also been noted between the two activities, including the use of the same email themes and the same hosting provider. Furthermore, both campaigns made use of Google Drive links for downloading the malware. 

The attackers are targeting strategic entities that somehow align with the Chinese Government’s affairs. The threat actors used spear-phishing emails with a ‘conference invitations’ theme, which included a direct-download Google Drive link. According to the researchers, two Google Drive links were observed, both pointing to a file named “dalailama-Invitations[.]exe”. 

About the Attacks

The dropped files communicate with the command-and-control server via HTTP POST requests that use a fixed URL pattern, and the malware requires a specific response before it proceeds to the next stage. The domains used in both campaigns were hosted on AS 42159 (Zemlyaniy Dmitro Leonidovich) and AS 42331 (PE Freehost). 

Recent cyberattacks on Taiwanese and Tibetan entities don't come as a surprise; Beijing-based malicious actors have been observed actively attacking these targets in accordance with their state's interests. A recent IBM study disclosed an email phishing scheme attacking Germany- and Italy-based COVID-19 vaccine supply chains. Other targets included the Czech Republic and South Korea, among a few more. 

Given the highly customized nature of the attacks against particular, strategically chosen targets, the activity could possibly be aligned with Chinese nation-backed attackers; however, as of now, the campaigns could not be attributed to a recognized cyber threat group. Therefore, experts have recommended employing a trustworthy anti-malware solution. Users are also advised to avoid opening attachments from unknown sources. 

Criminals sending malicious emails claiming to be from the rector of Moscow State University

A malicious program that steals passwords was sent out in mid-September by scammers in letters claiming to be from the rector of Moscow State University. The recipients were financial, industrial, and government organizations in Russia.

According to Group-IB, the mailing took place between 9 and 16 September.

"In the letter, the attackers, on behalf of rector Viktor Sadovnichy, ask recipients to read the attached document “ A description of the budget for 2020” and promptly send their commercial offer,” reported the company's press service.

The texts of the letters are illiterate and contain stylistic errors. In addition, the order of words and sentences indicates that fraudsters use an automatic translation program. The authors of the letter were too lazy to change or check all the links in the template before sending them out. Probably, similar attacks have already been carried out on behalf of other universities, most likely foreign ones.

The addresses of Moscow State University were indicated as the sender in the letters. In fact, the correspondence was sent from the hacked mail server of the Hotel Alfonso V in the Portuguese city of Aveiro. The hotel has already been notified of the break-in.

All the scammers’ emails contained an archive called "Request for a commercial offer" with an executable .exe file inside. After it was launched, a malicious program was installed on the user's device that could steal usernames and passwords.

"In the future, hackers can use them to gain access to email accounts or crypto wallets, for financial fraud, espionage, or sell stolen data on hacker forums,” said Group-IB.

According to Vasily Kuzmin, Deputy head of the information technology department of Moscow State University, neither the rector nor the University administration ever send letters with such content.

Welcome Chat App Harvesting User Data and Storing it in Unsecure Location

Welcome Chat, a messaging platform for Android, spies on its users and stores their data in an unsafe location that is accessible to the public. The authors of the app claim it is available on the Google Play store and market it as a secure platform for exchanging messages; neither claim is true.

The website of the malicious 'Welcome Chat' app publicizes the platform as a secure Android communication solution; however, security researchers from ESET discovered that the app is associated with a malicious operation having links to a Windows Trojan called 'BadPatch', which was employed by the Gaza Hackers group in a long-running cyber espionage campaign in the Middle East. While the origins of the website advertising the app are unknown, the domain was registered by the developers in October 2019. Interestingly, the app doesn't only function as spyware but works perfectly well as a chat platform too.

After downloading the app, users need to allow installation from unknown sources, as the app is not installed via the official app store. Once Welcome Chat is activated, it asks for permission to access the user's contacts, files, SMS, and location details, and to record audio. Although the list of permissions is extensive enough that a user might well doubt it, users are accustomed to granting such permissions, especially to a messaging platform.

As soon as the app receives all the permissions, it starts harvesting the victim's data, including phone recordings, location details, and SMS messages, and sends it to the cybercriminals behind the malicious operation.

Giving insights about the app, Lukáš Štefanko, a researcher at ESET, said, “In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store.”

“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation,” added Štefanko.