Search This Blog

Showing posts with label Trojan. Show all posts

This Banking Trojan is Targeting Users of Spanish Financial Services

 

A previously unreported Android banking trojan targeting users of the Spanish financial services business BBVA has been spotted in the wild. 

The malware, named 'Revive' by Italian cybersecurity firm Cleafy and believed to be in its early stages of development, was first discovered on June 15, 2022, and propagated via phishing operations. 

"The name Revive has been chosen since one of the functionality of the malware (called by the [threat actors] precisely 'revive') is restarting in case the malware stops working," Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday write-up. 

Downloadable from malicious phishing websites ("bbva.appsecureguide[.]com" or "bbva.european2fa[.]com"), the malware impersonates the bank's two-factor authentication (2FA) app as a bait to mislead users into installing the software and is reported to be inspired by open-source spyware dubbed Teardroid, with the authors altering the original source code to integrate new features.

In contrast to other banking malware that are known to target a wide range of financial apps, Revive is targeted for a single target, in this case, the BBVA bank. However, it is similar to its competitors in that it uses Android's accessibility services API to achieve its operational goals. 

Revive is primarily designed to gather the bank's login credentials via lookalike websites and allow account takeover attacks. It also has a keylogger module to record keystrokes and the ability to intercept SMS messages sent by the bank, particularly one-time passwords and two-factor authentication codes. 

"When the victim opens the malicious app for the first time, Revive asks to accept two permissions related to the SMS and phone calls. After that, a clone page (of the targeted bank) appears to the user and if the login credentials are inserted, they are sent to the [command-and-control server] of the TAs," the researchers further stated.

The findings emphasise the importance of exercising caution while installing software from unknown third-party sources.

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

 

The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to capture credit card information from Google Chrome user accounts. 

After obtaining credit card information (such as name, expiration month and year, and card numbers), the malware will transfer it to command-and-control (C2) servers that are not the same as those used by the Emotet card stealer module. 

The Proofpoint Threat Insights team said, "On June 6th, Proofpoint observed a new Emotet module being dropped by the E4 botnet. To our surprise, it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader." 

This shift in behaviour follows an increase in activity in April and a move to 64-bit modules, as discovered by the Cryptolaemus security research group. One week later, Emotet began using Windows shortcut files (.LNK) to run PowerShell instructions on victims' devices, abandoning Microsoft Office macros, which were disabled by default beginning in early April 2022. 

The re-emergence of Emotet malware:

In 2014, the Emotet malware was created and used in assaults as a banking trojan. It has developed into a botnet used by the TA542 threat group (also known as Mummy Spider) to deliver second-stage payloads. 

It also enables its operators to steal user data, conduct reconnaissance on compromised networks, and migrate laterally to susceptible devices. Emotet is renowned for deploying Qbot and Trickbot malware trojan payloads on infected PCs, which are then used to spread more malware, such as Cobalt Strike beacons and ransomware like Ryuk and Conti. Emotet's infrastructure was destroyed in early 2021 as part of an international law enforcement operation that also resulted in the arrest of two people.

When Emotet research organisation Cryptolaemus, computer security firm GData, and cybersecurity firm Advanced Intel all spotted the TrickBot malware being used to deliver an Emotet loader in November 2021, the botnet returned utilising TrickBot's previously established infrastructure.

According to ESET, Emotet's activity has increased more than 100-fold since the beginning of the year, with its activity rising more than 100-fold against T3 2021.

 New Confluence Remote Code Execution Flaw is Exploited by Cryptocurrency Miners

 

Atlassian has issued a security advisory on a severe unpatched remote code execution vulnerability that affects Confluence Server and Data Center products and is being actively abused in the field, according to the company. The CVE-2022-26134 vulnerability was found as an extensively exploited zero-day towards the end of May, and the vendor issued a patch on June 3, 2022. 

Several proof-of-concept (PoC) exploits for the CVE-2022-26134 bug have been made public. Following the disclosure of the RCE, Check Point Research (CPR) researchers observed a large number of exploitation attempts, with some of the malicious payloads used in the attacks being used as part of the same campaign carried by a crypto mining gang known as the "8220 gang" by doing bulk net scans to discover vulnerable Windows and Linux endpoints to plant miners. 

Miners are special-purpose programs that mine cryptocurrency like Monero for the threat actor using the host's available computational capabilities. Reduced server performance, increase hardware wear, greater operating costs, and even business disruption are all direct consequences of this action. These actors can also improve their attack at any time and dump more potent payloads because they have access to the system.

Multiple infection chains are used to target Linux and Windows operating systems. The attack starts with a specially crafted HTTP request which exploits CVE-2022-26134 and dumps a base64-encoded payload on both Linux and Windows platforms. The payload then downloads an executable, a Linux malware injects script and a Windows child process spawner. Both scenarios try to set up reboot persistence, then delete all current devices before activating the miner. 

The miner will deplete all system resources in both circumstances, therefore the "8220 gang" is aiming for maximum profit until the malware is uprooted, rather than silently mining on infected servers and attempting to remain undiscovered by using only a portion of the available processing capacity. Eventually, the Linux script looks for SSH keys on the host in an attempt to expand to other computers nearby. 

The web shell is believed to have been used to distribute two further web shells to disk, namely China Chopper and a bespoke file upload shell for exfiltrating arbitrary files to a remote server. The news comes within a year of another severe remote code execution issue in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) was actively exploited in the open to install cryptocurrency miners on compromised servers (CVE-2021-26084, CVSS score: 9.8). 

"Attackers can get direct access to highly valuable systems by exploiting such type of vulnerability," Volexity stated. "Furthermore, because they lack the necessary monitoring or logging capabilities, these systems can be difficult to investigate."

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

 

The infamous Emotet malware has deployed a new module aimed to steal credit card data saved in the Chrome web browser. According to corporate security firm Proofpoint, which discovered the component on June 6, the credit card stealer, which only targets Chrome, has the capacity to exfiltrate the acquired information to several remote command-and-control (C2) servers. 

The news comes amid a surge in Emotet activity since it was reactivated late last year after a 10-month pause caused by a law enforcement operation that destroyed its attack infrastructure in January 2021. Emotet, attributed to the threat actor TA542 (aka Mummy Spider or Gold Crestwood), is a sophisticated, self-propagating, and modular trojan that is distributed via email campaigns. 

According to Check Point, as of April 2022, Emotet is still the most renowned malware, with a global impact of 6% of organisations worldwide, followed by Formbook and Agent Tesla, with the malware testing new delivery methods using OneDrive URLs and PowerShell in.LNK attachments to circumvent Microsoft's macro restrictions. 

The steady increase in Emotet-related threats is further supported by the fact that the number of phishing emails, which frequently hijack existing correspondence, increased from 3,000 in February 2022 to approximately 30,000 in March, targeting organisations in various countries as part of a large-scale spam campaign. ESET stated that Emotet activity "shifted to a higher gear" in March and April 2022 and that detections increased 100-fold, indicating an 11,000 percent increase during the first four months of the year when compared to the preceding three-month period from September to December 2021. 

Japan, Italy, and Mexico have been frequent targets since the botnet's revival, according to the Slovak cybersecurity firm, with the largest wave recorded on March 16, 2022. 

Dušan Lacika, the senior detection engineer at Dušan Lacika, said, "The size of Emotet's latest LNK and XLL campaigns was significantly smaller than those distributed via compromised DOC files seen in March. This suggests that the operators are only using a fraction of the botnet's potential while testing new distribution vectors that could replace the now disabled-by-default VBA macros." 

Researchers from CyberArk also revealed a novel approach for extracting plaintext credentials directly from memory in Chromium-based web browsers. 

"Credential data is stored in Chrome's memory in cleartext format. In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager," CyberArk's Zeev Ben Porat said.

This includes cookie-related information such as session cookies, which an attacker might harvest and utilise to hijack users' accounts even if they are secured by multi-factor authentication.

Report: Clipminer Botnet Operators Rake in $1.7 Million

 

According to Symantec security experts, cyber criminals operating the Clipminer botnet have made at least $1.7 million in illegal earnings to date. 

The Clipminer trojan spreads via trojanized cracked or pirated software and shares characteristics with the cryptomining trojan KryptoCibule, implying that it is either a copycat or a development of the latter. Clipminer was discovered around January 2021, shortly after KryptoCibule was revealed in an ESET research study, suggesting a probable rebranding of the same threat, according to Symantec. 

Once inside a machine, the malware may exploit its resources to mine for bitcoin, but it can also change clipboard data. When Symantec detects that a user has duplicated a cryptowallet address, it replaces it with the address of an attacker-controlled wallet in order to reroute cash there. 

“On each clipboard update, it scans the clipboard content for wallet addresses, recognizing address formats used by at least a dozen different cryptocurrencies. […] For the majority of the address formats, the attackers provide multiple replacement wallet addresses to choose from,” Symantec added. 

Within the malware, the researchers discovered a total of 4,375 distinct cryptowallet addresses, 3,677 of which are utilised for only three different types of Bitcoin addresses. Symantec discovered about 34.3 Bitcoin and 129.9 Ethereum in some of the attackers' addresses and stated that some other funds had already been moved to cryptocurrency mixing services. 

“If we include the funds transferred out to these services, the malware operators have potentially made at least $1.7 million from clipboard hijacking alone,” the researchers added.

Spanish FA Reported a Cyber Attack, Private Texts Seized

 

Police have been informed that the Royal Spanish Football Federation (RFEF) has witnessed a cyber attack. In recent months, top leaders of the union, particularly president Luis Rubiales, have had documents and information from private email accounts, private texts, and audio calls taken.

Headquartered in Las Rozas, La Ciudad del Ftbol, a community near Madrid, the Royal Spanish Football Federation is Spain's football regulating organization. The Spanish FA won the 2010 FIFA World Cup and two European Championships in a row as a result of these events. 

"It's likely this personally identifiable information, taken unlawfully and with clear criminal purpose, was provided to numerous media," the RFEF added. 

Before the publishing of the information, an unnamed journalist informed the RFEF claiming its media outlet had been provided access to illegally acquired material from an unknown source who communicated over an encrypted voice. 

"Through third parties, the media outlet in issue claimed to have obtained confidential contracts, private WhatsApp conversations, emails, and a variety of documents involving the RFEF management," the journalist told. "If accurate, it would be a crime of secret revelation and a breach of the people attacked's fundamental rights." 

The Spanish FA has condemned such "criminal and mafia" acts to all relevant organizations, as well as appointed a private firm to improve security and prevent future attacks.

Cyberattacks, like hacktivists, can be linked to cyber warfare or cyberterrorism. To put it another way, motivations can differ. And there are three basic types of motivations: criminal, political, and personal. Money theft, data theft, and company disruption are all options for criminally minded attackers.

Octo: A New Malware Strain that Targets Banking Institutions

 

Last year, an Android banking malware strain was found in the open, few organizations called it "Coper," belonging to a new family, however, ThreatFabric intelligence hinted it as a direct inheritance of the infamous malware family Exobot. Found in 2016, Exobot used to target financial institutions until 2018, these campaigns were focused in France, Turkey, Thailand, Germany, Japan, and Australia. Following the incident, another "lite" variant surfaced, named ExobotCompact by the developer famous as "Android" on the dark web. 

Analysts from ThreatFabric established a direct connection between ExobotCompact and the latest malware strain, named "ExobotCompact.B." The latest malware strain surfaced in November 2021, named ExobotCompact.D. "We would like to point out that these set of actions that the Trojan is able to perform on victim’s behalf is sufficient to implement (with certain updates made to the source code of the Trojan) an Automated Transfer System (ATS)," says ThreatFabric report. The recent actions by this malware family involve distribution via various malicious apps on Google Play Store. 

The apps were installed more than 50k times, targeting financial organizations around the world, including broad and generic campaigns having a high number of targets, along with focused and narrow campaigns across Europe. Earlier this year, experts noticed a post on a dark web forum, a user was looking for an Octo Android botnet. Later, a direct connection was found between ExobotCompact and Octo. Interestingly, ExobotCompact was updated with various features and rebranded as Octo, bringing remote access capability, therefore letting malicious actors behind the Trojan to perform on-device fraud (ODF). 

ODF is the riskiest, most dangerous fraud threat. Here, transactions begin from the same device that a target uses on a daily basis. Here, anti-fraud programmes are challenged to detect the scam activity with less in number malicious indicators and different fraud done via different channels. ThreatFabric reports, "to establish remote access to the infected device, ExobotCompact.D relies on built-in services that are part of Android OS: MediaProjection for screen streaming and AccessibilityService to perform actions remotely."

Hackers from China's 'Mustang Panda' were Utilizing New 'Hodur' Malware

 

Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416 or RedDelta), a China-based advanced persistent threat (APT), has been traced to an ongoing cyberattack campaign using a formerly undocumented variation of the PlugX remote access trojan on affected workstations mostly in and around Southeast Asia. For its similarities to another PlugX (aka Korplug) variation called THOR which surfaced in July 2021, slovak cybersecurity firm ESET termed the current version Hodur. 

Korplug is a proprietary virus used widely, it was initially uncovered in a 2020 investigation that looked into Chinese hackers' activities against Australian targets. Mustang Panda employs phishing lures with counterfeit papers to target European embassies, ISPs (Internet Service Providers), and research institutes in the most recent known campaign, according to cybersecurity firm ESET. "Anti-analysis measures and control-flow obfuscation are used at every level of the deployment process," the firm told.

Hodur is based on PlugX, a remote access tool that "allows remote users to steal data or take control of impacted systems without authorization. It can copy, move, rename, execute, and delete files, as well as log keystrokes and fingerprint the infected system." The infections end with the implementation of the Hodur backdoor on the infected Windows host, irrespective of the phishing lure used. 

As formerly stated, the campaign begins simply, with the group phishing its targets using current events. Proofpoint identified it using a NATO diplomat's email address to send out.ZIP and.EXE files labeled "Situation at the EU Borders with Ukraine" last month. If a victim accepts the bait, a legitimate, properly signed executable prone to DLL search-order hijacking will be delivered. Russia, Greece, Cyprus, South Africa, Vietnam, Mongolia, Myanmar, and South Sudan are the countries targeted in this campaign. 

ESET claims to have sampled sophisticated custom loaders as well as new Korplug (Hodur) versions still using DLL side-loading but has considerably more robust obfuscation and anti-analysis techniques across the infection chain. The side-loading custom DLL loader uses a digitally-signed genuine executable, in this case, a SmadAV file, and leverages a known flaw. Except for one, which loads the new Korplug variation, the loader's many functions are all fake. 

As it is a Chinese actor with a history of pursuing higher political espionage purposes, the scope of its targeting should be rather consistent.

BitRAT Malware Spreading Via Unofficial Microsoft Windows Activators

 

A new BitRAT malware distribution campaign is ongoing, targeting people who want to utilise unauthorised Microsoft licence activators to activate unlicensed Windows OS versions for free. 

BitRAT is a strong remote access trojan that can be purchased for as little as $20 (lifetime access) on cybercrime forums and dark web markets. As a result, each buyer has their own malware dissemination strategy, which may include phishing, watering holes, or trojanized software. Threat actors are delivering BitRAT malware as a Windows 10 Pro licence activator on webhards in a new BitRAT malware distribution campaign identified by AhnLab researchers. 

Webhards are popular online storage services in South Korea that receive a steady stream of visitors via direct download links posted on social media platforms or Discord. Threat actors are increasingly exploiting webhards to deliver malware due to their widespread use in the region. Based on some of the Korean characters in the code snippets and how it was distributed, the actor behind the current BitRAT campaign appears to be Korean. To use Windows 10, one must first purchase and activate a Microsoft licence. 

While there are ways to get Windows 10 for free, one must have a valid Windows 7 licence to do so. Those who don't want to deal with licencing concerns or who don't have a licence to upgrade frequently resort to pirating Windows 10 and using unapproved activators, many of which are infected with malware.'W10DigitalActiviation.exe' is the malicious file presented as a Windows 10 activator in this campaign, and it has a simple GUI with a button to "Activate Windows 10." 

Rather than activating the Windows licence on the host system, the "activator" will download malware from a threat actors' hardcoded command and control server. The retrieved payload is BitRAT, which is installed as 'Software Reporter Tool.exe' in the %TEMP% folder and added to the Startup folder. Exclusions for Windows Defender are also included by the downloader to guarantee that BitRAT is not detected. The downloader deletes itself from the system after the malware installation process is completed, leaving just BitRAT behind. 

BitRAT is marketed as a powerful, low-cost, and versatile malware that can steal a variety of sensitive data from the host computer.BitRAT includes features such as keylogging, clipboard monitoring, camera access, audio recording, credential theft through web browsers, and XMRig coin mining. 

 It also includes a remote control for Windows PCs, hidden virtual network computing (hVNC), and SOCKS4 and SOCKS5 reverse proxy (UDP). On that front, ASEC's investigators discovered considerable code similarities between TinyNuke and its derivative, AveMaria,(Warzone). The RATs' hidden desktop capability is so valuable that some hacking groups, such as the Kimsuky, have included them in their arsenal only to use the hVNC tool.

TrickBot Group Likely Moving Operations to Switch to New Malware

 

TrickBot, the notorious Windows crimeware-as-a-service (CaaS) solution used by several threat actors to distribute next-stage payloads like ransomware, looks to be in the midst of a transition, with no new activity since the beginning of the year. 

Researchers at Intel 471 stated in a study provided with The Hacker News that the slowdown in malware activities is partially due to a huge shift by Trickbot's operators, including working with the operators of Emotet. Even as the malware's command-and-control (C2) infrastructure continued to serve additional plugins and web injects to infected nodes in the botnet, the last round of TrickBot attacks was recorded on December 28, 2021. 

Surprisingly, the drop in campaign volume has coincided with the TrickBot gang collaborating closely with the operators of Emotet, which resurfaced late last year after a 10-month break due to law enforcement efforts to combat the malware. The attacks, which began in November 2021, comprised an infection sequence that utilized TrickBot to download and execute Emotet binaries, whereas Emotet binaries were frequently used to drop TrickBot samples previous to the shutdown. 

The researchers stated, "It's likely that the TrickBot operators have phased TrickBot malware out of their operations in favour of other platforms, such as Emotet. TrickBot, after all, is relatively old malware that hasn't been updated in a major way." 

Additionally, immediately after Emotet's comeback in November 2021, Intel 471 discovered instances of TrickBot sending Qbot installs to the infected systems, highlighting the possibility of a behind-the-scenes shake-up to relocate to other platforms. With TrickBot becoming more visible to law enforcement in 2021, it's not unexpected that the threat actor behind it is actively working to change tactics and modify their protective mechanisms. 

"Perhaps a combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it. We suspect that the malware control infrastructure (C2) is being maintained because there is still some monetization value in the remaining bots," the researchers added.

According to a separate investigation published last week by Advanced Intelligence (AdvIntel), the Conti ransomware group is thought to have acqui-hired several elite TrickBot developers to deactivate the malware and replace it with improved variations like BazarBackdoor.

Hackers are Now Utilizing Office Documents to Launch the Regsvr32 Utility

 

Regsvr32, a Windows living-off-the-land binary (LOLBin) used to propagate trojans like Lokibot and Qbot, is seeing a surge in abuse recently, according to researchers. 

LOLBins are genuine, native utilities which are used on a regular basis in a variety of computing settings, yet are utilized by cybercriminals to avoid detection by merging in with typical traffic patterns. Regsvr32 is a Windows command-line program signed by Microsoft which lets users register and unregister DLLs (Dynamic Link Library). Information about a DLL file is uploaded to the centralized registry so the Windows may use it. 

This makes things simpler for other programs to take advantage of the DLLs' features. This broad reach is appealing to cybercriminals, who may exploit the utility through Squiblydoo, which has been a utilized malware by known APT groups, such as in spear-fishing efforts against Russian firms, and more recently in certain crypto mining events. 

Unlawful utilization of Regsvr32 has been on the rise recently in the Uptycs data, with cybercrooks attempting to register specifically. As a group, we. ActiveX controls are code blocks designed by Microsoft that allow applications to perform specified functions, such as showing a calendar, using OCX files. 

Uptycs EDR employs a multi-layered detection strategy that not only analyzes threats using the Squiblydoo technique but also prioritizes them according to a specific composite score and severity. This helps analysts focus on key situations first, reducing alert fatigue. 

The majority of such Microsoft Excel files found in the attacks have the.XLSM or.XLSB prefixes, which indicate files contain embedded macros. Using the formulas in the macros, hackers normally download or operate a malicious payload from the URL during the campaign. 

Conventional security systems and security personnel tracking this operation for malicious actions face a problem because regsvr32 is frequently utilized for regular daily tasks. The following aspects can be monitored by security teams: 

  • The parent/child program relations where regsvr32 is run alongside a Microsoft Word or Excel parent process. 
  • Locating  regsvr32.exe operations that load the scrobj.dll, which performs the COM scriptlet, to identify it.

The Hacking Group 'ModifiedElephant' Remained Undetected

 

SentinelLabs' IT security researchers have discovered information of growing cyber-attacks (APT) wherein the threat actors have been targeting human rights activists, free speech advocates, professors, and lawyers in India using readily available trojans via spear-phishing since 2012. The group known as ModifiedElephant has been found to be planting 'incriminating evidence' on the devices of its targets. 

"The goal for ModifiedElephant is long-term espionage which sometimes ends with the transmission of evidence – files that implicate the victim in criminal offenses – prior to conveniently synchronized arrests," stated Tom Hegel, a threat researcher at SentinelOne. According to the research, over the previous decade, ModifiedElephant hackers have been attacking their victims with spearphishing emails containing malicious file attachments, with their methods becoming more complex over time. 

Spearphishing is the technique of emailing victims that appear to come from a trustworthy source in order to either divulge sensitive information or install malware on their computers. ModifiedElephant usually uses infected Files to spread malware to its victims. The particular mechanism and content included in malicious files have varied over time, according to SentinelOne, the timeline has been given below: 
  • 2013 – An adversary sends malware via email attachments with phony double extensions (file.pdf.exe). 
  • 2015 – The group switches to encryption key RAR attachments including legitimate luring documents that hide malware execution signals. 
  • 2019 – Updated Elephant begins hosting malware-distribution sites and takes advantage of cloud hosting capabilities, transitioning from phony papers to malicious URLs.
  • 2020 – attackers circumvent identification by skipping scans by using big RAR files (300 MB).

The CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, and CVE-2015-1641 exploits, according to SentinelOne, were frequently utilized in luring documents, which attacked Microsoft Office Suite programs. 

Modified Elephant is not seen using any customized backdoors in its operational history, indicating the group isn't particularly sophisticated. NetWire and DarkComet, two publicly available remote access trojans extensively utilized by lower-tier hackers, were the principal malware used in the campaigns. 

ModifiedElephant's Visual Basic keylogger hasn't changed since 2012, and it's been open-source on hacking forums all that time. SentinelLabs remarks on the tool's history, pointing out that it no longer works on recent OS versions. The Android virus is likewise a commodity trojan that is distributed to users in order of an APK, luring them in by appearing like a news app or a secure messaging tool.

10K Victims Infested via Google Play 2FA App Loaded with Banking Trojan

 

The Vultur trojan obtains bank credentials but then requests authorization to inflict even more damage later. 

A fraudulent two-factor authentication (2FA) software has been deleted from Google Play after being available for more than two weeks — but not before it was downloaded more than 10,000 times. The Vultur stealer malware, which targets and swoops down on financial information, is put into the app, which is completely functioning as a 2FA authenticator. 

Researchers at Pradeo warn users who have the malicious app, just named "2FA Authenticator," to delete it straight away since they are still at risk — both from banking-login theft and other assaults made possible by the app's broad over permissions. 

Using open-source Aegis authentication code combined with malicious add-ons, the threat actors constructed an operable and convincing app to mask the malware dropper. According to a Pradeo analysis issued, this enabled it to proliferate unnoticed via Google Play. 

“As a result, the application is successfully disguised as an authentication tool, which ensures it maintains a low profile,” the report added. 

The Vultur banking trojan is installed once the software is downloaded, and it harvests financial and banking data from the affected smartphone, among other things. The Vultur remote access trojan (RAT) malware, initially discovered by ThreatFabric investigators in March, was the first of its type to employ keylogging and screen recording as its main approach for stealing banking data, allowing the organisation to systematize and expand the process of stealing credentials. 

“The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking trojans: this approach usually requires more time and effort from the actors to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result,” ThreatFabric said at the time. 

According to the Pradeo team, the fake 2FA authenticator also requests device rights that aren't shown in the Google Play profile. The attackers can use those tricksy, enhanced privileges to do things like access user location data so attacks can be aimed at specific regions, disable device lock and password security, download third-party apps, and take control of the device even if the app is shut down, according to the report. 

Once the device is fully hacked, the app installs Vultur, “an advanced and relatively new kind of malware that mostly targets online banking interface to steal users’ credentials and other critical financial information,” the report said. 

Pradeo discovered another sneaky tactic used by the malicious 2FA by acquiring the SYSTEM ALERT WINDOW permission, which allows the application to modify the interfaces of other mobile apps. 

"Very few apps should use this permission; these windows are intended for system-level interaction with the OS," Google stated. 

Despite the fact that the researchers reported their disclosure to Google Play, the malicious 2FA Authenticator app loaded with the banking malware remained accessible for 15 days, according to the Pradeo team.

Threat Actors Blanket Androids with Flubot & Teabot Campaigns

 

Researchers have found a bundle of dynamic campaigns transmitting the Flubot and Teabot trojans through a variety of delivery strategies, with threat actors utilizing smishing and pernicious Google Play applications to target victims with fly-by assaults in different locations across the globe. 

Specialists from Bitdefender Labs said they have caught more than 100,000 malignant SMS messages attempting to transmit Flubot malware since the start of December, as indicated by a report distributed Wednesday. 

During their analysis of Flubot, the team additionally found a QR code-peruser application that has been downloaded more than 100,000 times from the Google Play store and which has disseminated 17 different Teabot variations, they said. 

Flubot and Teabot surfaced on the scene last year as somewhat clear financial trojans that take banking, contact, SMS and different kinds of private information from infected gadgets. Be that as it may, the administrators behind them have interesting strategies for spreading the malware, making them especially nasty and expansive. 
 
Flubot was first founded in April focusing on Android clients in the United Kingdom and Europe using noxious SMS messages that nudged recipients to introduce a "missed package delivery" application, exhibiting a component of the malware that allows attackers to utilize command and control (C2) to send messages to victims. 

This feature permits administrators to rapidly change targets and other malware highlights on the fly, augmenting their assault surface to a worldwide scale without requiring a complex framework. For sure, campaigns later in the year targeted Android users in New Zealand and Finland. 

“These threats survive because they come in waves with different messages and in different time zones,” Bitdefender researchers wrote in the report. 

“While the malware itself remains pretty static, the message used to carry it, the domains that host the droppers, and everything else is constantly changing. For example, in the month between Dec. 1 of last year and Jan. 2 of this year, the malware was highly active in Australia, Germany, Spain, Italy and a few other European countries.”   

Campaigns between Jan. 15 and Jan. 18 then, at that point, moved to different parts of the globe, including Romania, Poland, the Netherlands, Spain and even Thailand, they found. 
 
Attackers likewise spread out past attempting to fool users into thinking they missed a package delivery- what Bitdefender named "fake courier messages" - to disseminate Flubot. However this strategy was available in almost 52% of campaigns specialists noticed, they likewise utilized a trick named "is this you in this video" that is a take-off of a credential-stealing campaign that has been streaming steadily via web-based media in around 25% of noticed missions, analysts wrote. 

“When the victim clicks on the link, it usually redirects them to a fake Facebook login that gives attackers direct access to credentials,” researchers explained. 

Flubot administrators have gotten on this trick and are involving a variety of it in one of the smishing efforts noticed, with clients getting an SMS message that inquires, "Is this you in this video?" researchers noted. In any case, the objective of the mission is very similar: to some way or another trick users into installing the software under some cover. 

“This new vector for banking trojans shows that attackers are looking to expand past the regular malicious SMS messages.”
  
Among different lures, Flubot administrators likewise utilized SMS messages utilizing counterfeit program updates and phoney phone message notices in around 8% of noticed campaigns, separately, analysts stated.

Anubis Trojan Targeted 400 Banks’ Customers

 

A malicious app disguised as the official account management portal for French telecom giant Orange S.A. is targeting customers of Chase, Wells Fargo, Bank of America, and Capital One, as well as almost 400 other financial institutions. 

According to researchers, this is only the beginning. Researchers at Lookout cautioned in a recent report that once downloaded, the malware - a version of banking trojan Anubis – collects the user's personal data and uses it to mislead them. And it's not just huge bank customers that are at risk, according to the researchers: Crypto wallets and virtual payment networks are also being targeted.

The Lookout report stated, “As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain.”

“This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection, and abuse of the device’s accessibility services.” 

The malicious version of the Orange Telecom account management software was uploaded to the Google Play store in July 2021 and then removed, but analysts believe this was only a test of Google's antivirus defences and that it could reappear shortly. 

The report added, “We found that obfuscation efforts were only partially implemented within the app and that there were additional developments still occurring with its command-and-control (C2) server. We expect more heavily obfuscated distributions will be submitted in the future.” 

New Anubis Tricks 

The malicious version of the Orange Telecom account management software was uploaded to the Google Play store in July 2021 and then removed, but analysts believe this was only a test of Google's antivirus defences and that it could reappear shortly. 

The banking trojan connects to the command-and-control (C2) server after being downloaded on the device and downloads another application to start the SOCKS5 proxy. 

“This proxy allows the attacker to enforce authentication for clients communicating with their server and mask communications between the client and C2. Once retrieved and decrypted, the APK is saved as ‘FR.apk’ in ‘/data/data/fr.orange.serviceapp/app_apk,'” the researchers stated.

The user is then prompted to disable Google Play Protect, giving the attacker complete control, according to the research. Banks, reloadable card businesses, and cryptocurrency wallets are among the 394 apps targeted by fr.orange.serviceapp, according to the researchers. 

The Anubis client was linked back to a half-completed crypto trading platform, according to the Lookout team. 

Anubis, which was first discovered in 2016, is freely available as open-source code on underground forums, along with instructions for budding banking trojan criminals, according to the research. 

According to Lookout, the basic banking trojan has added a credential stealer to the mix in this current edition of Anubis code, putting logins for cloud-based platforms like Microsoft 365 in danger. 

As per Kristina Balaam, a security researcher with Lookout, the Lookout team was unable to discover any successful attacks linked to the Orange S.A. campaign. 

“While we can’t be certain whether the app has been used in a successful attack, we do know they are targeting U.S. banks including Bank of America, U.S. Bank, Capital One, Chase, SunTrust and Wells Fargo,” Balaam stated.

Dridex Targeted Employees with Fake Job Termination Emails

 

A new Dridex malware phishing campaign is using fake employee termination as a lure to open a malicious Excel document, which then trolls them with a season's greeting message.

TheAnalyst, a threat researcher, shared a screenshot of the false employment termination notice on December 22, linking it to a Dridex affiliate. The suspicious email informed the target that their employment will end on December 24, and also that the decision could not be reversed. A password-protected Excel file attached offered further information. 

When a receiver accessed the file, a blurred form with a button to "Enable Content" appeared, allowing the file to run an automated script through its macros function, a technology designed to aid automation that has been misused for years for harmful purposes. After clicking the button, a pop-up window displayed with the words "Merry X-Mas Dear Employees!" 

Dridex is a trojan that was first discovered in 2014 and is related to credential theft. It spreads via email phishing campaigns. According to the US Treasury Department, it has been used to steal more than $100 million from banking institutions in 40 nations. 

Dridex is thought to have been created by Evil Corp., a Russian hacker gang that has become one of the most notorious and prolific cybercrime organizations in recent years. In December 2019, the US government sanctioned the organization and indicted its alleged founders, Maksim Yakubets and Igor Turashev, for their roles in developing Bugat, the predecessor malware to Dridex. 

A response to TheAnalyst's tweet including the false termination notice observed that in some copies of the email, the "Merry X-Mas" pop-up replaced the word "Employees" with racial insults. The racist content with this particular Dridex campaign extends back to a few months, according to TheAnalyst. 

For example, a phishing email sent out to targets during Black Friday mentioned shooting "black protesters" with a license. "If you find this message to be inappropriate or offensive, please click the complaint button in the attached document and we will never contact you again," the message stated. 

According to TheAnalyst, cybercriminals frequently insert racist email addresses inside the malware payloads to insult researchers. This element of the campaign is not visible to the campaign's targets, but it is visible to researchers who seek out, study, and expose phishing campaigns.

This Decade-old Malware has Picked Some Nasty New Tactics

 

Qakbot, a popular trojan for stealing bank credentials, has recently started delivering ransomware, making it more difficult for network defenders to identify what is and isn't a Qakbot attack. 

Qakbot is a particularly versatile piece of malware that has been active for over a decade and has survived despite Microsoft and other security firms' multi-year attempts to eliminate it. In 2017, Qakbot adopted WannaCry's lateral movement techniques, such as infecting all network shares and drives, brute-forcing Active Directory accounts, and creating copies of itself using the SMB file-sharing protocol. 

According to Kaspersky's new investigation of Qakbot, it is unlikely to go away very soon. As per its detection statistics for Qakbot, it infected 65 per cent more PCs between January and July 2021 than it did the previous year. As a result, it is becoming increasingly dangerous. 

Qakbot is modular, as per Microsoft, allowing it to masquerade as unique attacks on each device on a network, making it tough to identify, prevent, and remove by defenders and security tools. 

The Microsoft 365 Defender Threat Intelligence Team stated in its report, "Due to Qakbot's high likelihood of transitioning to human-operated attack behaviours including data exfiltration, lateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely." 

Given the difficulty in identifying a common Qakbot campaign, the Microsoft team has profiled the malware's approaches and behaviours to aid security analysts in detecting it. Emailed attachments, links, or embedded images are the most common distribution methods. It is also known to attack machines using Visual Basic for Applications (VBA) macros and legacy Excel 4.0 macros. In July, TrendMicro examined a significant Qakbot campaign that employed this tactic. 

Qakbot hides harmful processes using process injection, creates scheduled activities that stay on the machine, and manipulates the Windows registry. Once installed on an infected system, it uses a variety of lateral movement techniques, as well as the Cobalt Strike penetration-testing framework and ransomware. 

Last year, the FBI warned that Qakbot trojans were spreading ProLock, a type of "human-operated ransomware." It was a concerning discovery since machines infected with Qakbot on a network must be separated because they act as a ransomware attack's bridge. Microsoft noted that Qakbot has used MSRA.exe and Mobsync.exe for process injection to conduct various network 'discovery' commands and steal Windows credentials and browser data. 

Other criminal groups can use Qakbot's Cobalt Strike module to deploy their own payloads, such as ransomware. As per Trend Micro, Qakbot has delivered MegaCortex and PwndLocker (2019), Egregor, and ProLock (2020), and Sodinokibi/REvil (2021).

"Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads," Microsoft noted. 

"Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor." 

Activating Office 365 phishing protection, enabling SmartScreen and network in the Edge browser, and ensuring runtime macro scanning by turning on Windows Antimalware Scan Interface (AMSI) is among Microsoft's recommended mitigations to reduce Qakbot's impact. Microsoft Defender antivirus and other third-party antivirus vendors support AMSI. AMSI support for Excel 4.0 macros was added in March, so it's still a new feature.

Mekotio Banking Trojan Resurfaces with Tweaked Code

 

On November 3, Check Point Research (CPR) released research on Mekotio, a modular banking Remote Access Trojan (RAT) that targets victims in Brazil, Chile, Mexico, Spain, and Peru, and it's now back with new techniques for evading detection. 

In October, 16 people were arrested across Spain in connection with Mekotio and the Grandoreiro Trojans. The individuals are suspected of sending hundreds of phishing emails to spread the Trojan, which was then used to steal banking and financial information. As per local media sources, 276,470 euros were stolen, but 3,500,000 euros worth of transfer attempts were made, which were luckily blocked. 

According to CPR researchers Arie Olshtein and Abedalla Hadra, the arrests simply delayed the transmission of the malware across Spain, and the malware is still spreading since the group probably partnered with other criminal organisations. Mekotio's developers, suspected of being based in Brazil, quickly rehashed their malware with new characteristics aimed to prevent detection after the arrests were revealed by the Spanish Civil Guard. 

The infection vector of Mekotio has remained the same, including phishing emails containing either links to or malicious code. The payload is contained in a ZIP archive attached. However, an examination of more than 100 recent attacks indicated the use of a simple obfuscation approach and a substitution cypher to avoid detection by antivirus software. 

In addition, the developers have included a redesigned batch file with numerous levels of obfuscation, a new PowerShell script that runs in memory to conduct malicious actions, and the use of Themida to safeguard the final Trojan payload — a legitimate application that prevents cracking or reverse engineering. 

Mekotio attempts to exfiltrate login credentials for banks and financial services once it has been installed on a vulnerable machine and will send them to a command-and-control (C2) server controlled by its operators. 

The researchers stated, "One of the characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection. CPR sees a lot of old malicious code used for a long time, and yet the attacks manage to stay under the radar of AVs and EDR solutions by changing packers or obfuscation techniques such as a substitution cipher."

Threat Actors Abuse Discord to Push Malware

 

Cybercriminals are using Discord, a popular VoIP, instant chat, and digital distribution network used by 140 million users in 2021, to disseminate malware files. 

Discord servers can be organised into topic-based channels where users can share text or audio files. Within the text-based channels, they can attach any form of material, including photos, document files, and executables. These files are maintained on the Content Delivery Network (CDN) servers of Discord. 

However, many files transferred over the Discord network are malicious, indicating that actors are abusing the site's self-hosted CDN by forming channels with the sole aim of distributing these harmful files. Although Discord was designed for the gaming community initially, many corporations are now adopting it for office communication. Many businesses may be permitting this unwanted traffic onto their network as a result of these malicious code files placed on Discord's CDN. 

Exploiting Discord channels 

RiskIQ researchers looked deeper into how Discord CDN utilises a Discord domain through links that use [hxxps://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/{filename}] as the format to discover malware. 

According to the researchers, they spotted links and queried Discord channel IDs used in these links, enabling them to identify domains comprising web pages that connect to a Discord CDN link with a certain channel ID. 

“For example, the RiskIQ platform can query the channel IDs associated with zoom[-]download[.]ml,” researchers explained. “This domain attempts to spoof users into downloading a Zoom plug-in for Microsoft Outlook and instead delivers the Dcstl password stealer hosted on Discord’s CDN.” 

In another case, RiskIQ determined that the channel ID for a URL containing a Raccoon password stealer file returned a domain for Taplink, a  site that offers users micro landing pages to send them to their Instagram and other social media accounts. 

According to the researchers, the approach allowed them to discover the day and time Discord channels were launched, connecting those generated within a few days after the first observation of a file in VirusTotal to channels with the sole purpose of disseminating malware. They eventually discovered and cataloged 27 distinct malware types hosted on Discord's CDN. 

About the malware 

Discord CDN URLs containing.exe, DLL, and different document and compressed files were detected by RiskIQ. It was discovered that more than 100 of the hashes on VirusTotal were transmitting malicious information. 

RiskIQ discovered more than eighty files from seventeen malware families, however, Trojans were the most frequent malware found on Discord's CDN. For most malware found on Discord's CDN, RiskIQ noticed a single file per channel ID. 

According to Microsoft's identification of the files and further research, there are a total of 27 distinct malware families, divided into four types: 
• Backdoors, e.g., AsyncRat 
• Password Stealers, e.g., DarkStealer 
• Spyware, e.g., Raccoon Stealer 
• Trojans, e.g., AgentTesla 

The exploitation of Discord's infrastructure throws light on the rising problem of CDN abuse by malicious attackers across the web. Using internet-wide visibility to identify malware in CDN infrastructure is significant to limiting the damage these valuable malware delivery techniques might have on the firm.

Hydra Malware Targets Germany's Second Largest Bank Customers

 

The Hydra banking trojan has resurfaced to target European e-banking platform users, especially Commerzbank customers, Germany's second-largest financial institution. 

MalwareHunterTeam discovered the two-year-old virus in a fresh dissemination operation that targets German users with a malicious APK called 'Commerzbank Security' with a lookalike icon to the legitimate application. 

This grabbed the attention of Cyble researchers, who sampled the file for a more in-depth study, revealing a sophisticated phishing tool with broad rights access. 

According to Cyble experts, Hydra is still evolving; the variations used in the latest campaign include TeamViewer features, similar to the S.O.V.A. Android banking Trojan, and utilize various encryption methods to avoid detection, as well as Tor for communication. 

The latest version additionally allows to turn off the Play Protect Android security function. The virus demands two very hazardous permissions, BIND_ACCESSIBILITY_PERMISSION and BIND_DEVICE_ADMIN, according to the experts. 

The Accessibility Service is a background service that assists users with disabilities, and the BIND_ACCESSIBILITY_SERVICE permission permits the app to access it. 

The analysis published by Cyble states, “Malware authors abuse this service to intercept and monitor all activities happening on the device’s screen. For example, using Accessibility Service, malware authors can intercept the credentials entered on another app.” 

“BIND_DEVICE_ADMIN is a permission that allows fake apps to get admin privileges on the infected device. Hydra can abuse this permission to lock the device, modify or reset the screen lock PIN, etc.” 

Other rights are requested by the malware to carry out harmful activities such as accessing SMS content, sending SMSs, making calls, modifying device settings, spying on user activity, and sending bulk SMSs to the victim's contacts: 
  • CHANGE_WIFI_STATE : Modify Device’s Wi-Fi settings 
  • READ_CONTACTS: Access to phone contacts 
  • READ_EXTERNAL_STORAGE: Access device external storage 
  • WRITE_EXTERNAL_STORAGE: Modify device external storage 
  • READ_PHONE_STATE: Access phone state and information 
  • CALL_PHONE: Perform call without user intervention 
  • READ_SMS : Access user’s SMSs stored in the device 
  • REQUEST_INSTALL_PACKAGES : Install applications without user interaction 
  • SEND_SMS: This allows the app to send SMS messages 
  • SYSTEM_ALERT_WINDOW: The display of system alerts over other apps 
The code analysis shows that many classes are missing from the APK file. To avoid signature-based detection, the malicious code uses a custom packer. 

Cyble concluded, “We have also observed that the malware authors of Hydra are incorporating new technology to steal information and money from its victims. Alongside these features, the recent trojans have incorporated sophisticated features. We observed the new variants have TeamViewer or VNC functionality and TOR for communication, which shows that TAs are enhancing their TTPs.” 

“Based on this pattern that we have observed, malware authors are constantly adding new features to the banking trojans to evade detection by security software and to entice cybercriminals to buy the malware. To protect themselves from these threats, users should only install applications from the official Google Play Store.” 

18 million potential targets

Commerzbank has 13 million German clients and another 5 million in Central and Eastern Europe. This amounts to a total of 18 million potential targets, which is always an important factor for malware distributors. 

Typically, threat actors utilise SMS, social media, and forum postings to direct potential victims to malicious landing pages that install the APK on German devices. 

If anyone believes they have already fallen into Hydra's trap, it is suggested that they clean their device with a trustworthy vendor's security tool and then do a factory reset.