Complex new SMS malware discovered
Cell phone users in Canada and the United States are being targeted by a new and advanced form of SMS malware that lures victims with COVID-19-related content.
This complex malware, named TangleBot by Cloudmark's threat analysis team because of its multiple levels of obfuscation, can directly obtain personal information, control device interaction with apps and overlay screens, and steal account information from financial activities initiated on the device.
How it works
TangleBot sends SMS text messages themed around coronavirus regulations and third doses of COVID-19 vaccines (booster shots) to entice users into downloading malware. Victims who take the lure unwittingly download malware that compromises the security of their device and configures the system so that confidential information can be exfiltrated to systems controlled by the attacker(s).
TangleBot can overlay banking or financial apps and directly steal the victim’s account credentials.
TangleBot can use the victim’s device to message other mobile devices, spreading throughout the mobile network.
Complete control over the infected device
The malware allows the threat actor(s) to control everything on an infected device, including contacts, SMS and phone capabilities, call logs, internet access, and the camera and microphone, and employs multiple levels of obfuscation to keep its presence hidden from the device's user.
Examples of the SMS messages
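The capability list above (SMS, contacts, call logs, camera, microphone, plus the overlay behaviour described earlier) maps directly onto permissions an Android app has to declare in its manifest, which makes manifest triage a cheap first check when a suspicious APK is pulled from such a campaign. The following is an added example, not code from Cloudmark or Infosecurity Magazine: the permission names are real Android identifiers, but the two manifests are constructed samples and the flagging thresholds are this example's own assumptions, not a published detection rule.

```python
"""Triage an Android manifest for the permission set a TangleBot-style
implant needs: SMS send/receive, overlay ("draw over other apps"), contacts,
call logs, camera and microphone. Added example with constructed input."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Capabilities described in the article, mapped to the manifest permissions
# an app must declare to obtain them (real Android permission strings).
CAPABILITIES = {
    "sms": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.READ_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def capabilities(manifest_xml: str) -> set:
    """Translate raw permissions into the capability names used above."""
    perms = declared_permissions(manifest_xml)
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}


def triage(manifest_xml: str) -> dict:
    """Flag the combinations that matter for this campaign (assumed thresholds):
    overlay + SMS enables credential overlays and self-propagation by text;
    three or more of contacts/call log/camera/microphone suggests broad
    surveillance rather than a single-purpose app."""
    caps = capabilities(manifest_xml)
    flags = []
    if {"overlay", "sms"} <= caps:
        flags.append("overlay+sms")
    if len(caps & {"contacts", "call_log", "camera", "microphone"}) >= 3:
        flags.append("broad-surveillance")
    return {"capabilities": sorted(caps), "flags": flags}


# Constructed sample: a manifest declaring the full set described in the article.
SUSPICIOUS_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.flashupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flash Player"/>
</manifest>"""

# Constructed sample: an ordinary messaging app that only needs SMS and contacts.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Messenger"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(xml))
```

The point of grouping permissions into capabilities is that the report reads in the same terms as the threat description ("can overlay apps and send SMS") rather than as a list of permission strings; a genuine messaging app legitimately declares SMS and contacts, so it is the combination with overlay and the surveillance set that separates the two samples, not any single permission.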
The messages sent as part of the malware campaign appear to be warnings or appointment notifications. One such SMS contained the text "New regulations about COVID-19 in your region. Read here:" followed by a malicious link.
Another preceded a malicious link with the statement: "You have received the appointment for the 3rd dose. For more information visit:"
Users who click on the link are taken to a website where they are told that the Adobe Flash Player software on their device is out of date and must be updated before they can proceed. If the user clicks through the subsequent dialog boxes, the TangleBot malware is installed on the Android device.
https://www.infosecurity-magazine.com/news/complex-new-sms-malware-discovered/
#tanglebot #malware #sms #covid
FinSpy: unseen findings
FinSpy, also known as FinFisher or Wingbird, is an infamous surveillance toolset. Kaspersky has been tracking deployments of this spyware since 2011. Historically, its Windows implant was distributed through a single-stage installer. This version was detected and researched several times up to 2018. Since that year, we observed a decreasing detection rate of FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting some suspicious installers of legitimate applications, backdoored with a relatively small obfuscated downloader. We were unable to cluster those packages until the middle of 2019, when we found a host that served these installers alongside FinSpy Mobile implants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing more than first-stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan.
Apart from the Trojanized installers, we also observed infections involving the use of a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit are publicly revealed in this article for the first time.
We decided to share some of our unseen findings about the actual state of FinSpy implants. We will cover not only the version for Windows, but also the Linux and macOS versions, since they have a lot of internal structure and code similarities.
The full details of this research, as well as future updates on FinSpy, are available to customers of the APT reporting service through our Threat Intelligence Portal.
https://securelist.com/finspy-unseen-findings/104322/
#FinSpy #FinFisher #Wingbird #surveillance #malware #trojan