NoGoolag
Emotet - Takedown

What the fuck is this week? Lazarus Group targeting researchers, iPhone exploits, Chrome 0days, sudo 0days, and now Emotet is taken down? Holy christ...

https://nitter.net/vxunderground/status/1354411600367808518#m

#malware #botnet #emotet #bka #europol #busted #takedown #video
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
New Advanced Android Malware Posing as “System Update”

Another week, and another major mobile security risk. A few weeks ago, Zimperium zLabs researchers disclosed unsecured cloud configurations exposing information in thousands of legitimate iOS and Android apps (you can read more about it in our blog). This week, zLabs is warning Android users about a sophisticated new malicious app.

The new malware disguises itself as a System Update application, and is stealing data, messages, images and taking control of Android phones. Once in control, hackers can record audio and phone calls, take photos, review browser history, access WhatsApp messages, and more (a complete list is below).

https://blog.zimperium.com/new-advanced-android-malware-posing-as-system-update/

#android #malware #alert
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
Complex new SMS malware discovered

Cell phone users in Canada and the United States are being targeted by a new and advanced form of SMS malware that lures victims with COVID-19-related content.

This complex malware, named TangleBot by Cloudmark threat analysis because of its multiple levels of obfuscation, can directly obtain personal information, control device interaction with apps and overlay screens, and steal account information from financial activities initiated on the device.

How does it work?

TangleBot sends SMS text messages themed around coronavirus regulations and third doses of COVID vaccines known as booster shots to entice users into downloading malware. Victims who take the lure unwittingly download malware that compromises the security of their device and configures the system so that confidential information can be exfiltrated to systems controlled by the attacker(s).

TangleBot can overlay banking or financial apps and directly steal the victim’s account credentials.

TangleBot can use the victim’s device to message other mobile devices, spreading throughout the mobile network.

Complete control over the infected device

The malware allows the threat actor(s) to control everything including contacts, SMS and phone capabilities, call logs, internet access, and camera and microphone on an infected device and employs multiple levels of obfuscation to keep its presence hidden from the device's user.

Examples of a few SMS messages

The messages sent as part of the malware campaign appear to be warnings or appointment notifications. One such SMS contained the text "New regulations about COVID-19 in your region. Read here:" followed by a malicious link.

Another preceded a malicious link with the statement: "You have received the appointment for the 3rd dose. For more information visit:"

Users who click on the link are taken to a website where they are notified that the Adobe Flash Player software on their device is out of date and must be updated for them to proceed. If the user clicks on the subsequent dialog boxes, TangleBot malware is installed on the Android device.


https://www.infosecurity-magazine.com/news/complex-new-sms-malware-discovered/

#tanglebot #malware #sms #covid
FinSpy: unseen findings

FinSpy, also known as FinFisher or Wingbird, is an infamous surveillance toolset. Kaspersky has been tracking deployments of this spyware since 2011. Historically, its Windows implant was distributed through a single-stage installer. This version was detected and researched several times up to 2018. Since that year, we observed a decreasing detection rate of FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting some suspicious installers of legitimate applications, backdoored with a relatively small obfuscated downloader. We were unable to cluster those packages until the middle of 2019 when we found a host that served these installers among FinSpy Mobile implants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing more than first stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan.

Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit are publicly revealed in this article for the first time.

We decided to share some of our unseen findings about the actual state of FinSpy implants. We will cover not only the version for Windows, but also the Linux and macOS versions, since they have a lot of internal structure and code similarities.

The full details of this research, as well as future updates on FinSpy, are available to customers of the APT reporting service through our Threat Intelligence Portal.

https://securelist.com/finspy-unseen-findings/104322/


#FinSpy #FinFisher #Wingbird #surveillance #malware #trojan
This new Linux malware is 'almost impossible' to detect

Symbiote is parasitic malware that provides rootkit-level functionality

A joint research effort has led to the discovery of Symbiote, a new form of Linux malware that is "almost impossible" to detect.

Symbiote has several interesting features. For example, the malware uses Berkeley Packet Filter (BPF) hooking, a function designed to hide malicious traffic on an infected machine. BPF is also used by malware developed by the Equation Group.

The malware is pre-loaded before other shared objects, allowing it to hook specific functions – including libc and libpcap – to hide its presence. Other files associated with Symbiote are also concealed and its network entries are continually scrubbed.

https://www.zdnet.com/article/this-new-linux-malware-is-almost-impossible-to-detect/

#linux #symbiote #malware
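Symbiote gets ahead of every other shared object through the dynamic linker's preload mechanism, and the two places that mechanism is configured (the LD_PRELOAD environment variable and the system-wide /etc/ld.so.preload file) are plain text that a defender can audit. The script below is an added example, not code from the ZDNet article or from the Symbiote research; the "trusted prefix" list and the sample preload content are assumptions constructed for the demo.

```python
"""Spot LD_PRELOAD-style shared-object injection on a Linux host.

The dynamic linker honours LD_PRELOAD in a process's environment and the
system-wide /etc/ld.so.preload file. Both are ordinary text, so both can be
parsed and scored. Added example; not the article's or the researchers' code.
"""
import os
import re
from pathlib import Path

# Directories a legitimate preload normally lives under; anything elsewhere is
# flagged. This list is an assumption; adjust it to the host's baseline.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_preload_file(text: str) -> list[str]:
    """Return shared-object paths listed in ld.so.preload content.

    Entries are whitespace-separated and '#' starts a comment, which the
    loader ignores to end of line.
    """
    objects = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        objects.extend(line.split())
    return objects


def parse_environ(raw: bytes) -> list[str]:
    """Return LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob.

    LD_PRELOAD separates multiple objects with spaces or colons.
    """
    for entry in raw.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []


def assess(objects: list[str]) -> list[dict]:
    """Flag each preloaded object that sits outside the trusted directories or
    is not visible on disk (a preloaded library that has been unlinked or
    hidden is itself a red flag)."""
    return [
        {
            "object": obj,
            "untrusted_path": not obj.startswith(TRUSTED_PREFIXES),
            "missing_on_disk": not os.path.exists(obj),
        }
        for obj in objects
    ]


def scan_host() -> dict:
    """Live check: the system preload file plus LD_PRELOAD of every readable process."""
    report = {"ld_so_preload": [], "processes": {}}
    preload = Path("/etc/ld.so.preload")
    if preload.exists():
        report["ld_so_preload"] = assess(parse_preload_file(preload.read_text()))
    for pid_dir in Path("/proc").glob("[0-9]*"):
        try:
            objs = parse_environ((pid_dir / "environ").read_bytes())
        except OSError:
            continue  # not readable by this user, or the process already exited
        if objs:
            report["processes"][int(pid_dir.name)] = assess(objs)
    return report


if __name__ == "__main__":
    # Constructed sample content instead of the live host, so output is predictable.
    sample = "/usr/lib/libexample.so\n/tmp/.x/libhide.so  # constructed entry\n"
    for finding in assess(parse_preload_file(sample)):
        print(finding)
```

Because the article says Symbiote hooks libc and hides its own files, reading /etc/ld.so.preload through a dynamically linked Python on a live infected host may return a sanitised view; run the check from a statically linked binary, a rescue boot, or against a mounted disk image to trust the result.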
Paragon Graphite is a Pegasus spyware clone used in the US

The US government banned the use of NSO’s Pegasus spyware 18 months ago, but a new report today says that at least one government agency is using very similar malware from a rival company: Paragon Graphite.

According to four [industry figures], the US Drug Enforcement and Administration Agency is among the top customers for Paragon’s signature product nicknamed Graphite.


The #malware surreptitiously pierces the protections of modern smartphones and evades the encryption of messaging apps like #Signal or #WhatsApp, sometimes harvesting the data from cloud backups – much like Pegasus does.

#spyware #US #Clone #Pegasus #NSO #DEA #ParagonGraphite #Paragon
Mystic Stealer | Zscaler – June 2023

Mystic Stealer, a fresh stealer lurking in the cyber sphere, noted for its data theft capabilities, obfuscation, and an encrypted binary protocol to enable it to stay under the radar and evade defenses.

Key data theft functionality includes the ability to capture history and auto-fill data, bookmarks, cookies, and stored credentials from nearly 40 different web browsers. In addition, it collects Steam and Telegram credentials as well as data related to installed cryptocurrency wallets. The malware targets more than 70 web browser extensions for cryptocurrency theft and uses the same functionality to target two-factor authentication (2FA) applications. The approach used by Mystic Stealer is similar to what was reported for Arkei Stealer.


#Malware #MysticStealer #Trojan
Millions of mobile phones come pre-infected with malware • The Register – May 2023

The malware turns the devices into proxies which are used to steal and sell SMS messages, take over social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud.

Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.


Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices – Trendmicro - May 2023

An overview of the Lemon Group’s use of preinfected mobile devices, and how this scheme is potentially being developed and expanded to other internet of things (IoT) devices. This research was presented in full at the Black Hat Asia 2023 Conference in Singapore in May 2023


#LemonGroup #Guerrilla #Malware
Stealth Soldier Backdoor Used in Targeted Espionage Attacks in North Africa - Check Point Research – June 2023

Check Point Research observed a wave of highly-targeted espionage attacks in Libya that utilize a new custom modular backdoor.
Stealth Soldier malware is an undocumented backdoor that primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information.

The Stealth Soldier infrastructure has some overlaps with the infrastructure of The Eye on the Nile, which operated against Egyptian civil society in 2019. This is the first possible re-appearance of this threat actor since then.

Phishing attacks using third-party applications against Egyptian civil society organizations - Amnesty International – 2019

#StealthSoldier #EyeOnTheNile
#Backdoor #espionage #malware #Egypt #Libya
Fortinet Reverses Flutter-based Android Malware “Fluhorse” | FortiGuard Labs – June 2023

Android/Fluhorse is a recently discovered malware family that emerged in May 2023. What sets this malware apart is its utilization of Flutter, an open-source SDK (software development kit) renowned among developers for its ability to build applications compatible with Android, iOS, Linux, and Windows platforms using a single codebase. While previous instances of threat actors using Flutter for malware exist, such as MoneyMonger, they actually used Flutter for its cross-platform UI elements without carrying the actual malicious payload. So, despite Flutter application reversing being notoriously difficult, MoneyMonger can actually be quite easily reversed with the usual Android reversing techniques.

Eastern Asian Android Assault - FluHorse - Check Point Research – May 2023

#FluHorse #Malware #Flutter #EastAsia
Beyond the Horizon: Traveling the World on Camaro Dragon’s USB Flash Drives - Check Point Research – June 2023

In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, whose focus is primarily on Southeast Asian countries and their close peers.


#CamaroDragon #USB #Flashdrive #MustangPanda #LuminousMoth #espionage #malware #China #Asia
When Governments Attack: Nation-State Malware Exposed – 2015

Cyberwar takes place every single day, all around us. We don't see it and we're not always directly affected by it, but we share the cost of every attack. Be that through monetary loss, services we cannot use, or even with the omnipresent backdrop that something might go down somewhere, malicious cyber activities perpetrated by nation-state threat-actors are on the rise.
It makes sense, really. You see how stupendously effective "regular" malware is. How easy is it to pick up an infection from an errant spam email, or for someone to plug an infected USB stick into a computer?
It stands to reason that governments with access to vast pools of knowledge, colossal funding, and an insurmountable desire to be one step ahead of both ally and enemy would realize the value in deploying incredibly sophisticated spyware and malware variants.
Let's take a look at some of the most famous nation-state threats we're aware of.


#spyware #malware #trojan
#cyberwar
Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks – TheHackerNews - June 2023

The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest.

The findings come from CrowdStrike, which is tracking the adversary under the name Vanguard Panda.

"The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement,"


Falcon Complete MDR Thwarts VANGUARD PANDA Tradecraft – CrowdStrike - June 2023

#VoltTyphoon #VanguardPanda #China #espionage #spyware #malware
Securonix Threat Labs Security Advisory: New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities Dropping Multiple RAT Payloads Using Security Analytics - Securonix – June 2023

An interesting phishing campaign was recently analyzed by the Securonix Threat Research Team. The attack kicks off when the user clicks on a heavily obfuscated JavaScript file contained in a password protected zip file. Some of the victims targeted by the MULTI#STORM campaign appear to be in the US and India.

The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, such as Warzone RAT and Quasar RAT. Both are used for command and control during different stages of the infection chain.


#RAT #MultiStorm #Trojan #JS #Python #malware #India #US
How the Malware-as-a-Service market works | Securelist – June 2023

Money is the root of all evil, including cybercrime. Thus, it was inevitable that malware creators would one day begin not only to distribute malicious programs themselves, but also to sell them to less technically proficient attackers, thereby lowering the threshold for entering the cybercriminal community. The Malware-as-a-Service (MaaS) business model emerged as a result of this, allowing malware developers to share the spoils of affiliate attacks and lowering the bar even further. We have analyzed how MaaS is organized, which malware is most often distributed through this model, and how the MaaS market depends on external events.
Results of the research
We studied data from various sources, including the dark web, identified 97 families spread by the MaaS model from 2015, and broke these down into five categories by purpose: ransomware, infostealers, loaders, backdoors, and botnets.

https://arxiv.org/pdf/2207.00890
#MaaS #malware
CERTFR-2021-CTI-003.pdf (1.2 MB)
Malware as a service - ANSSI / EN - 2021 - EMOTET
#MaaS #malware
Kaspersky reveals new method to detect Pegasus spyware | Kaspersky

Kaspersky's Global Research and Analysis Team (GReAT) has developed a lightweight method to detect indicators of infection from sophisticated iOS spyware such as #Pegasus, #Reign, and #Predator through analyzing Shutdown.log, a previously unexplored #forensic artifact.

The company’s experts discovered Pegasus infections leave traces in the unexpected system log, Shutdown.log, stored within any mobile #iOS device’s sysdiagnose archive. This archive retains information from each reboot session, meaning anomalies associated with the Pegasus malware become apparent in the log if an infected user reboots their device.

Among those identified were instances of ”sticky“ processes impeding reboots, particularly those linked to Pegasus, along with infection traces discovered through cybersecurity community observations.

#Pegasus #NSO #Reign #Predator #iOS #Spyware #Malware #Kaspersky #MobileForensics #CyberSec
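The detection idea in the post is that a reboot-blocking ("sticky") process leaves a record in Shutdown.log for every reboot it survives, so the same unexpected binary recurring across sessions stands out. The following is an added example, not Kaspersky's tool: the line format is approximated and the sample log is constructed for the demo, so the regular expressions and the "expected directory" heuristic are assumptions to confirm against a real sysdiagnose archive.

```python
"""Triage an iOS Shutdown.log for processes that repeatedly stalled reboot.

The log, found inside a sysdiagnose archive, records for each shutdown the
clients that had not exited when the system sent SIGTERM. Added example with
a constructed, approximated line format; it is not Kaspersky's tool.
"""
import re
from collections import Counter

# Constructed sample. Real logs look similar, but verify the exact format
# against a log from the device under analysis before relying on the regexes.
SAMPLE_LOG = """\
SIGTERM: [0x3f1] 2 client(s) remaining
SIGTERM: [0x3f1] remaining client pid: 98 (/usr/sbin/mediaserverd)
SIGTERM: [0x3f1] remaining client pid: 412 (/private/var/tmp/example-sticky-binary)
Shutdown at 2023-11-02 18:40:12
SIGTERM: [0x3f2] 1 client(s) remaining
SIGTERM: [0x3f2] remaining client pid: 417 (/private/var/tmp/example-sticky-binary)
Shutdown at 2023-11-03 07:12:55
SIGTERM: [0x3f3] 0 client(s) remaining
Shutdown at 2023-11-04 09:01:03
"""

CLIENT_RE = re.compile(r"remaining client pid: (\d+) \((.+)\)")
SHUTDOWN_RE = re.compile(r"^Shutdown at (.+)$")

# Directories where user-space daemons normally live on iOS; a sticky client
# outside them deserves a closer look. This list is a heuristic assumption.
EXPECTED_PREFIXES = ("/usr/", "/System/", "/Applications/", "/sbin/", "/bin/")


def parse_shutdown_log(text):
    """Split the log into reboot sessions: [{'shutdown': ts, 'clients': [(pid, path), ...]}]."""
    sessions, current = [], []
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            current.append((int(m.group(1)), m.group(2)))
            continue
        m = SHUTDOWN_RE.match(line)
        if m:
            sessions.append({"shutdown": m.group(1), "clients": current})
            current = []
    return sessions


def sticky_processes(sessions, min_sessions=2):
    """Paths that blocked shutdown in at least `min_sessions` separate reboots."""
    counts = Counter(path for s in sessions for _, path in s["clients"])
    return {path: n for path, n in counts.items() if n >= min_sessions}


def suspicious_paths(sessions):
    """Sticky clients living outside the expected system directories."""
    return sorted({path for s in sessions for _, path in s["clients"]
                   if not path.startswith(EXPECTED_PREFIXES)})


if __name__ == "__main__":
    sessions = parse_shutdown_log(SAMPLE_LOG)
    print("reboots recorded:", len(sessions))
    print("recurring sticky clients:", sticky_processes(sessions))
    print("clients outside expected dirs:", suspicious_paths(sessions))
```

Both heuristics produce leads, not verdicts: a legitimate daemon can stall one reboot, and a persistence path can sit under a system directory, so each hit still needs to be cross-checked against the device's other artifacts and the community-published indicators the post refers to.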
Coper / Octo - A Conductor for Mobile Mayhem… With Eight Limbs? | Team Cymru

Coper, a descendant of the Exobot malware family, was first observed in the wild in July 2021, targeting Colombian Android users. At that time, Coper (the Spanish translation of “Copper”) was distributed as a fake version of Bancolombia’s “Personas” application.

The malware offers a variety of advanced features, including keylogging, interception of SMS messages and push notifications, and control over the device's screen. It employs various injects to steal sensitive information, such as passwords and login credentials, by displaying fake screens or overlays. Additionally, it utilizes VNC (Virtual Network Computing) for remote access to devices, enhancing its surveillance capabilities.

#Android #MAS #Exobot #Keylogging #Malware #RemoteAccess #SMS #Coper #Octo
Android Malware Vultur Expands Its Wingspan | NCC Group Research Blog

The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device.

Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions.

Via @androidMalware
#Android #Malware #Vultur