Tag Archive for: Campaign

XPhase Clipper Malware Campaign Targets Crypto Users

/in


A new strain of malware dubbed XPhase Clipper has been stealthily targeting cryptocurrency users. This Clipper malware infiltrates unsuspecting victims’ systems through deceptive websites masquerading as authentic cryptocurrency platforms. 

XPhase Clipper Malware
Source: Cyble

Cybersecurity experts at Cyble Research and Intelligence Labs (CRIL) have found this concerning trend where a large-scale operation is using cloned YouTube videos to target unsuspecting victims on the internet.

This is a churned-down version of the report, shedding light on its modus operandi and the infection chain of XPhase Clipper malware. 

Understanding the XPhase Clipper Malware Campaign

XPhase Clipper Malware Campaign
Source: Cyble

Clipper malware poses a serious threat to cryptocurrency users by pilfering sensitive information, particularly cryptocurrency wallet addresses, from the clipboard. 

With the increasing popularity of cryptocurrencies like Bitcoin and Ethereum, cybercriminals are increasingly exploiting users to abscond with their funds.

XPhase Clipper represents a sophisticated iteration of this malware strain, designed to intercept and manipulate copied cryptocurrency wallet addresses, rerouting funds to the attackers’ accounts. 

The threat actors behind the XPhase Clipper malware campaign are exclusively targeting cryptocurrency users worldwide, deploying a series of deceptive tactics to ensnare victims. 

XPhase Clipper Malware Campaign
Source: Cyble

Notably, phishing sites impersonating reputable platforms such as Metamask and Wazirx have emerged as conduits for spreading the XPhase Clipper payload.

XPhase Clipper
Source: Cyble

These malicious sites lure users into downloading a zip file housing an array of malicious components, including a dropper executable, VB Script, and Batch script files, culminating in the execution of the clipper payload in the form of a DLL file.

Clipper Malware
Source: Cyble

XPhase Clipper Malware Targets Indian Crypto Users 

Upon closer examination, CRIL found that the infection chain is meticulously orchestrated, with each stage serving to conceal the malicious activities of the XPhase Clipper. 

The VB Script plays an important role in facilitating the download and execution of the clipper payload, while the Batch script ensures persistence by adding a registry…

Source…

Ars Technica used in malware campaign with never-before-seen obfuscation

/in


Ars Technica used in malware campaign with never-before-seen obfuscation

Getty Images

Ars Technica was recently used to serve second-stage malware in a campaign that used a never-before-seen attack chain to cleverly cover its tracks, researchers from security firm Mandiant reported Tuesday.

A benign image of a pizza was uploaded to a third-party website and was then linked with a URL pasted into the “about” page of a registered Ars user. Buried in that URL was a string of characters that appeared to be random—but were actually a payload. The campaign also targeted the video-sharing site Vimeo, where a benign video was uploaded and a malicious string was included in the video description. The string was generated using a technique known as Base 64 encoding. Base 64 converts text into a printable ASCII string format to represent binary data. Devices already infected with the first-stage malware used in the campaign automatically retrieved these strings and installed the second stage.

Not typically seen

“This is a different and novel way we’re seeing abuse that can be pretty hard to detect,” Mandiant researcher Yash Gupta said in an interview. “This is something in malware we have not typically seen. It’s pretty interesting for us and something we wanted to call out.”

The image posted on Ars appeared in the about profile of a user who created an account on November 23. An Ars representative said the photo, showing a pizza and captioned “I love pizza,” was removed by Ars staff on December 16 after being tipped off by email from an unknown party. The Ars profile used an embedded URL that pointed to the image, which was automatically populated into the about page. The malicious base 64 encoding appeared immediately following the legitimate part of the URL. The string didn’t generate any errors or prevent the page from loading.

Pizza image posted by user.
Enlarge / Pizza image posted by user.
Malicious string in URL
Enlarge / Malicious string in URL

Mandiant researchers said there were no consequences for people who may have viewed the image, either as displayed on the Ars page or on the website that hosted it. It’s also not clear that any Ars users visited the about page.

Source…

‘Bigpanzi’ Botnet Campaign Targets Android TVs, Set-Top Boxes

/in


When asked about smart home devices, cybersecurity experts will generally say to be wary of them, or at least make sure they’re segmented from the home’s main network or on a VLAN. And, when asked about which devices gives them most pause, they will largely agree that smart TVs are the most insecure devices that can appear on a home’s network. Now, a Chinese cybersecurity firm is confirming those suspicions and is sounding the alarm on a large botnet campaign called “Bigpanzi” that is targeting Android OS smart TVs and set-top boxes and has been active since 2015.

QiAnXin, a cybersecurity service and anti-virus software firm says the hackers entice users to install free or cheap audiovisual apps for firmware updates and embed backdoor components to transform those devices into part of the Bigpanzi botnet to carry out further malicious activity, such as traffic proxying, DDoS attacks, OTT content provision and pirating traffic.

Unlike a typical botnet, Bigpanzi’s activities extend far beyond DDoS attacks, using Android TVs and set-top boxes to disseminate visual or audio content.

One example was a network attack on set-top boxes in the United Arab Emirates in which attackers substituted regular broadcasts with footage of the Israel-Palestine conflict, according to QiAnXin.

“The potential for Bigpanzi-controlled TVs and STBs to broadcast violent, terroristic, or pornographic content, or to employ increasingly convincing AI-generated videos for political propaganda, poses a significant threat to social order and stability,” company researchers write in a blog.

Researchers say the hacking group, which has successfully hidden themselves for eight years, infects user devices via pirated movie and TV apps on Android devices, backdoored generic OTA firmware on Android devices, and backdoored “SmartUpTool” firmware on eCos devices.

Researchers say the peak daily active bots in the campaign were around 170,000, primarily in Brazil. Nodes are primarily distributed across Brazil, amazing over 1.3 million distinct IPs since August, the company says.

While a botnet of that size is alarming enough,…

Source…

Security Report Blows The Whistle On A Massive Android TV Botnet Campaign

/in


security report blows the whistle on a massive android tv botnet campaign

Botnet activities are usually sniffed out and found fairly routinely, but it seems that a previously unknown cybercrime gang named Bigpanzi has been laying low and getting away with it. New reports suggest that this gang has amassed a 170,000-device-strong botnet since 2015, developing along with it an admittedly impressively vast infrastructure network.

This week, researchers out of Qianxin Xlabs, a Chinese research group, published a report on the threat group Bigpanzi. This discovery began with the finding of a virus sample called pandoraspear, which contained nine hardcoded C2 domain names. Two of these domain names were expired, so the researchers elected to register the domains and determine the botnet’s size. This allowed them to find that the network had 170,000 daily active bots which are primarily based out of Brazil.

apps security report blows the whistle on a massive android tv botnet campaign
Examples of some of the sites for the malicious apps.

While the Bigpanzi gang went after the researchers after they made this discovery, the investigation continued. This allowed them to find several download scripts and other information, further revealing the threat actor group’s infrastructure and motives. Namely, it is noted that the group “primarily targets Android OS TVs and set-top boxes, as well as eCos OS set-top boxes.” This is based on getting users to install apps or updates to gain control of the systems rather than relying on leveraging vulnerabilities.

map security report blows the whistle on a massive android tv botnet campaign

Beyond standard botnet activities like distributed denial-of-service (DDoS), this network can “disseminate any form of visual or audio content, unbound by legal constraints.” The concern is that the botnet could “broadcast violent, terroristic, or pornographic content, or to employ increasingly convincing AI-generated videos for political propaganda, poses a significant threat to social order and stability.”

How this group operates and its potential capabilities are rather interesting, as this is something that has yet to be seen. Further, it is fascinating that they have been able to lay low for so long without discovery while being so widespread. You can see the full coverage of the group on the Xlabs site, but perhaps the key takeaway is that one should not just install…

Source…