
Legitimate Android app transforms into data-snooping malware


ESET researchers have discovered a trojanized Android app named iRecorder – Screen Recorder. It was available on Google Play as a legitimate app in September 2021, with malicious functionality most likely added in August 2022. During its existence, the app was installed on more than 50,000 devices.

[Image: Trojanized iRecorder app]

The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has been customized into what ESET named AhRat. The malicious app is capable of recording audio using the device’s microphone and stealing files, suggesting it might be part of an espionage campaign.

Besides the Google Play Store, ESET Research has not detected AhRat anywhere else in the wild. However, this is not the first time that AhMyth-based Android malware has been available on the official store; ESET previously published research on such a trojanized app in 2019. Back then, the spyware, built on the foundations of AhMyth, circumvented Google’s app-vetting process twice, as a malicious app providing radio streaming. However, the iRecorder app can also be found on alternative and unofficial Android markets, and the developer also provides other applications on Google Play, but they don’t contain malicious code.

“The AhRat research case serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy. While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update, or that a malicious actor introduced this change in the app, so far we have no evidence for either of these hypotheses,” explains ESET researcher Lukáš Štefanko, who discovered and investigated the threat.

The remotely controlled AhRat is a customization of the open-source AhMyth RAT, which means that the authors of the malicious app invested significant effort into understanding the code of both the app and the back end, ultimately adapting it to suit their own needs.

Aside from providing legitimate screen recording functionality, the…


Hackers used legitimate remote help-desk tools to scam multiple US federal agencies


TL;DR: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint warning that threat actors (TA) are ramping up a hacking/phishing campaign employing legitimate remote monitoring and management (RMM) software. The CISA notes that it has discovered multiple attacks within federal civilian executive branch (FCEB) networks.

In September 2022, CISA performed audits on several FCEB networks and found that they had fallen victim to a “widespread, financially motivated phishing campaign.” A month later, security researchers at Silent Push reported on a “typosquatting” trojan campaign impersonating several trusted brands, including PayPal, Microsoft, Geek Squad, and Amazon. On Wednesday, CISA confirmed that several federal staff members had fallen for the help-desk-themed phishing campaign.

“[We] assess that since at least June 2022, cyber criminal actors have sent help desk-themed phishing emails to FCEB federal staff’s personal, and government email addresses,” the alert reads.

The scams are somewhat more sophisticated than the typical phishing emails most people ignore. Dubbed “callback phishing,” the emails are crafted to appear legitimate, like the one above from “Geek Squad.” They take the form of a high-priced subscription auto-renewal notice and list either a phone number to call to cancel the automatic charge or a link to a “first-stage malicious domain.” These are pages that mimic legitimate businesses such as PayPal, and their URLs are disguised to look plausible, for example paypalsec.com.

When targets call the number or visit the domain, they are talked into downloading legitimate RMM help-desk software from a second-stage domain; CISA specifically named ScreenConnect and AnyDesk. The bad actors use portable executables to bypass security controls that prevent employees from installing software. Portable executables are .exe files that run without being installed on the computer, and most desktop-sharing products offer them.

Once the TAs have access to the target through the RMM software, they attempt to execute a refund scam. This attack involves convincing the…


Godfather Banking Trojan Masquerades as Legitimate Google Play App


A type of Android malware that’s been targeting banking users worldwide since March has resurfaced with advanced obfuscation methods, masquerading as a legitimate application on the Google Play store with more than 10 million downloads, researchers have found.

Godfather is a banking Trojan that is best known for targeting banking users in European countries, but its latest activity shows an increased sophistication in its ability to fly under the radar of common malware-detection methods, researchers from Cyble Research & Intelligence Labs (CRIL) said in a blog post on Dec. 20.

Once it’s successfully installed on a victim’s device, Godfather initiates a series of typical banking Trojan behaviors, including stealing banking and crypto-exchange credentials, the researchers said. But it also steals sensitive data such as SMS messages, basic device details — including data about installed applications — and the device’s phone number, and it can perform a number of nefarious actions silently in the background.

“Apart from these, it can also control the device screen using VNC [virtual network computing], forwarding incoming calls of the victim’s device and injecting banking URLs,” the Cyble researchers wrote.

The latest sample of Godfather that researchers discovered was encrypted using custom encryption techniques that could evade detection by common antivirus products — a new tactic of the threat actors behind the malware, the researchers said.

Targeting Businesses & Consumers

Upon further examination, the researchers found that the malware was using an icon and name similar to the legitimate Google Play app MYT Music, which has already logged more than 10 million downloads. Indeed, threat actors often hide malware on Google Play, despite Google’s best efforts in the last several years to keep bad apps off its store before users are affected by them.

MYT Music is written in Turkish, so the researchers assume the Godfather sample they discovered is targeting Android users in Turkey. However, they suspect other versions of the malware remain active and continue to target banking users worldwide.

Though banking Trojans tend to affect consumers more than the enterprise, business…


Hack Backs: A Legitimate Tactic or Counter-Productive?


The prolific LockBit ransomware gang was subject to a DDoS attack that resulted in its data leak site being shut down temporarily, according to reports that emerged in mid-August 2022. Typically, it is threat actors who leverage DDoS attacks as an easy, cheap and effective tactic, capable of causing enormous disruption and loss of business to victims. To witness a notorious cyber-criminal gang targeted in this way would likely have been satisfying to many who observe, and are impacted by, the damage groups like LockBit cause.

Reports of the DDoS attack came shortly after LockBit claimed responsibility for an attack on cybersecurity vendor Entrust in June, after which the gang failed to secure a ransom.

The company confirmed in July that threat actors had breached its network and exfiltrated data from its internal systems. Shortly after allegedly leaking data stolen from Entrust on August 19, LockBit’s leak site was disrupted by a DDoS attack, which it now appears to be recovering from.

Unsurprisingly, there are suggestions that the two incidents are linked, with some surmising that the perpetrator of the DDoS strikes against LockBit was seeking revenge for the ransomware attack and/or trying to prevent the stolen data from being leaked. However, at this time there is no clear evidence showing who targeted LockBit.

“There is no tangible evidence that suggests Entrust was behind the retaliatory attack,” Tom Huckle, director of information security & compliance at BlueVoyant, told Infosecurity. “Despite the DDoS HTTPS requests seemingly pointing to the perpetrator being Entrust, this is merely circumstantial evidence and not definitive. This could be an unaffiliated company or individual working on behalf of Entrust, or it could be a rival to the LockBit gang using this as an opportunity to attack its infrastructure.”

Brian Honan, CEO of BH Consulting, concurred: “Just because a company’s name is mentioned as part of the message with the attack does not mean that company is actually behind the attack. As with all cyber-attacks, attribution is not as simple as it seems and more details and analysis are required to determine who is behind an…
