A New Malware Working On Windows, Linux, and MacOS Targets Your Cryptocurrency: Report

A recent report describes a new malicious operation that has been active for more than a year and has targeted thousands of cryptocurrency users. Dubbed ElectroRAT, it was written from scratch to run on several operating systems and was promoted via dedicated forums and marketing campaigns.

A New Threat For Crypto Users

The cybersecurity company Intezer issued a report describing the latest threat to cryptocurrency users. The firm says it discovered the operation in December 2020, but that it had been active for at least a year by then.

The paper described it as a composition of a “full-fledged marketing campaign, custom cryptocurrency-related applications, and a new Remote Access Tool (RAT) written from scratch.”

The company noted that while it is common for such information stealers to try to collect private keys in order to access victims’ wallets, ElectroRAT differs in a few fundamental ways. The operation was reportedly built from scratch to target multiple operating systems at once, namely Windows, Linux, and macOS.

The malicious applications were typically promoted as highly successful trading tools, or as a way to manage transactions on multiple exchanges from a single interface.

How It Works And The Number Of Victims

The report highlighted that the attackers behind the malicious threat used several well-known blockchain and cryptocurrency forums to promote their operation, including bitcointalk and SteemCoinPan.

The perpetrators set up fake user accounts and published multiple false success stories to tempt readers into visiting the applications’ web pages. Victims then downloaded the app from an external page without realizing it was malware.

Furthermore, the attackers created Twitter and Telegram accounts for a “DaoPoker” application and paid a cryptocurrency media influencer for advertising.

If a victim falls for the lure and installs the app on their device, the perpetrators gain access to their personal information, accounts, and the private keys of their crypto wallets. With that data in hand, they can move funds out of the victim’s hot wallets.

Ultimately, the cybersecurity company estimated that the number of victims that downloaded…


WAPDropper Android Malware Targets Southeast Asia Users, Experts Warn

Security firm Check Point has discovered a new malware family called WAPDropper that spreads through malicious apps and targets users in Southeast Asia.

Victims are charged for expensive premium mobile services once they have installed the apps. The attack resembles the premium-subscription fraud that was popular in the late 2000s.

WAPDropper Malware


How WAPDropper Malware Works

Check Point researchers said the new Android malware is delivered through malicious apps hosted on third-party app stores. Once installed, it signs the user up for premium phone numbers that charge large fees for various services. A CAPTCHA step is sometimes required to finalize the subscription, which the malware handles as part of the fraud.

This results in large phone bills every month until the victim contacts their mobile provider to report the issue or to unsubscribe from the premium number.

This kind of attack was popular in the late 2000s but faded as smartphones took over. It returned in the early 2010s after attackers found that many telephone companies and modern phones still supported the older WAP billing standard.


According to Check Point, WAPDropper operates using two modules: a dropper, and a component that implements the actual WAP billing fraud.

The first module is packed inside the malicious apps, which keeps the footprint and size of the embedded malicious code small and makes it harder to detect at submission time. Once a victim installs one of these apps, the dropper downloads the second component, which then begins defrauding the user.


WAPDropper Malware attackers from Southeast Asia

Check Point researchers say that, based on the premium phone numbers used in the scheme, the cybercriminals are likely from Malaysia or Thailand, or are at least working with people in those countries.

Researchers said the attack is a numbers game, in which more revenue is…


Hacking group Lazarus targets South Korean supply chains

Seoul, Nov 16 : Hackers associated with the infamous Lazarus group, which is suspected of having ties to North Korea, are now targeting South Korean supply chains, cybersecurity researchers from ESET warned on Monday.

The attackers abused legitimate South Korean security software and digital certificates stolen from two different companies to deploy their malware, the researchers said.

The Lazarus Group’s activities were widely reported after it was blamed for the 2014 cyber attack on Sony Pictures Entertainment and the 2017 WannaCry ransomware attack on countries including the US and Britain.

Malware researchers Anton Cherepanov and Peter Kalnai wrote that the attackers are particularly interested in supply-chain attacks because they allow malware to be deployed covertly on many computers at once.

“We can safely predict that the number of supply-chain attacks will increase in the future, especially against companies whose services are popular in specific regions or in specific industry verticals,” the researchers wrote in a post detailing how ESET researchers discovered attempts to deploy Lazarus malware via a supply chain attack in South Korea.

The researchers explained that Internet users in South Korea are often asked to install additional security software when visiting government or Internet banking websites.

WIZVERA VeraPort is a South Korean application that helps manage such additional security software.

After installing this application, users receive and install, through VeraPort, all the software that a given website requires.

The attackers abused this mechanism in order to deliver Lazarus malware from a legitimate but compromised website, according to the ESET researchers.
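The attack above works because a signature made with a stolen certificate is cryptographically valid, so an installer that only asks "is this signed?" will happily run the payload. The example below is an added illustration, not ESET's analysis nor WIZVERA's code: it models the checks a site-driven installer should make before executing a downloaded component. The per-component hash and the expected signer fingerprint are pinned in the site's manifest; a package whose bytes differ, or whose signature comes from the wrong publisher, is rejected even when the platform reports the signature as valid. The manifest format, the `Download` structure, the package contents and the fingerprints are all constructed for this example, and the platform signature check itself is simulated by the `signature_valid` field.

```python
"""Pinned-manifest verification for a site-driven installer (added example).

Assumptions (not from the original report): the website hands the installer
a JSON manifest that pins, per component, the SHA-256 of the package and the
SHA-256 fingerprint of the certificate that must have signed it. The OS
signature verifier is simulated; in practice `signature_valid` and
`signer_fingerprint` would come from the platform's code-signing APIs.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed package bytes and signer fingerprints for the example.
LEGIT_PACKAGE = b"legit bank-keypad-helper installer v1.2.3"
LEGIT_SIGNER = "a1" * 32     # fingerprint of the real publisher's certificate
STOLEN_SIGNER = "de" * 32    # fingerprint of a stolen, still-valid certificate

# Constructed manifest, standing in for the list of required software that a
# banking or government site gives the installer. Both values are pinned.
MANIFEST_JSON = json.dumps({
    "components": [
        {
            "name": "bank-keypad-helper",
            "sha256": sha256_hex(LEGIT_PACKAGE),
            "signer_fingerprint": LEGIT_SIGNER,
        }
    ]
})


@dataclass
class Download:
    name: str
    data: bytes
    signer_fingerprint: str  # as reported by the platform's signature verifier
    signature_valid: bool    # simulated result of that verifier


def verify_component(manifest: dict, dl: Download) -> Tuple[bool, str]:
    """Return (accept, reason). Every check must pass before installation."""
    entry = next((c for c in manifest["components"] if c["name"] == dl.name), None)
    if entry is None:
        return False, "component not listed in manifest"
    # 1. The signature must verify at all (a forged or absent signature fails here).
    if not dl.signature_valid:
        return False, "signature invalid"
    # 2. A valid signature is not enough: it must be from the publisher we expect.
    #    This is what catches a payload signed with a stolen certificate.
    if dl.signer_fingerprint.lower() != entry["signer_fingerprint"].lower():
        return False, "signed by an unexpected publisher"
    # 3. The bytes must be exactly the pinned release, even from the right signer.
    if sha256_hex(dl.data) != entry["sha256"]:
        return False, "hash mismatch"
    return True, "ok"


def run_examples() -> Dict[str, Tuple[bool, str]]:
    """Exercise the verifier on a legitimate download and two attack cases."""
    manifest = json.loads(MANIFEST_JSON)
    cases = {
        # Genuine component, signed by the pinned publisher.
        "legitimate": Download("bank-keypad-helper", LEGIT_PACKAGE, LEGIT_SIGNER, True),
        # Attacker payload served from a compromised site, signed with a stolen
        # but valid certificate: the OS says "valid", signer pinning says no.
        "stolen_cert": Download("bank-keypad-helper", b"attacker payload", STOLEN_SIGNER, True),
        # Same signer as the real publisher, but bytes that are not the pinned
        # release (e.g. a trojanized build): caught by the hash check.
        "tampered_bytes": Download("bank-keypad-helper", LEGIT_PACKAGE + b"x", LEGIT_SIGNER, True),
        # A component the site never asked for should not be installed at all.
        "unlisted": Download("extra-tool", b"whatever", LEGIT_SIGNER, True),
    }
    return {name: verify_component(manifest, dl) for name, dl in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_examples().items():
        print(f"{name:15s} accept={ok!s:5s} {reason}")
```

The ordering of the checks matters for the error you report, not for safety: all three must pass. The practical point is the second check, which is the one a "signature valid" test alone omits, and the third, which stops a correctly signed but unexpected build. The manifest itself must of course be integrity-protected, since an attacker who can rewrite it can repin both values.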

Disclaimer: This story is auto-generated from IANS service.



Kaspersky discovers Ghimob banking malware targets mobile users worldwide – Back End News

While monitoring a Windows campaign of the Guildma banking malware, Kaspersky researchers found URLs distributing not only a malicious .ZIP file for Windows but also a malicious file that appeared to be a downloader for Ghimob, a new mobile banking Trojan.

Once the victim grants it access to Android’s Accessibility services, Ghimob can establish persistence and block manual uninstallation, capture data, manipulate what is shown on screen, and give the actors behind it full remote control of the device. According to the experts, the developers of this “very typical” mobile Remote Access Trojan (RAT) are heavily focused on users in Brazil but have big plans to expand across the globe. The campaign is still active.

“Latin American cybercriminals’ desire for a mobile banking Trojan with a worldwide reach has a long history,” said Fabio Assolini, security expert at Kaspersky. “We have already seen Basbanke, then BRata, but both were heavily focused on the Brazilian market. In fact, Ghimob is the first Brazilian mobile banking Trojan ready for international expansion.”


Guildma, the threat actor behind it, is part of the infamous Tétrade set of Brazilian banking-malware families, known for scalable malicious activity both in Latin America and in other parts of the world. The group has been actively working on new techniques, developing malware, and targeting fresh victims.

Spying on 153 mobile apps

Its new creation, the Ghimob banking Trojan, lures victims into installing the malicious file through an email suggesting that the recipient has some kind of debt. The email includes a link for the victim to click to “find out more”. Once the RAT is installed, the malware reports the successful infection to its server. That message includes the phone model, whether the device has lock-screen security, and a list of the installed apps that the malware is able to target. In total, Ghimob can spy on 153 mobile apps, mainly from banks, fintech companies, cryptocurrency services, and exchanges.

When it comes to functions, Ghimob is a spy in the victim’s pocket. Developers can remotely…