Tag Archive for: Variant

GravityRAT Android Malware Variant Steals WhatsApp Backups

/in


Heads up, Android users! The latest GravityRAT malware variant now targets Android devices and steals WhatsApp chat backups. The malware reaches the devices by posing as a chat app. Again, this highlights the essentiality of downloading only known apps from trusted sources.

GravityRAT Android Malware Steals WhatsApp Backups

According to a recent report from ESET, a new GravityRAT malware variant has been actively targeting Android devices.

GravityRAT is a spyware known since 2015 as a potent remote access trojan targeting Windows, macOS, and Android systems. It has run numerous malicious campaigns with different iterations, each bearing more advanced malicious capabilities.

The recent GravityRAT variant targets Android devices and steals various files, including WhatsApp backups. To achieve this goal, the threat actors rolled out “BingeChat,” – a supposed chat app. The app offers numerous attractive features, including end-to-end encryption, voice chats, file sharing, an easy user interface, and free availability to lure users.

To further instigate curiosity and add a sense of legitimacy to the app, the threat actors have restricted the app download to an “invite-only” mode with registration requirements. This seemingly prevents the app analysis from potential researchers and ensures a targeted victim base.

Apparently, the app functions usually because the threat actors have developed it on the open-source Android messenger OMEMO IM. That’s how it avoids alarming users about the embedded GravityRAT malware in this trojanized app.

After being downloaded and installed, the app requests risky permissions, which any legit messaging app would request. These include access to SMS messages, contact lists, call logs, location, and device details. Once obtained, the app transmits all this information to the attackers’ C&C.

Alongside these capabilities, the new GravityRAT malware hidden inside the BingeChat app also receives commands regarding file deletion, call log deletion, and contact list deletion. Moreover, it steals files with various extensions, including crypt14, crypt12, crypt13, and crypt18 extensions that often represent WhatsApp chat

Source…

Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant

/in


Dec 10, 2022Ravie LakshmananHack-for-Hire / Threat Intelligence

Hack-for-Hire Group

Travel agencies have emerged as the target of a hack-for-hire group dubbed Evilnum as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe.

The attacks targeting law firms throughout 2020 and 2021 involved a revamped variant of a malware called Janicab that leverages a number of public services like YouTube as dead drop resolvers, Kaspersky said in a technical report published this week.

Janicab infections comprise a diverse set of victims located in Egypt, Georgia, Saudi Arabia, the UAE, and the U.K. The development marks the first time legal organizations in Saudi Arabia have been targeted by this group.

Also tracked as DeathStalker, the threat actor is known to deploy backdoors like Janicab, Evilnum, Powersing, and PowerPepper to exfiltrate confidential corporate information.

CyberSecurity

“Their interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles,” the Russian cybersecurity company noted in August 2020.

According to ESET, the hacking crew has a pattern of harvesting internal company presentations, software licenses, email credentials, and documents containing customer lists, investments and trading operations.

Earlier this year, Zscaler and Proofpoint uncovered fresh attacks orchestrated by Evilnum that have been directed against companies in the crypto and fintech verticals since late 2021.

Hack-for-Hire Group

Kaspersky’s analysis of the DeathStalker intrusions has revealed the use of an LNK-based dropper embedded inside a ZIP archive for initial access by means of a spear-phishing attack.

The lure attachment purports to be a corporate profile document related to power hydraulics that, when opened, leads to the deployment of the VBScript-based Janicab implant, which is capable of command execution and deploying more tools.

Newer versions of the modular malware have simultaneously removed audio recording features and added a keylogger module that shares overlaps with prior Powersing attacks. Other functions include…

Source…

New ‘BianLian’ Ransomware Variant on the Rise

/in


Cybercriminals are swarming to deploy an emerging ransomware variant called BianLian that was written in Go, the Google-created open source programming language.

BianLian has been rising popularity since it was first outed in mid-July, according to researchers at Cyble Research Labs, which published details on their study of the ransomware in a blog post last week. Threat actors so far have cast a wide net with the novel BianLian malware, which counts organizations in media and entertainment; manufacturing; education; healthcare; and banking, financial services, and insurance (BFSI) among its victims so far.

Specifically, the media and entertainment sector has taken the brunt of BianLian attacks, with 25% of victims in this industry so far, and 12.5% each in the professional services, manufacturing, healthcare, energy and utilities, and education sectors, according to Cyble.

Attackers using BianLian typically demand unusually high ransoms, and they utilize a unique encryption style that divides the file content into chunks of 10 bytes to evade detection by antivirus products, the researchers said. “First, it reads 10 bytes from the original file, then encrypts the bytes and writes the encrypted data into the target file,” the Cybel researchers wrote in the post.

BianLian’s operators also use double-extortion methods, threatening to leak key stolen data — such as financial, client, business, technical, and personal files — online if ransom demands aren’t met within 10 days. They maintain an onion leak site for this purpose.

How the Ransomware Variant Works

BianLian functions similarly to other ransomware types in that it encrypts files once it infects a targeted system and sends a ransomware note to its victims letting them know how to contact the operators.

Upon execution of the ransomware, BianLian attempts to identify if the file is running in a WINE environment by checking the wine_get_version() function via the GetProcAddress() API, the researchers said. Then, the ransomware creates multiple threads using the CreateThread() API function to perform faster file encryption, which also makes reverse engineering the malware more difficult, they said.

The malware then identifies the…

Source…

Fresh RapperBot Malware Variant Brute-Forces Its Way Into SSH Servers

/in


Tracked by analysts since mid-June, RapperBot malware has spread through brute-force attacks on SSH servers. The IoT botnet targets devices running on ARM, MIPS, SCARC, and x86 architectures, researchers warn.

The malware is a Mirai variant with a few notable, novel features, including ditching the typical Telnet server brute-force approach in favor of attacking SSH servers instead. Fortinet Labs analysts said that since July, RapperBot has changed up its approach from infecting as many servers as possible to maintaining remote access to those compromised SSH servers.

The malware gets its name from a URL that led to a YouTube rap video in early versions, the researchers explained.

“Due to some significant and curious changes that RapperBot has undergone, its primary motivation is still a bit of a mystery,” the Fortinet advisory on RapperBot said. “Regardless, since its primary propagation method is brute forcing SSH credentials, this threat can easily be mitigated by setting strong passwords for devices or disabling password authentication for SSH (where possible).”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Source…