Laptops given to British schools came preloaded with malware and talked to Russia when booted

Department for Education says: 'We believe this is not widespread'

A shipment of laptops supplied to British schools by the Department for Education to help kids learn under lockdown came preloaded with malware, The Register can reveal.

The affected laptops, distributed to schools under the UK government's Get Help With Technology (GHWT) scheme, which started last year, came bundled with the Gamarue nasty – an old remote access worm from the 2010s.

The Register understands that a batch of 23,000 computers, the GeoBook 1E running Windows 10, made by Shenzhen-headquartered Tactus Group, contained the units that were loaded with malware. A spokesperson for the manufacturer was not available for comment.

https://www.theregister.com/2021/01/21/dept_education_school_laptops_malware/

#Europe #UK #education #school #laptop #malware
Malware "Emotet" dismantled

German investigators have taken over and smashed the infrastructure of the "Emotet" malware, which is considered the most dangerous in the world. The software had also attacked the IT infrastructure of government agencies and hospitals.

The takedown was carried out on Tuesday as part of an internationally coordinated operation, the BKA (Federal Criminal Police Office) announced.

"Emotet" had caused considerable damage to the Berlin Court of Appeal, the Fürth Clinic and the Frankfurt am Main city administration, among others - and also to tens of thousands of private individuals.

https://www.tagesschau.de/wirtschaft/emotet-bka-101.html

#malware #emotet #bka #germany #busted
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Emotet - Takedown

What the fuck is this week? Lazarus Group targeting researchers, iPhone exploits, Chrome 0days, sudo 0days, and now Emotet is taken down? Holy christ...

https://nitter.net/vxunderground/status/1354411600367808518#m

#malware #botnet #emotet #bka #europol #busted #takedown #video
New Advanced Android Malware Posing as “System Update”

Another week, and another major mobile security risk. A few weeks ago, Zimperium zLabs researchers disclosed unsecured cloud configurations exposing information in thousands of legitimate iOS and Android apps (you can read more about it in our blog). This week, zLabs is warning Android users about a sophisticated new malicious app.

The new malware disguises itself as a "System Update" application and steals data, messages and images while taking control of the Android phone. Once in control, the operators can record audio and phone calls, take photos, review browser history, access WhatsApp messages, and more (a complete list is below).

https://blog.zimperium.com/new-advanced-android-malware-posing-as-system-update/

#android #malware #alert
Complex new SMS malware discovered

Cell phone users in Canada and the United States are being targeted by a new and advanced form of SMS malware that lures victims with COVID-19-related content.

This complex malware, named TangleBot by Cloudmark's threat analysis team because of its multiple layers of obfuscation, can directly harvest personal information, control how the device interacts with apps, overlay screens on top of other apps, and steal account information from financial activity initiated on the device.

How it works

TangleBot sends SMS text messages themed around coronavirus regulations and third doses of COVID vaccines known as booster shots to entice users into downloading malware. Victims who take the lure unwittingly download malware that compromises the security of their device and configures the system so that confidential information can be exfiltrated to systems controlled by the attacker(s).

TangleBot can overlay banking or financial apps and directly steal the victim’s account credentials.

TangleBot can use the victim’s device to message other mobile devices, spreading throughout the mobile network.

Complete control over the infected device

The malware allows the threat actor(s) to control everything including contacts, SMS and phone capabilities, call logs, internet access, and camera and microphone on an infected device and employs multiple levels of obfuscation to keep its presence hidden from the device's user.

Examples of the SMS messages

The messages sent as part of the malware campaign appear to be warnings or appointment notifications. One such SMS contained the text "New regulations about COVID-19 in your region. Read here:" followed by a malicious link.

Another preceded a malicious link with the statement: "You have received the appointment for the 3rd dose. For more information visit:"

Users who click on the link are taken to a website where they are notified that the Adobe Flash Player software on their device is out of date and must be updated for them to proceed. If the user clicks on the subsequent dialog boxes, TangleBot malware is installed on the Android device.


https://www.infosecurity-magazine.com/news/complex-new-sms-malware-discovered/

#tanglebot #malware #sms #covid
FinSpy: unseen findings

FinSpy, also known as FinFisher or Wingbird, is an infamous surveillance toolset. Kaspersky has been tracking deployments of this spyware since 2011. Historically, its Windows implant was distributed through a single-stage installer. This version was detected and researched several times up to 2018. Since that year, we observed a decreasing detection rate of FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting some suspicious installers of legitimate applications, backdoored with a relatively small obfuscated downloader. We were unable to cluster those packages until the middle of 2019 when we found a host that served these installers among FinSpy Mobile implants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing more than first stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan.

Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit are publicly revealed in this article for the first time.

We decided to share some of our unseen findings about the actual state of FinSpy implants. We will cover not only the version for Windows, but also the Linux and macOS versions, since they have a lot of internal structure and code similarities.

The full details of this research, as well as future updates on FinSpy, are available to customers of the APT reporting service through our Threat Intelligence Portal.

https://securelist.com/finspy-unseen-findings/104322/


#FinSpy #FinFisher #Wingbird #surveillance #malware #trojan
This new Linux malware is 'almost impossible' to detect

Symbiote is parasitic malware that provides rootkit-level functionality

A joint research effort has led to the discovery of Symbiote, a new form of Linux malware that is "almost impossible" to detect.

Symbiote has several interesting features. For example, the malware uses Berkeley Packet Filter (BPF) hooking to hide its own traffic: it injects a BPF filter into packet-capture tools on the infected machine so that its command-and-control packets are never captured. BPF has also been used by malware developed by the Equation Group.

Rather than running as a standalone process, the malware is a shared object that is loaded into every new process ahead of all other shared objects (via the LD_PRELOAD mechanism). That lets it hook specific libc and libpcap functions to hide its presence: the files associated with Symbiote are filtered out of directory listings, and its network connections are continually scrubbed from the data that tools such as netstat read from /proc/net.

https://www.zdnet.com/article/this-new-linux-malware-is-almost-impossible-to-detect/

#linux #symbiote #malware
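Two offline checks for the preload-based hiding described in the Symbiote post above, as an added example that is neither code from the page nor from the Symbiote researchers. The first scans the places a shared object can be forced into every process (/etc/ld.so.preload, the LD_PRELOAD variable, a process's /proc/<pid>/maps) for objects outside the system library directories; the second exploits the fact that a hooked libc only lies to dynamically linked tools, so a listing from a hooked `ls` can be diffed against one from a statically linked binary. The sample file contents, paths and the "suspicious directory" list are constructed assumptions.

```python
"""
Added example: detect LD_PRELOAD-style shared-object hiding offline.
All inputs are constructed samples; paths and names are hypothetical.
"""
import re

# Directories a legitimately preloaded library would normally live in.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Drop locations commonly used by malware for shared objects (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/")


def parse_preload_list(text: str) -> list[str]:
    """Entries in /etc/ld.so.preload or LD_PRELOAD are separated by
    whitespace or colons; '#' starts a comment in ld.so.preload."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def mapped_objects(maps_text: str) -> set[str]:
    """Paths of file-backed mappings in a /proc/<pid>/maps dump."""
    objs = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode path
        if len(parts) == 6 and parts[5].startswith("/"):
            objs.add(parts[5].strip())
    return objs


def preload_indicators(ld_so_preload: str, environ: dict, maps_text: str) -> list[str]:
    """Return human-readable findings for suspicious preloaded objects."""
    findings = []
    sources = (("/etc/ld.so.preload", ld_so_preload),
               ("LD_PRELOAD", environ.get("LD_PRELOAD", "")))
    for src, text in sources:
        for path in parse_preload_list(text):
            if not path.startswith(TRUSTED_LIB_DIRS):
                findings.append(f"{src}: preloaded object outside system library dirs: {path}")
    for obj in mapped_objects(maps_text):
        # A mapping whose backing file was unlinked ("(deleted)") is another
        # classic sign of a library that does not want to be found on disk.
        if obj.startswith(SUSPICIOUS_DIRS) or obj.endswith("(deleted)"):
            findings.append(f"maps: shared object loaded from suspicious location: {obj}")
    return sorted(findings)


def hidden_entries(dynamic_listing, static_listing) -> set[str]:
    """Names present in a trusted listing (taken with a statically linked
    tool) but missing from one produced by a hookable, dynamically linked tool."""
    return set(static_listing) - set(dynamic_listing)


# --- constructed samples -------------------------------------------------
SAMPLE_LD_SO_PRELOAD = (
    "/usr/lib/x86_64-linux-gnu/libnss_example.so  # constructed, benign\n"
    "/tmp/.x/libhook.so\n"
)
SAMPLE_ENV = {"LD_PRELOAD": "/dev/shm/libpcap_shim.so:/usr/lib/libfoo.so"}
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c001000 r--p 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c200000-7f3a1c201000 r-xp 00000000 00:19 5678 /dev/shm/libpcap_shim.so
7f3a1c400000-7f3a1c401000 r-xp 00000000 08:01 9012 /tmp/.x/libhook.so (deleted)
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_LS_DYNAMIC = ["app.log", "config.yml"]                 # from hooked ls
SAMPLE_LS_STATIC = ["app.log", "config.yml", ".libhook.so"]   # from static busybox ls

if __name__ == "__main__":
    for f in preload_indicators(SAMPLE_LD_SO_PRELOAD, SAMPLE_ENV, SAMPLE_MAPS):
        print(f)
    print("hidden:", hidden_entries(SAMPLE_LS_DYNAMIC, SAMPLE_LS_STATIC))
```

Because Symbiote hooks the very functions used to read files and directories, run these checks from a statically linked binary or, better, against a disk image or memory capture taken outside the infected host; a hooked process may simply never see /etc/ld.so.preload.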
Paragon Graphite is a Pegasus spyware clone used in the US

The US government banned the use of NSO’s Pegasus spyware 18 months ago, but a new report today says that at least one government agency is using very similar malware from a rival company: Paragon Graphite.

According to four [industry figures], the US Drug Enforcement Administration (DEA) is among the top customers for Paragon's signature product, nicknamed Graphite.


The #malware surreptitiously pierces the protections of modern smartphones and sidesteps the end-to-end encryption of messaging apps like #Signal or #WhatsApp by reading messages on the device after they are decrypted, sometimes harvesting the data from cloud backups instead, much like Pegasus does.

#spyware #US #Clone #Pegasus #NSO #DEA #ParagonGraphite #Paragon
Mystic Stealer | Zscaler – June 2023

Mystic Stealer is a recently emerged information stealer, noted for its data theft capabilities, its obfuscation, and an encrypted binary command-and-control protocol that helps it stay under the radar and evade defenses.

Key data theft functionality includes the ability to capture history and auto-fill data, bookmarks, cookies, and stored credentials from nearly 40 different web browsers. In addition, it collects Steam and Telegram credentials as well as data related to installed cryptocurrency wallets. The malware targets more than 70 web browser extensions for cryptocurrency theft and uses the same functionality to target two-factor authentication (2FA) applications. The approach used by Mystic Stealer is similar to what was reported for Arkei Stealer.


#Malware #MysticStealer #Trojan
Millions of mobile phones come pre-infected with malware • The Register – May 2023

The malware turns the devices into proxies that are used to steal and sell SMS messages (including one-time codes), take over social media and online messaging accounts, and generate revenue through adverts and click fraud.

From telemetry data, the researchers estimated that millions of infected devices exist globally, concentrated in Southeast Asia and Eastern Europe. A figure self-reported by the criminals themselves, the researchers said, was around 8.9 million.


Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices – Trendmicro - May 2023

An overview of the Lemon Group's use of preinfected mobile devices, and how this scheme is potentially being developed and expanded to other internet of things (IoT) devices. This research was presented in full at the Black Hat Asia 2023 conference in Singapore in May 2023.


#LemonGroup #Guerrilla #Malware
Stealth Soldier Backdoor Used in Targeted Espionage Attacks in North Africa - Check Point Research – June 2023

Check Point Research observed a wave of highly targeted espionage attacks in Libya that utilize a new custom modular backdoor.
Stealth Soldier is a previously undocumented backdoor that primarily performs surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information.

The Stealth Soldier infrastructure has some overlaps with the infrastructure of "The Eye on the Nile", a campaign that operated against Egyptian civil society in 2019. This is the first possible reappearance of that threat actor since then.

Phishing attacks using third-party applications against Egyptian civil society organizations - Amnesty International – 2019

#StealthSoldier #EyeOnTheNile
#Backdoor #espionage #malware #Egypt #Libya
Fortinet Reverses Flutter-based Android Malware “Fluhorse” | FortiGuard Labs – June 2023

Android/Fluhorse is a recently discovered malware family that emerged in May 2023. What sets this malware apart is its utilization of Flutter, an open-source SDK (software development kit) renowned among developers for its ability to build applications compatible with Android, iOS, Linux, and Windows platforms using a single codebase. While previous instances of threat actors using Flutter for malware exist, such as MoneyMonger, they actually used Flutter for its cross-platform UI elements without carrying the actual malicious payload. So, despite Flutter application reversing being notoriously difficult, MoneyMonger can actually be quite easily reversed with the usual Android reversing techniques.

Eastern Asian Android Assault - FluHorse - Check Point Research – May 2023

#FluHorse #Malware #Flutter #EastAsia
Beyond the Horizon: Traveling the World on Camaro Dragon’s USB Flash Drives - Check Point Research – June 2023

In early 2023, the Check Point Incident Response Team (CPIRT) investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a China-based espionage threat actor whose activities overlap with those tracked by other researchers as Mustang Panda and LuminousMoth, and whose focus is primarily on Southeast Asian countries and their close peers.


#CamaroDragon #USB #Flashdrive #MustangPanda #LuminousMoth #espionage #malware #China #Asia
When Governments Attack: Nation-State Malware Exposed – 2015

Cyberwar takes place every single day, all around us. We don't see it and we're not always directly affected by it, but we share the cost of every attack, be that through monetary loss, services we cannot use, or even the omnipresent backdrop that something might go down somewhere. Malicious cyber activities perpetrated by nation-state threat actors are on the rise.
It makes sense, really. You can see how stupendously effective "regular" malware is. How easy is it to pick up an infection from an errant spam email, or for someone to plug an infected USB stick into a computer?
It stands to reason that governments with access to vast pools of knowledge, colossal funding, and an insatiable desire to be one step ahead of both ally and enemy would realize the value in deploying incredibly sophisticated spyware and malware variants.
Let's take a look at some of the most famous nation-state threats we're aware of.


#spyware #malware #trojan
#cyberwar
Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks – TheHackerNews - June 2023

The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest.

The findings come from CrowdStrike, which is tracking the adversary under the name Vanguard Panda.

"The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement,"


Falcon Complete MDR Thwarts VANGUARD PANDA Tradecraft – CrowdStrike - June 2023

#VoltTyphoon #VanguardPanda #China #espionage #spyware #malware