Millions of mobile phones come pre-infected with malware • The Register – May 2023

The malware turns the devices into proxies which are used to steal and sell SMS messages, take over social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud.

Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.

Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices – Trendmicro - May 2023

An overview of the Lemon Group’s use of preinfected mobile devices, and how this scheme is potentially being developed and expanded to other internet of things (IoT) devices. This research was presented in full at the Black Hat Asia 2023 Conference in Singapore in May 2023


#LemonGroup #Guerrila #Malware

Stealth Soldier Backdoor Used in Targeted Espionage Attacks in North Africa - Check Point Research – June 2023

Check Point Research observed a wave of highly-targeted espionage attacks in Libya that utilize a new custom modular backdoor.
Stealth Soldier malware is an undocumented backdoor that primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information.

The Stealth Soldier infrastructure has some overlaps with infrastructure the The Eye on the Nile which operated against Egyptian civilian society in 2019. This is the first possible re-appearance of this threat actor since then.

Phishing attacks using third-party applications against Egyptian civil society organizations - Amnesty International – 2019

#StealthSoldier #EyeOnTheNile
#Backdoor #espionage #malware #Egypt #Libya

Fortinet Reverses Flutter-based Android Malware “Fluhorse” | FortiGuard Labs – June 2023

Android/Fluhorse is a recently discovered malware family that emerged in May 2023. What sets this malware apart is its utilization of Flutter, an open-source SDK (software development kit) renowned among developers for its ability to build applications compatible with Android, iOS, Linux, and Windows platforms using a single codebase. While previous instances of threat actors using Flutter for malware exist, such as MoneyMonger, they actually used Flutter for its cross-platform UI elements without carrying the actual malicious payload. So, despite Flutter application reversing being notoriously difficult, MoneyMonger can actually be quite easily reversed with the usual Android reversing techniques.

Eastern Asian Android Assault - FluHorse - Check Point Research – May 2023

#FluHorse #Malware #Flutter #EastAsia

Beyond the Horizon: Traveling the World on Camaro Dragon’s USB Flash Drives - Check Point Research – June 2023

In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, whose focus is primarily on Southeast Asian countries and their close peers.


#CamaroDragon #USB #Flashdrive #MustangPanda #LuminousMoth #espionage #malware #China #Asia

0xor0ne@infosec.exchange - Very cool series about persistence in Linux environments

Persistence map: https://pberba.github.io/assets/posts/common/20220201-linux-persistence.pdf

Auditd, Sysmon, Osquery: https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/

Account Creation and Manipulation: https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/

Systemd, Timers, and Cron: https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/

Initialization Scripts and Shell Configuration: https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/

Systemd Generators: https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/

#Linux #kernel #malware #cybersecurity #infosec

When Governments Attack: Nation-State Malware Exposed – 2015

Cyberwar takes place every single day, all around us. We don't see it and we're not always directly affected by it, but we share the cost of every attack. Be that through monetary loss, services we cannot use, or even with the omnipresent backdrop that something might go down somewhere, malicious cyber activities perpetrated by nation-state threat-actors are on the rise.
It makes sense, really. You see how stupendously effective "regular" malware is. How easy is it to pick up an infection from an errant spam email, or for someone to plug an infected USB stick into a computer?
It stands to reason that governments with access to vast pools of knowledge, colossal funding, and an insurmountable desire to be one step ahead of both ally and enemy would realize the value in deploying incredible sophisticated spyware and malware variants.
Let's take a look at some of the most famous nation-state threats we're aware of.

#spyware #malware #trojan
#cyberwar

Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks – TheHackerNews - June 2023

The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest.

The findings come from CrowdStrike, which is tracking the adversary under the name Vanguard Panda.

"The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement,"

Falcon Complete MDR Thwarts VANGUARD PANDA Tradecraft – CrowdStrike - June 2023

#VoltTyphoon #VanguarPanda #China #espionage #spyware #malware

Securonix Threat Labs Security Advisory: New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities Dropping Multiple RAT Payloads Using Security Analytics - Securonix – June 2023

An interesting phishing campaign was recently analyzed by the Securonix Threat Research Team. The attack kicks off when the user clicks on a heavily obfuscated JavaScript file contained in a password protected zip file. Some of the victims targeted by the MULTI#STORM campaign appear to be in the US and India.

The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, such as Warzone RAT and Quasar RAT. Both are used for command and control during different stages of the infection chain.

#RAT #MultiStorm #Trojan #JS #Python #malware #India #US

How the Malware-as-a-Service market works | Securelist – June 2023

Money is the root of all evil, including cybercrime. Thus, it was inevitable that malware creators would one day begin not only to distribute malicious programs themselves, but also to sell them to less technically proficient attackers, thereby lowering the threshold for entering the cybercriminal community. The Malware-as-a-Service (MaaS) business model emerged as a result of this, allowing malware developers to share the spoils of affiliate attacks and lowering the bar even further. We have analyzed how MaaS is organized, which malware is most often distributed through this model, and how the MaaS market depends on external events.
Results of the research
We studied data from various sources, including the dark web, identified 97 families spread by the MaaS model from 2015, and broke these down into five categories by purpose: ransomware, infostealers, loaders, backdoors, and botnets.


https://arxiv.org/pdf/2207.00890
#Maas #malware

Malware as a service - ANSSI / EN - 2021 - EMOTET
#Maas #malware

Kaspersky reveals new method to detect Pegasus spyware | Kaspersky –

Kaspersky's Global Research and Analysis Team (GReAT) has developed a lightweight method to detect indicators of infection from sophisticated iOS spyware such as #Pegasus, #Reign, and #Predator through analyzing Shutdown.log, a previously unexplored #forensic artifact.

The company’s experts discovered Pegasus infections leave traces in the unexpected system log, Shutdown.log, stored within any mobile #iOS device’s sysdiagnose archive. This archive retains information from each reboot session, meaning anomalies associated with the Pegasus malware become apparent in the log if an infected user reboots their device.

Among those identified were instances of ”sticky“ processes impeding reboots, particularly those linked to Pegasus, along with infection traces discovered through cybersecurity community observations.

#Pegasus #NSO #Reign #Predador #iOS #Spyware #Malware #Kapersky #MobileForensics #CyberSec

Coper / Octo - A Conductor for Mobile Mayhem… With Eight Limbs? | Team Cymru

Coper, a descendant of the Exobot malware family, was first observed in the wild in July 2021, targeting Colombian Android users. At that time, Coper (the Spanish translation of “Copper”) was distributed as a fake version of Bancolombia’s “Personas'' application.

The malware offers a variety of advanced features, including keylogging, interception of SMS messages and push notifications, and control over the device's screen. It employs various injects to steal sensitive information, such as passwords and login credentials, by displaying fake screens or overlays. Additionally, it utilizes VNC (Virtual Network Computing) for remote access to devices, enhancing its surveillance capabilities.

#Android #MAS #Exobot #Keylogging #Malware #RemoteAccess #SMS #Coper #Octo

Android Malware Vultur Expands Its Wingspan | NCC Group Research Blog

The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device.

Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions.

Via @androidMalware
#Android #Malware #Vultur

Beware of Snowblind: A new Android malware

Snowblind : A new Android malware abuses security feature to bypass security

In early 2024, our partner i-Sprint provided a sample of a new Android banking trojan we have named Snowblind. Our analysis of Snowblind found that it uses a novel technique to attack Android apps based on the Linux kernel feature seccomp. Android uses seccomp to sandbox applications and limit the system calls they can make. This is intended as security feature that makes it harder for malicious apps to compromise the device.

However, Snowblind misuses seccomp as an attack vector to be able to attack applications. We have not seen seccomp being used as an attack vector before and we were surprised how powerful and versatile it can be if used maliciously. 

Demo : YT link ( Invidious is broken !)
Via @androidmalware
#Android #Malware #Snowblind #Trojan