Google – Security Intelligence
https://securityintelligence.com
Analysis and Insight for Information Security Professionals

Beware of rogue chatbot hacking incidents
https://securityintelligence.com/articles/rogue-chatbot-hacking-incidents/
Wed, 24 Jan 2024 14:00:00 +0000

The post Beware of rogue chatbot hacking incidents appeared first on Security Intelligence.

For years, chatbots have been a useful tool to help automate customer-facing applications. But what happens if the chatbot goes rogue?

Recent reports have revealed that this may have happened to the Comcast / Xfinity chatbot. First, there were incidents of Xfinity email outages. Next, some reported that if you try to resolve the issue via chat, a rogue chatbot may engage with you. The impersonator chatbot then tries to redirect you to a malicious page that asks you to divulge your credit card number.

Could this be related to the massive breach that involved 35.9 million Comcast Xfinity broadband entertainment platform customers? While this story is still developing, it wouldn’t be the first time chatbots were recruited for online scams.

There are a variety of ways chatbots are being used to spread malware and/or obtain sensitive information. Here’s what to watch out for.

Hacking Bing

Bing Chat has quickly become one of the world’s leading AI chatbots. Millions of people use it every day. One feature of Bing Chat is that ads can be inserted into the conversation. For example, a user can hover over a link and then an ad is displayed.

Malwarebytes reported on a case where Bing Chat ads were being hijacked by nefarious actors. In this scam, when the user’s cursor hovers over a legitimate link, a dialog box appears showing a malicious ad:

Image source: Malwarebytes

Clicking on the malicious ad leads users to a website (mynetfoldersip[.]cfd) that can identify real victims and filter out bots, sandboxes or security researchers. Filtering works by checking IP addresses, time zones and other system settings, such as web rendering that identifies virtual machines.

Actual human users are eventually redirected to another fake site (advenced-ip-scanner[.]com) that mimics an official page, while others are sent to a decoy page. Victims are then invited to download malware that looks like legitimate software.

Fake AI chatbot scams

Scammers are also taking advantage of the rising popularity of AI chatbots, like Google’s Bard. These scams are easy to miss because they blend in with the flood of AI-related products and services now on offer.

According to Google, two different scammer groups created social media pages and ran ads that encouraged people to “download” Bard. But Bard is a freely available generative AI tool that does not need to be downloaded.

Scammers used Google’s logos, trademarks and product names as part of their scheme. The ads lure targets to a phony website designed to look like it’s affiliated with Google. On the site, visitors are encouraged to download software to use Bard, but it’s really malware.

It’s worth noting that Google is suing the bad actors instead of just reporting them to the authorities. The company says that “lawsuits are an effective tool for establishing a legal precedent, disrupting the tools used by scammers, and raising the consequences for bad actors.” According to Google, they have filed roughly 300 takedowns related to this group of bad actors.

Other chatbot scams

Some chatbot-based scams aren’t really chatbots at all. In one scam, criminals sent phishing emails impersonating DHL.

Image source: Trustwave

From there, the malicious link connected to a fake chatbot that eventually requested sensitive information like the user’s email and password:

Image source: Trustwave

And credit card data, of course…

Image source: Trustwave

A similar scam has also been luring Facebook users under the guise of an account cancellation message. In this case, an actual Facebook chatbot is used, which then redirects targets to a fake site that asks for sensitive information.

Image source: Trustwave

Here’s how they try to get users to give up their passwords:

Image source: Trustwave

Use chatbots with caution

As with any online engagement, interacting with a chatbot should be done with the utmost caution. Always think twice, or even three times, before you click, download or provide private personal information.

To learn how IBM X-Force can help you with anything regarding cybersecurity, including incident response, threat intelligence or offensive security services, schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

Google’s bug bounty hits $12 million: What about the risks?
https://securityintelligence.com/news/googles-bug-bounty-hits-12-million-what-about-the-risks-2/
Mon, 22 May 2023 16:00:00 +0000


Bug bounty numbers have never been better. In 2022, Google rewarded the efforts of over 700 researchers from 68 different countries who helped improve the security of the company’s products and services. The total amount of awards grew from $8.7 million paid in 2021 to $12 million in 2022, a nearly 38% increase.

Over the past few years, bug bounty programs have gained significant traction. Companies have been lured in by the potential to identify vulnerabilities quickly, enhance product security and outsource solutions cost-effectively. However, organizations have also encountered unforeseen vulnerabilities and threats due to these programs.

Are bug bounty programs worth it? If so, what are the risks, and how do you minimize them?

Google makes good use of bug bounties

Google reported that it resolved over 2,900 problems in its products in the previous year thanks to security researchers. The tech giant disbursed a total of $4.8 million via the Android Vulnerability Reward Program (VRP), with one reward of $605,000. Google has offered up to $1 million for detecting remote code execution vulnerabilities related to the Pixel Titan M secure chip. In 2022, the company also offered a maximum of $750,000 for data exfiltration flaws in Titan M.

Out of the total sum, $486,000 was paid out under the Android Chipset Security Reward Program (ACSRP), which is run by Google in collaboration with Android chipset manufacturers. This program generated over 700 valid security reports.

Google also compensated bug hunters through the Chrome VRP, paying out a total of $4 million, including $3.5 million for 363 vulnerabilities detected in the Chrome browser. Nearly $500,000 was awarded for 110 bugs detected in ChromeOS. In 2023, Google plans to experiment with the Chrome VRP and has notified bounty hunters of potential bonus opportunities for Chrome Browser and ChromeOS security bugs.

Even threat actors use bug bounty programs

One year after the emergence of the dangerous LockBit 2.0, the ransomware gang’s developers introduced a new and improved version, LockBit 3.0. This latest strain employs novel ransomware tactics and, notably, features a bug bounty program for the first time ever in the LockBit Ransomware-as-a-Service operation.

LockBit has become the pioneering ransomware outfit offering rewards to researchers and developers who identify security loopholes. Rewards range from $1,000 to $1 million for detecting bugs in various aspects of the website, such as cross-site scripting or XSS, encryption and vulnerabilities in Tox messenger and the Tor Network.

The bug bounty’s not-so-hidden liabilities

Despite Google’s and LockBit’s enthusiasm, some security experts like Joseph Neumann, Cyber Executive Advisor at Coalfire, warn about bug bounty program risks. Given increasingly complex validation requirements and the growing fatigue from compliance framework audits, bug bounty programs require careful and strategic thought. Organizations cannot afford to ignore the risks lurking beneath the surface.

As per Neumann, bug bounty programs do not serve as accredited third-party attestations and may not satisfy regulatory compliance requirements. Although they can identify vulnerabilities promptly, bug bounties may not offer comprehensive testing or assess the complete attack surface. And what’s the biggest potential risk? Ethical hackers can get access to source code, which might open doors for malicious actors to discover and exploit vulnerabilities.

How much do bug bounties cost?

Google praised the higher bug bounty payout from last year. But is that necessarily a good thing? Bug bounty programs can contain an often overlooked pitfall: namely, the potential for costs to spiral out of control. According to Neumann, the costs generated by bug bounty programs might include:

  • The unlimited number of vulnerabilities that could be discovered (bounty payout)
  • Vulnerabilities that malicious actors can leverage in data breaches
  • Development resources wasted on fixing non-harmful vulnerabilities
  • Possible legal consequences due to delays in remediating vulnerabilities.

Beware of the bugs in bug bounty

Top-level management officials often view bug bounty programs as quick and efficient solutions to reveal security weaknesses through an outsourced, on-demand payment system. Also, some programs place an exaggerated emphasis on the value of bounties within a comprehensive security approach. However, decision-makers might hastily approve such programs without careful consideration.

Bug bounty programs are fully dependent on participants’ trustworthiness and capabilities. According to Neumann, this raises a plethora of concerns. What if you hire an ethical hacker who turns out to be unethical? Or what if a careless bounty hunter overlooks a critical bug that could lead to a catastrophic breach? What happens if a company becomes too reliant on bug bounty programs for testing purposes and neglects to comply with essential regulatory frameworks like PCI or FedRAMP?

As per Neumann, a recent forensic examination brought to light a scenario where a bug hunter neglected to report a vulnerability. An attacker then exploited that vulnerability two months down the line. That oversight resulted in a massive theft of sensitive client information.

The very program that strove to prevent such a security compromise had failed. This left the company and its clients vulnerable to untold damage.

Bug bounty might attract attackers

Neumann also states that Fortune 500 companies are seeing more attacks on the applications they’ve protected with bug bounties. As the rewards for discovering vulnerabilities increase and the targets become more prominent, the attack surfaces in these high-volume environments are also growing. Unfortunately, this increase in quantity also increases the potential for “white-hat cheating”. This could lead to unauthorized access by both internal and external malicious actors lurking in the shadows.

Making bug bounty work

If you are going to use bug bounties, Neumann has some recommendations to follow:

  • Include a layer of legal protection. Have your internal counsel review the program and determine if an external counsel is required so that your organization is protected with legal privilege.
  • Use bug bounty programs as an augmentation to a comprehensive, dynamic and scalable security strategy. Don’t become over-reliant on your bug hunters.
  • Ensure that your bug bounty program and vulnerability remediation processes work closely together.

Bug bounty programs certainly can provide value. However, you must establish a sound approach to any program’s management before going bug hunting.

Hack-for-hire groups may be the new face of cybercrime
https://securityintelligence.com/news/hack-for-hire-groups-new-face-of-cybercrime/
Wed, 29 Mar 2023 16:00:00 +0000


Google’s Threat Analysis Group (TAG) recently released a report about growing hack-for-hire activity. In contrast to Malware-as-a-Service (MaaS), hack-for-hire firms conduct sophisticated, hands-on attacks. They target a wide range of users and exploit known security flaws when executing their campaigns.

“We have seen hack-for-hire groups target human rights and political activists, journalists and other high-risk users around the world, putting their privacy, safety and security at risk,” Google TAG says. “They also conduct corporate espionage, handily obscuring their clients’ role.”

The level of detailed information these groups can access is astonishing. Here’s what organizations need to know about this emerging threat to data security.

Hack-for-hire not as-a-Service

The recent rise in Ransomware-as-a-Service has alarmed security experts across the globe. Unlike MaaS, hack-for-hire activity appears to be much more targeted. For example, Reuters recently reported on thousands of email records exposing an Indian hack-for-hire group. These actors were called upon to interfere in lawsuits all over the world. The cyber spies work for litigants seeking to gain an edge.

The Reuters report quoted Anthony Upward, managing director of Cognition Intelligence, a U.K.-based countersurveillance firm, saying, “It is an open secret that there are some private investigators who use Indian hacker groups to target opposition in litigation battles.”

Reuters reported that at least 75 U.S. and European companies, three dozen advocacy and media groups and numerous Western business executives were the subjects of the Indian hack-for-hire attempts.

This is a far cry from a MaaS portal that sells online subscriptions for malicious services. MaaS groups increasingly look a lot like SaaS brands. Some MaaS groups have openly accessible websites, monthly newsletters, marketing campaigns, video tutorials, white papers and Twitter accounts.

While hack-for-hire groups may advertise, they aren’t usually helping clients get a cryptocurrency payout. And you can’t sign up for a subscription service. It’s more than likely that hack-for-hire clients have a specific target and goal in mind. And it frequently involves espionage. They even say so right on their websites:

Source: Google TAG

Deathstalker and dead drop resolvers

While hunting for evidence of the hack-for-hire Deathstalker group intrusions, Kaspersky identified a new variant of the Janicab malware. The group used Janicab to target legal entities in the Middle East throughout 2020 and possibly during 2021. The group’s activity may even have extended back to early 2015 and has targeted legal, financial and travel agencies in the Middle East and Europe.

It appears that Deathstalker was using YouTube, Google+ and WordPress web services as dead drop resolvers (DDRs). Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Actors can post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victim computers will reach out to and be redirected by these resolvers.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that network hosts are already communicating with them prior to a compromise. Common services, such as those offered by YouTube, Reddit, GitHub, Google or Twitter, can be used in DDR. This enables adversaries to blend in with normal traffic. What’s more, web service providers commonly use SSL/TLS encryption which gives intruders an added level of protection.

Hack-for-hire motives

Unlike ransomware gangs which typically seek a quick cryptocurrency payout, hack-for-hire groups specialize in espionage or the targeting of individuals. This means they attempt to infect computers, systems and networks while remaining hidden for long periods of time. And they frequently target emails. What could their motives be? Kaspersky offered several hypotheses as to what might be Deathstalker’s motives, such as:

  • Legal disputes involving VIPs
  • Legal disputes involving financial assets
  • Intent to blackmail VIPs
  • Tracking financial assets of/for VIPs
  • Competitive/business intelligence for medium/large companies
  • Intelligence on medium/large mergers and acquisitions.

Meanwhile, Trend Micro reported that cyber mercenaries are being used to attack political opposition, dissidents, journalists and human rights activists. Malicious tools are used to spy on these targets, and the consequences can be devastating. For example, some politicians and journalists who must flee their home countries become the target of aggressive cyberattacks.

As per Trend Micro, one Russian-based hack-for-hire group named Rockethack will steal highly sensitive information from individuals and businesses on demand. But the group also seems to crave data itself. Before a customer even asks for a new service, the hackers may already be thinking about and collecting troves of personal and private data. The Russian-based hack-for-hire group targets key employees of corporations who have access to large amounts of personal data.

A trove of exfiltrated data

What kind of data does Rockethack have up for sale? It sounds like something out of a spy novel. Trend Micro reported that Rockethack can dig up data such as:

  • Information on Russian passports, foreign passports and marriage certificates
  • Information on purchased tickets where a passport is needed (train, bus, airlines and ferries)
  • Border data on individual persons
  • Data on passengers arriving at Russian airports
  • Data on passengers of Russian long-distance train stations
  • Interpol records
  • Criminal records
  • Traffic safety records
  • Migrant permits
  • Traffic camera shots
  • Traffic police data (fines, registration of cars)
  • Weapon registration
  • Federal tax service records
  • Credit history records
  • Bank account balance
  • Bank account statements
  • Phone number(s) associated with bank account
  • Banking card registration data
  • Reason and date for account blocking
  • The phone number and passport information
  • Phone call and SMS records with/without cell tower locations
  • Blocked phone numbers
  • Map where calls were located
  • Location of phone/SIM card
  • Printout of an SMS message.

Exposing the hidden threat

Hack-for-hire groups might go undetected for months, or even years, while highly sensitive and detailed information is exfiltrated. For this reason, more advanced tools are required, especially at the enterprise level.

Solutions such as Security Information and Event Management (SIEM) can correlate hybrid cloud data sources to reveal an attacker’s path. Meanwhile, threat intelligence can be used to validate the source of the attack as a known command and control center.

When threat actors trigger multiple detection analytics, move across the network or change their behaviors, SIEM can track them. More importantly, SIEM can correlate, track and identify related activities throughout a kill chain with built-in automated prioritization.

Hack-for-hire groups don’t seem to get many headlines. Perhaps it’s because they aren’t easily discovered. Maybe, businesses should start looking harder.

Digital shadows weaken your attack surface
https://securityintelligence.com/articles/digital-shadows-attack-surface/
Tue, 28 Jun 2022 13:00:00 +0000


Every tweet, text, bank transaction, Google search and DoorDash order is part of your digital shadow. We all have one, and the contents of your shadow aren’t always private. For example, in April 2021 attackers leaked data containing the personal information of over 533 million Facebook users from 106 countries.

Sure, you might want your tweet to be seen all over the world. But what about your phone number, social media name, full name, location, birthdate and email address? How conscious are you of your digital exposure? And how do employee digital shadows affect the companies they work for?

What is a digital shadow?

Anything you post or capture in digital format is technically part of your digital shadow or digital footprint. It’s obvious that social media posts and tweets are parts of your digital shadow, but you might be surprised about other elements. For instance, texts leave a digital trail as well. You can even read someone’s text messages without access to their phone.

Think your photos are safe in Google Drive? While Google’s security is certainly robust, if someone steals your credentials, they could log in and see all your files. Even your bank transactions and social security number could be leaked. Any type of communication or information sent or saved using a digital device could end up in the wrong hands.

How long of a digital shadow do you cast?

In 2020, over 3.6 billion people were using social media worldwide. This number is projected to increase to almost 4.41 billion in 2025. People post all kinds of information about their lives and work online.

Unfortunately, all this data can be used for nefarious purposes. For example, you might get an invite from a threat actor mimicking a close contact. After accepting the invite, they have access to all the information you share online. By using social engineering techniques, they can then trick you into clicking on malicious links or downloading malware.

Other criminals will impersonate executives. They deceive employees or business partners into giving up sensitive information or making unauthorized financial transactions. The more information you post online, the more information threat actors can leverage against you.

Diverse social engineering schemes

Social engineering has become one of the leading types of cyber crime. One of the reasons is the diversity of social engineering methods. For example, phishing might be considered a type of social engineering as fake emails attempt to mimic trusted sources.

Meanwhile, thread-jacking (or thread hijacking) is a particularly nasty form of phishing since it hijacks email messages that are part of an ongoing thread. Broad damage occurs as the attacker sends emails to targets within the affected organization and beyond. This strategy can lead to a highly infectious spread of malware since the level of trust is high within email threads.

The social engineering varieties go on and on. Recruitment fraud, for example, involves the offer of fictitious job opportunities through unsolicited emails, online recruitment services, bogus websites and text messages claiming to be job recruiters. These scams are much more effective if the actor knows something about you and your preferences.

Data is the most valuable asset

Data (especially personal data) has tremendous value. This doesn’t apply only to darknet markets that deal in stolen data. There’s a reason companies pay massive sums to collect data about their customers and visitors. And evidence shows an increasing number of people browse with cookies enabled, which keeps the data flow going strong.

The more a company (or a criminal) knows about you, the better chance they have of making money (or stealing) from you. Here the techniques used by marketers overlap with those of cyber criminals using the same tools.

Powered with AI, phishing messages can be highly personalized to target employees or individual executives. This type of hyper-personalization has long been used in digital marketing to capture more business. We’ve all received personalized emails from marketing engines. And now, criminals use the same tactics with data harvested from your digital shadow.

Like gold, data is a commodity with a market value. And this value applies to both legitimate markets and dark markets.

How to minimize your digital footprint

The truly best way to minimize your digital exposure is to spend less time online. Still, there are other ways to reduce your digital footprint without going off-grid. For business owners, team awareness is essential. For example, social media hygiene goes a long way. Some tips include:

  • Examine every friend request with the highest scrutiny. If it’s a close friend or associate, consider confirming the invite through a secure channel.
  • Do not post images of your workplace. If you take a photo at happy hour, make sure to remove your employee ID badge.
  • Never download files or click on links transmitted by social media messages. If you must, search for the site in a web browser yourself. Be aware that you could be visiting a fake website as well.
  • Don’t ever share sensitive information on social media chats.

Other ways to reduce your digital footprint include:

  • Delete old shopping, social media and email accounts
  • Review your social media privacy settings; only share with close contacts
  • When you don’t need GPS support, disable location tracking
  • Conduct searches in incognito mode or from a private browser, such as Apple Safari, Avast Secure, Brave Privacy, Bromite or DuckDuckGo.

Trust no one. Secure everything.

While employee training is part of any strong security plan, human error is inevitable. With the growing number of devices (including Internet of Things), every company’s attack surface increases every day. While attempts to manage digital shadows are helpful, digital expansion is too fast to keep up with on our own.

The vulnerability of data combined with rising attack rates generates substantial downside risk. Effective security tools aren’t an option anymore. The good news is that security teams can enforce rules according to the who, what, where and when surrounding access to sensitive data.

For example, zero trust models demand verification for each and every connection and endpoint. From there, every request for access is granted the least amount of privilege. With zero trust, resources are restricted by default, even for connections inside the perimeter.

The only way to face rising threats, without living in the woods, is through a multi-pronged approach. Modify behavior, stay alert and protect your assets with the best tools available.

Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy
https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/
Wed, 23 Jun 2021 19:00:00 +0000


Contributed to this research: Segev Fogel, Amir Gendler and Nethanella Messer.

IBM Trusteer researchers continually monitor the evolution and attack tactics in the banking sector. In a recent analysis, our team found that an Ursnif (aka Gozi) banking Trojan variant is being used in the wild to target online banking users in Italy with mobile malware. Aside from the Ursnif infection on the victim’s desktop, the malware tricks victims into fetching a mobile app from a fake Google Play page and infects their mobile device with the Cerberus Android malware.

The Cerberus malware component of the attack is used by Ursnif’s operators to receive two-factor authentication codes sent by banks to their users when account updates and money transfer transactions are being confirmed in real-time. Cerberus also possesses other features and can enable the attacker to obtain the lock-screen code and remotely control the device.

Cerberus is an overlay-type mobile malware that emerged in mid-2019 but initially lacked advanced capabilities. It has evolved over time to eventually feature the ability to hijack SMS content and control devices remotely, alongside other sophisticated data theft features. Cerberus was peddled in the underground as commodity malware until the summer of 2020, taking over the market share of Anubis, a previous pay-per-use malware.

In September 2020, Cerberus’ development team decided to disband, spurring an auction attempt that aimed to sell off the source code to the highest bidder, starting at $100,000. The code did not sell but was instead shared with the malware’s customer base, which meant it was publicly leaked. That intentional release of the source code gave rise to numerous malware campaigns involving Cerberus and likely also led to this combined attack with the Ursnif banking Trojan.

A Combination Attack From Desktop to Smartphone

Ursnif is a very long-standing staple in the cybercrime arena, possibly the oldest banking Trojan that’s still active today. Recent campaigns featuring this malware have been most notable in Italy, where it is typically delivered to business email recipients in attachments that purport to carry invoices, delivery notices or other business correspondence. The infection chain commonly involves poisoned macros, getting past email controls by featuring productivity files most organizations use. In some campaigns, the attackers keep access to the infection zone limited to Italian-based IP addresses only.

Once infected by the Ursnif malware and upon attempting to access their online banking account, victims are advised, via web injection, that they won’t be able to continue to use their bank’s services without downloading a security app. To obtain that app, they are shown a QR code and instructed to scan it with their phone’s camera.

Figure 1: Web injection instructing infected users to download a mobile app

Looking into the QR code provided through the injection, we found a Base64 encoded string with the details.

Figure 2: Malicious QR code’s content is a Base64-encoded string

If users scan the QR code, they will open a web page on their smartphone and be sent to a fake Google Play page featuring a corresponding banking app logo of the banking brand the victim originally attempted to access. The campaign, in this case, included a number of domains that were most likely registered for that purpose and reported in other malicious activity in the past, such as hxxps://play.google.servlce.store/store/apps/details.php?id=it.[BANK BRAND].

Each of the domains hosting the fake Google Play pages used similar words or typo-squatting to appear legitimate. Some examples are:

  • google.servlce.store
  • gooogle.services
  • goooogle.services
  • play.google.servlce.store
  • play.gooogle.services
  • play.goooogle.services.

These malicious domains have been flagged on VirusTotal for a few months, with more reports accumulating over time. The malicious Android Packages (APKs) that conceal the Cerberus malware spread in this campaign have been flagged since at least late 2020.

Users who do not successfully scan the QR code are asked to provide their telephone number and subsequently receive an SMS message with a download link for the malicious application; the message warns of a potential service interruption if they fail to install the app.

Figure 3: Web injection instructing infected users to provide their phone number

In the background, the injection’s code couples the phone number entered by the victim with the bot ID that Ursnif assigned to the infected desktop, the name of the bank the victim uses and the login credentials Ursnif has already grabbed.

Notice the use of the word ‘Jambo’ in parts of the code. It is most likely that Ursnif’s operators wrote a jQuery library to simplify HTML Document Object Model tree traversal and manipulation, using it to orchestrate their injections. Fraudsters can use the library to define the amounts to transfer from accounts and other parameters of the fraudulent transaction.

Figure 4: Injection code sending Cerberus infection URL to Ursnif-infected victims

If the victims submit their phone number on the web injection, the remote server will send back a download URL for them to unknowingly download the Cerberus malware. This injection also keeps the victims’ device identifiers linked to their bot ID and account credentials.

Figure 5: Injection code sending Cerberus infection URL to Ursnif-infected victims, additional view

Cerberus in Action

Cerberus campaigns have already been detected spreading through the official Google Play store in the past, but this distribution attempts to land on victim devices through a third-party source, the attacker’s own domains. Sideloading APKs is not enabled by default on Android devices, so delivering the malware from an unofficial source may have limited how many devices the campaign could reach.

When Cerberus is downloaded to a new device, it takes into account the original bank name the victim attempted to access when the infection process was initiated. A JavaScript function includes those details and ensures the victim continues to see a consistent message.

Here too, the ‘Jambo’ word repeats throughout the function, calling into action the jQuery library that orchestrates the malware’s script-based activity.

Figure 6: JavaScript function fetches Cerberus malware

Cerberus is used here only as the component that lets the attackers bypass the bank’s SMS-code verification challenge. The fraudulent transaction itself takes place on the victims’ infected desktops (Windows-based devices). While most of the fraud is performed in-session using Gozi’s SOCKS proxy capability, some access to the victim’s account came from other devices.

Ursnif’s C2 Communications

The basics of Ursnif’s command and control (C2) communications are also carried out through the same channels. Jambo.getScript sends information to srv_dom, which is the malware’s injection server in this case, used to manage the man-in-the-browser activity.

Figure 7: Injection server communications

The core commands botmasters can launch appear where the string ‘step=’ appears. Some of the available bot actions are:

  • ADD_INFO: send data to the C2 (token, SMS content, telephone number, application download).
  • ASK: send communication to the C2.
  • GET_DROP: check the balance of the victim’s bank account.
  • GOOD_TRF: attempt to initiate a money transfer transaction.
  • LOGIN: send the victim’s login information to the attacker’s C2 server.
  • PING: check whether the infected machine is currently online.

IBAN Swapping Back in Style

On the infected desktop, we are back to seeing familiar activity from the Ursnif Trojan. Since it hooks the internet browser, it takes different steps to manipulate what victims see on their screens and have them click on elements that launch the Trojan’s resources into action.

One of the actions Ursnif wishes to take here is to automate transactions that start on the desktop’s browser. To do that, it is designed to swap the international bank account number (IBAN) and bank identifier code (BIC) numbers from legitimate transactions for an IBAN of an account the fraudster controls.

To launch its fraudulent transaction flow, Ursnif needs a function that the infected victim will trigger with a click. It therefore attempts to replace a login button on the original bank’s webpage with its own button for the victim to click. The function launched is named ‘hookPay()’:

Figure 8: hookPay() function – Ursnif replaces IBAN number in legitimate transactions

The function used to swap the IBAN and set the transaction parameters is called ‘makeTrf()’. The transfer only proceeds if the account’s balance is higher than €3,000.

Figure 9: makeTrf() function – Ursnif sets up the fraudulent transaction’s parameters

Injections Adapt to Security Challenge

The configuration file in this campaign targeted the customers of banking institutions in Italy, specifically business banking services. On top of that, the attackers were after e-wallet and e-commerce credentials.

Web injections were adapted to each target’s security challenge; for example, an injection instructing victims to provide numbers from a hard token.

Figure 10: Adapting web injection social engineering to security challenge

Victims are asked to enter the code they received into the web injection and are given a 90-second window to do so, likely matched to the time allotted by the targeted bank or service provider:

Figure 11: Adapting web injection social engineering to security challenge, additional view

After receiving the data from the victim, the malware sends data to the C2 server, including authorization token, SMS content, telephone number and account login information. It then shows a .gif file that makes it appear as if the web browser is loading something. After a couple of seconds, the .gif file is hidden, and the malware continues the login process in the background.

To prevent victims from accessing the account and discovering the fraudulent activity before it is finalized, Ursnif presents a maintenance notice on the account. This notice can effectively prevent the victim from accessing the account from the infected device.

Figure 12: Victims are denied access to their bank account to hide fraudulent activity

Something Old, Something New — The Ursnif-Cerberus Combo

Banking Trojan operators have always been fans of fraud they can automate. The rollout of two-factor authentication and strong transaction authorization schemes by online banking services across the globe has caused this entire threat actor class to rethink their tactics, techniques and procedures. Over time, the incorporation of mobile malware into the overall scheme of banking Trojan fraud has become a must, since it is the only way to complete transactions. The hindrance remains that malware operators have to continue to find ways to infect more mobile devices, especially when getting into official app stores has been getting harder. Also, activating the victim for the initial setup of the automation process is another place where the criminal can fail. Fortunately, these are also the places where defenders can help prevent fraud.

Seeing Ursnif using Cerberus as its mobile malware component is new, but it is not surprising in the banking Trojan arena. Banking Trojan operators are constantly shifting tactics, but the strategy remains the same — they have to gain access to victims’ smartphones if they hope to get through security controls applied to banking and other services consumed online. Using Cerberus is also expected since the code was leaked and gave the option to any malware operator to make use of it against unsuspecting victims.

IBM Security Trusteer helps organizations detect fraud, authenticate users and establish identity trust across the omnichannel customer journey. Through cloud-based intelligence, backed by artificial intelligence and patented machine learning, Trusteer provides a holistic approach to identifying new and existing customers, while improving the user experience. More than 500 leading organizations rely on Trusteer to help secure their customers’ digital journey and support business growth. To learn more visit: https://www.ibm.com/security/fraud-protection/trusteer

To keep malware off your mobile devices, follow some security hygiene basics:

  • Don’t jailbreak a smartphone
  • Only download apps from Google Play’s official store
  • If you download from a URL, get your bank’s application via your bank’s website
  • Don’t enable sideloading; your bank or service provider will not ask you to load applications from unofficial sources
  • Check who is the developer of the app you are downloading; if it does not look right, abort the download
  • Be wary of excessive app permissions: Only allow apps to use your device for the purpose you require and not for unrelated activities
  • If it looks like there’s a new security requirement from your bank, close the browser window and call your bank with the number on the back of your card to verify what’s needed
  • If a transaction you attempted to carry out is stopped by an apparent ‘maintenance’ issue, attempt to access the account from a different device or call your bank.

IOCs


The post Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy appeared first on Security Intelligence.

Google Blocks Remote Access Trojan Targeting Android https://securityintelligence.com/news/google-blocks-remote-access-trojan-android/ Wed, 21 Apr 2021 20:00:00 +0000 https://securityintelligence.com/?p=426331

The post Google Blocks Remote Access Trojan Targeting Android appeared first on Security Intelligence.

Clast82, a malware dropper that helps attackers spread the AlienBot mobile remote access Trojan and malware-as-a-service, has been detected on Google’s Play Store. After Clast82 sought to evade Google’s detection, it was patched in February. Read on to find out how enterprises can protect employees against this and other types of malware.

Inside the Malicious Dropper

Check Point found that the Clast82 malware dropper inserted malicious code into Android apps on Google Play.

Those apps started a service from MainActivity upon launch in order to start a dropping flow known as LoaderService. It also started a foreground service to drop the mobile remote access Trojan. As part of this process, Clast82 had to get around the need to show an ongoing notification to a user. It did so by displaying a ‘neutral’ notification, such as ‘GooglePlayServices,’ with no other text.

From there, two of Clast82’s evasion techniques took effect. First, the malware dropper used Firebase as a command-and-control communication platform. Firebase responded with a configuration containing an ‘enable’ parameter whose value determined whether Clast82 triggered. By default, that parameter read ‘false.’ It changed to ‘true’ after Google published the malware dropper on its Play Store.

Second, Firebase received a payload path from GitHub and called the ‘installApp’ method to finalize and launch the payload.

Some affected devices block installations from unknown sources. In those cases, Clast82 prompted the user to allow installation every five seconds under the guise of ‘Google Play Services.’

Check Point’s researchers learned that the threat actor behind Clast82 created a new developer user for each new app on Google’s Play Store. They also created a new repository on their GitHub account. That let the attackers serve up different payloads, including the remote access Trojan.

Following their initial report on Jan. 27, Check Point notified Google about the malicious apps a day later. The tech giant confirmed on Feb. 9 that it had removed the affected apps from its Play Store.

The AlienBot Remote Access Trojan

The researchers at Check Point observed Clast82 dropping over 100 different samples of AlienBot. This mobile remote access Trojan is known for targeting financial apps with malicious code in order to steal credentials and two-factor authentication codes. At that point, the malware-as-a-service can then empty the victim’s banking account, install malicious apps and/or control the infected device with TeamViewer.

AlienBot isn’t a new malware. ThreatFabric examined the mobile remote access Trojan and found that it included a fork of the first variant of Cerberus. The people behind Cerberus shut it down in 2020, after which fraudsters began switching to Alien as their preferred Android-based MaaS tool.

How to Defend Against Clast82

Organizations need to defend themselves and their users against Clast82 or another mobile remote access Trojan. They can do this by using mobile device management to limit or terminate the use of some mobile apps installed on devices that interact with corporate data. At the same time, they should consider using threat intelligence to track new digital threats and implement defensive measures as a precaution.

Trickbot Using BazarBackdoor to Gain Full Access to Targeted Networks https://securityintelligence.com/news/trickbot-using-bazarbackdoor-to-gain-full-access-to-targeted-networks/ Tue, 02 Jun 2020 16:15:23 +0000

The post Trickbot Using BazarBackdoor to Gain Full Access to Targeted Networks appeared first on Security Intelligence.

Security researchers observed the Trickbot operators using a new backdoor called “BazarBackdoor” to gain full access to targeted networks.

Panda Security explained that Trickbot’s attempts to deliver BazarBackdoor began with a spear phishing campaign. That operation’s attack emails leveraged employee termination notices, customer complaints and other themes to trick recipients into clicking on a link for a file hosted on Google Docs. The links redirected victims to a website that informed the recipient that they needed to download the file directly in order to view it correctly.

When downloaded, the documents ran hidden executable code to call a loader. This asset remained quiet for a time before connecting with a command-and-control (C&C) server for the purpose of downloading BazarBackdoor. This malware shared parts of the same code along with delivery and operation methods employed by Trickbot, similarities that led Panda Security to speculate that the same actors were responsible for developing both threats.

Trickbot’s Activity Involving Other Backdoors

BazarBackdoor didn’t mark the first time that Trickbot has leveraged a backdoor in its attack efforts. Back in April 2019, Cybereason detected an attack campaign in which Emotet loaded Trickbot as a means to deploy Ryuk ransomware. In that attack, Trickbot used its reverse shell module, “dll.dll,” to perform reconnaissance so that it could eventually launch the Empire backdoor. In January 2020, Sentinel Labs observed Trickbot using “PowerTrick,” a backdoor that helped the malware conduct reconnaissance of and remain persistent on the networks of targeted financial institutions.

Defend Against BazarBackdoor

Security professionals can help defend their organizations against phishing attacks carrying BazarBackdoor by making sure that there’s an incident response (IR) plan in place that provides guidance on how to remediate a successful phishing attack. Having a plan is not enough; teams should also regularly test this strategy to ensure the plan works ahead of an attack. Additionally, infosec personnel should leverage ongoing phishing simulations to strengthen their employees’ defenses against email attacks.

Astaroth Trojan Employed YouTube Channels as C&C to Evade Detection https://securityintelligence.com/news/astaroth-trojan-employed-youtube-channels-as-cc-to-evade-detection/ Tue, 12 May 2020 15:20:23 +0000

The post Astaroth Trojan Employed YouTube Channels as C&C to Evade Detection appeared first on Security Intelligence.

A new variant of the Astaroth Trojan family employed YouTube channels for command-and-control (C&C) functionality in order to evade detection.

Cisco Talos detected a new Astaroth attack campaign targeting users in Brazil. The operation began when a user received an email written in Portuguese that used a car rental service as a lure to trick the user into clicking on a link that masqueraded as an overdue invoice. In actuality, that link redirected the user to Google Drive for the purpose of downloading a malicious ZIP file.

The downloaded ZIP file contained a number of malicious Microsoft Windows shortcut (LNK) files that were responsible for initiating the infection process. This step led the campaign to its second stage of infection. At this point, the operation leveraged multiple layers of obfuscation before using LoLBins to advance itself. It then employed evasion checks and anti-analysis processes, steps that included the use of YouTube channels as its primary C&C infrastructure, to deliver Astaroth as its final payload.

A Look Back at Other Astaroth Attacks

Back in February 2019, Cybereason detected a campaign in which the malware disguised itself as JPEG, GIF and extension-less files in order to evade detection and prey upon Brazilian users. A few months later, the Microsoft Defender APT Research Team spotted an operation in which the malware used only system tools to perform a complex attack chain. Then, in September 2019, Cofense witnessed a phishing campaign where the threat relied on both Facebook profiles and YouTube channels to prey upon Brazilians.

Defend Against Evasive Malware

Security professionals can help defend their organizations against evasive malware like Astaroth by training their machine learning (ML) models to spot evasive tactics, specifically by training models to be familiar with all different types of adversarial techniques. At the same time, infosec personnel should use relevance scoring to fine-tune their threat intelligence for the purpose of improving their defenses against evasive campaigns that pose the greatest threat to them.

Grandoreiro Malware Now Targeting Banks in Spain https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/ Mon, 13 Apr 2020 12:55:53 +0000 A familiar malware threat called Grandoreiro, a remote-overlay banking Trojan that typically affects bank customers in Brazil, has spread to attack banks in Spain.

The post Grandoreiro Malware Now Targeting Banks in Spain appeared first on Security Intelligence.

During the past few months, IBM X-Force researchers have noticed a familiar malware threat that typically affects bank customers in Brazil has spread to attack banks in Spain. The rise in campaigns prompted us to look into it further.

Grandoreiro, a remote-overlay banking Trojan, has migrated to Spain without significant modification, proving that attackers who know the malware from its Brazilian origins are either collaborating with attackers in Spain or have themselves spread the attacks to the region. Remote-overlay Trojans are easy to find and purchase in underground and dark web markets.

A recent campaign delivered Grandoreiro using COVID-19-themed videos to trick users into running a concealed executable, infecting their devices with a remote-access tool (RAT) designed to empty their bank accounts.

The Remote-Overlay Threat in a Nutshell

The remote-overlay malware trend is highly prolific across Latin America. While it began trending in Brazil circa 2014, this simple malware attack continues to gain popularity among local cybercriminals and is considered the top financial malware threat in the region.

There is a large variety of remote-overlay malware codes active in the wild, each featuring similar code with a modified deployment process and infection mechanism.

Users become infected via malspam, phishing pages or malicious attachments. Once installed on a target device, the malware goes into action upon access to a hardcoded list of entities, mostly local banks.

Once the user enters the targeted website, the attacker is notified and can take over the device remotely. As the victim accesses their online banking account, the attacker can display full-screen overlay images (hence the name “remote overlay”) designed to appear like they are part of the bank’s website. These pages can either block the victim’s access to the site, allowing the attacker to move money after initial authentication, or include additional data fields that the user is prompted to fill out.

In the background, the attacker initiates a fraudulent money transfer from the compromised account and leverages the victim’s presence in real time to obtain any required information to complete it.

Grandoreiro’s Delivery and Infection Routine

X-Force researchers who analyzed recent Grandoreiro attacks note the following observations:

  • The malware is typically spread via malspam campaigns containing a URL that directs recipients to an infection zone.
  • The first stage of infection is a loader component. Our team located a number of loaders used by Grandoreiro attackers masked as invoice files with a .msi extension and placed into an easily accessible GitHub repository.
  • The second stage of the infection fetches the Grandoreiro payload via a hardcoded URL within the loader’s code.
  • Grandoreiro is executed and infects the device.

The Grandoreiro executable is initially a standalone dropper without additional modules. After its execution, it writes a run key based on the location where it was executed.

Figure 1: Grandoreiro run key

Some sample images from Grandoreiro attacks show that it informs victims they need to install a supposed security application.

Bot-C&C Communications

Grandoreiro’s bot communication with its command-and-control (C&C) server is encrypted and transmitted over SSL. As an operational security feature on the attacker’s side, the infected device’s date has to match a recent campaign date in order to successfully connect to the C&C server. This is verified by an algorithm that otherwise directs the communication to localhost, as shown in the image below.

Figure 2: Grandoreiro bot communication pattern via HTTP POST request

Once the communication algorithm produces a match, communication packets are sent and received through sites.google.com/view/. This is only part of the URL, and it is hardcoded into the malicious code. To complete the URL path, information on the infected device must match the attacker’s communication algorithm, which generates the second part of the path. For example:

hxxps://sites.google[.]com/view/brezasq12xwuy

Once the connection is established, the malware will likely use it to send notifications to the attacker when a victim accesses a banking site. Machine information, clipboard data and remote-access capabilities are also facilitated via the C&C.

Setting Up a Fake Browser Extension

After execution, the sample runs for about six minutes, at which point the machine will abruptly reboot. A few minutes after the boot, the malware writes a compressed archive file named ext.zip from which it will extract additional files, placing them into a directory under C:/%user%/*extension folder*/*.

The extracted files are modified versions of an existing, legitimate Google Chrome browser extension called Edit This Cookie.

In the next step, the dropper writes a new Chrome .lnk (Windows shortcut) file, or replaces the original if one already exists.

The new Chrome browser shortcut contains a “--load-extension” parameter to load the new extension upon starting the browser.

Figure 3: Fake browser extension created by Grandoreiro

Here is an example of a target path from our analysis:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --load-extension="%userprofile%\F162FD4091BD6D9759E60C3"

If Chrome was already open before the infection started unfolding, the malware will force closure of all chrome.exe threads to kill the process. This will also force the victim to re-open the browser using the newly written .lnk file, which is now loaded with Grandoreiro’s malicious extension. This extension will load on every browser startup using this specific .lnk file.

Note that the browser itself is not hooked. Executing the browser from any other Chrome shortcut link will start and run it normally without the malicious extension, canceling out the malware’s ability to control what the victim does.

Since this malicious extension is trying to pass for a legitimate Chrome plugin, Grandoreiro’s developer named it “Google Plugin” version 1.5.0. Visually, it adds a square button to the browser window instead of the “cookie” button on the original plugin.

Figure 4: Fake browser extension created by Grandoreiro — fake button

This extension will also ask the user for various permissions:

  • Reading your browsing history
  • Displaying notifications
  • Modifying data you copy and paste

Actual in-code permissions:

  • “tabs”
  • “activeTab”
  • “webNavigation”
  • “all_urls”
  • “cookies”
  • “contextMenus”
  • “unlimitedStorage”
  • “notifications”
  • “storage”
  • “clipboardWrite”
  • “browser”
  • “webRequest”
  • “webRequestBlocking”
  • “<all_urls>”
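A defender-side check for the persistence described above, added here as an example (it is neither Grandoreiro’s code nor IBM X-Force tooling): it enumerates the usual Chrome shortcut locations, flags any .lnk whose arguments carry --load-extension, and reads the referenced manifest.json for the name, locale and permissions the report lists. It assumes Windows PowerShell 5.1 or later with the WScript.Shell COM object; the shortcut folders and the risk heuristic are assumptions of mine, while the ‘Google Plugin’ name, the pt_BR locale and the permission set come from the report.

```powershell
# Added example, not part of the original report. Hunts for a Chrome shortcut
# that loads an unpacked extension and summarises that extension's manifest.

# Folders where a user-facing Chrome shortcut normally lives (assumption).
$ShortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs')
)

# Permissions that together let an extension read cookies and form data on every
# site and intercept requests: the combination the report lists for Grandoreiro.
$HighRiskPermissions = @('cookies', '<all_urls>', 'webRequest', 'webRequestBlocking', 'clipboardWrite')

function Get-SideloadedChromeExtension {
    [CmdletBinding()]
    param([string[]]$Dirs = $ShortcutDirs)

    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue) {
            $lnk = $shell.CreateShortcut($file.FullName)
            if ($lnk.TargetPath -notmatch 'chrome\.exe$') { continue }

            # Grandoreiro's shortcut: chrome.exe --load-extension="%userprofile%\<hex dir>"
            $m = [regex]::Match($lnk.Arguments, '--load-extension=(?:"([^"]+)"|(\S+))')
            if (-not $m.Success) { continue }
            $rawPath = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
            $extPath = [Environment]::ExpandEnvironmentVariables($rawPath)

            # Read the unpacked extension's manifest if the directory still exists.
            $manifest = $null
            $manifestFile = Join-Path $extPath 'manifest.json'
            if (Test-Path -LiteralPath $manifestFile) {
                try { $manifest = Get-Content -LiteralPath $manifestFile -Raw | ConvertFrom-Json } catch { }
            }
            $perms = @()
            if ($manifest -and $manifest.permissions) { $perms = @($manifest.permissions) }
            $risky = @($perms | Where-Object { $HighRiskPermissions -contains $_ })

            # One finding per shortcut. Property lookups on a $null manifest yield $null,
            # so a missing directory is reported rather than hidden. Developers also use
            # --load-extension legitimately, so the analyst makes the final call.
            [pscustomobject]@{
                Shortcut         = $file.FullName
                ExtensionPath    = $extPath
                ExtensionPresent = [bool]$manifest
                Name             = $manifest.name
                Version          = $manifest.version
                DefaultLocale    = $manifest.default_locale
                RiskyPermissions = ($risky -join ', ')
                Suspicious       = ($manifest.name -eq 'Google Plugin') -or
                                   ($manifest.default_locale -eq 'pt_BR') -or
                                   ($risky.Count -ge 3)
            }
        }
    }
}

# Show anything that matches the report's traits or points at a directory that is gone.
Get-SideloadedChromeExtension | Where-Object { $_.Suspicious -or -not $_.ExtensionPresent } | Format-List
```

Because the browser itself is not hooked, a hit here is the whole persistence mechanism: removing the shortcut and the extension directory (and the EXT.dat watchdog the report mentions) is what an analyst would look at next.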

After the extension is deployed and installed, the dropper writes three additional files under %appdata%/local/*/:

  • EXT.dat
  • RB.dat
  • EML.dat

The malware runs a watchdog on the EXT.dat file and will re-write it after any removal attempt.

Using the modified extension, the attacker can collect user information from cookies. Some of the collected information includes the following fields:

  • “url”
  • “tabid”
  • “PASSANDO PARAMETRO”
  • “cookie”
  • “name”
  • “domain”
  • “value”
  • “expired”
  • “FormData”
  • “WEBMAIL”
  • “LoginForm[password]”
  • “CHECKBOX_TROCA_SENHA”
  • “ccnumber”

We suspect that the malware uses this extension to grab the victim’s cookies and use them from another device to ride the victim’s active session. With this method, the attacker won’t need to continue controlling the victim’s machine.

Note that some of the strings in the collected data remain written in Portuguese. Another tidbit that connects Grandoreiro variants to Brazil is the “default_locale” setting within the malicious browser extension code that is set to “pt_BR” (likely meaning Portuguese_Brazil).

Figure 5: Grandoreiro — Brazilian origins

Victim Monitoring

Once active on the infected device, Grandoreiro waits in the background for the victim to take an action that will trigger it, such as browsing to a targeted bank’s website. That’s when the attack would invoke the remote-access feature of the malware and engage with the victim in real time by launching malicious images on their screen to trick them into keeping the session alive and providing information that can help the attacker.

The images are premade to look like the targeted bank’s interface, and the attacker can launch them in real time.

Grandoreiro: Brazil and Spain Code Versions Closely Related

After discovering Grandoreiro attacks in Spain, our team looked into the code for modifications. We established that the source codes are 80–90 percent identical. It stands to reason that the attackers deploying Grandoreiro in Spain have some tie to those operating it in Brazil.

Figure 6: Grandoreiro versions in Spain and Brazil are 80–90 percent similar

Simplistic Banking Malware: If It Ain’t Broke …

Banking Trojans are a popular tool among various attackers around the globe who use them to rob the bank accounts of unsuspecting victims by infecting the devices they bank from.

In the global arena, sophisticated, modular banking Trojans like TrickBot and IcedID, operated by organized cybercrime gangs, are what we usually find being used against large banks in various countries. But that stands in stark contrast to what we continue to see in the LATAM region and wherever else the language barrier can enable the same cybercriminals to operate, namely Spanish/Portuguese-speaking countries outside of LATAM.

Notoriously simplistic malware codes reign supreme in these regions, allowing attackers of almost any skill level to obtain and use them against consumers and businesses alike. While relatively simple, this malware’s power lies in the attacker’s ability to take over devices and trick the victim in real time, within the context of their normal online banking activities.

IBM X-Force research continues to monitor these threats and keep our readers up to date on how they evolve. To read more from our teams, check out our Security Intelligence blogs, and join us on X-Force Exchange for timely indicators of compromise (IoCs) and threat intel on emerging attacks.

Weekly Security News Roundup: 24 Children’s Gaming Apps Laden With Tekya Clicker
https://securityintelligence.com/news/weekly-security-news-roundup-24-childrens-gaming-apps-laden-with-tekya-clicker/
Mon, 30 Mar 2020 12:00:25 +0000


Last week in security news, researchers found a new clicker malware called “Tekya” hidden within 24 children’s games on the Google Play store. Mobile users weren’t the only ones targeted by malicious software last week, however. Malware campaigns targeting vulnerable network-attached storage (NAS) devices, industrial environments and banking customers in Germany also came to light.

Top Story of the Week: Google Play Infiltrated by Tekya Clicker Malware

Researchers at Check Point noted that a new malware family called “Tekya” had made its way into 56 apps available for download on Google Play with a combined total of 1 million downloads worldwide. Over half (32) of those affected apps were utilities such as cooking programs, calculators, downloaders and translators. The remaining 24 apps were games designed for children.

Upon successful installation, Tekya set about committing mobile ad fraud. It did this by imitating a user’s actions to click on ads and banners from Google’s AdMob, Facebook and other agencies.

Also in Security News

  • 2FA Bypass Incorporated by Trickbot Campaign Targeting German Users: Researchers at IBM X-Force observed attackers pushing an Android app called “TrickMo” in Germany. Delivered by the Trickbot Trojan, this program bypassed two-factor authentication (2FA) measures to steal German users’ banking credentials.
  • Milum Distributed in WildPressure Operation Targeting the Middle East: Kaspersky Lab detected a new advanced persistent threat (APT) operation called “WildPressure” spreading a fully functional Trojan written in C++. This malware, originally named “Milum46_Win32.exe,” stole information from a victim’s device and exfiltrated it to its command-and-control (C&C) server.
  • Vulnerable NAS Devices Targeted by Mukashi Mirai Variant: Researchers at Palo Alto Networks spotted a new variant of Mirai called “Mukashi” leveraging brute-force attacks to target NAS products from Zyxel running firmware 5.21. The goal of those attacks was to compromise the devices, enlist them in a botnet and potentially conduct distributed denial-of-service (DDoS) attacks.
  • Oski Infostealer Seeded by New DNS Hijacking Campaign: According to Bitdefender, malicious actors set their sights on users’ home routers, changing their DNS settings so that users could be redirected to a malicious website. The campaign leveraged payloads hosted via Bitbucket to spread samples of Oski malware.
  • Google Drive Used by Downloader to Spread Advanced Malware: The Zscaler ThreatLabZ team witnessed a spam campaign using a range of email templates to target people in countries around the world. That campaign, in turn, distributed Win32.Downloader.EdLoader, a downloader that delivered its final malware payload via Google Drive.

Security Tip of the Week: Strengthen Your Organization’s Mobile Security

Security professionals can help organizations strengthen their mobile security posture by investing in capabilities that analyze suspicious behavior on corporate mobile devices and correlate it with intelligence on how digital threats normally operate. Solutions that use artificial intelligence (AI) and machine learning are a good place to start.

Additionally, infosec personnel should pursue mobile security best practices by implementing patches on a regular basis, restricting the sources from which mobile users can download apps and enforcing a robust password management strategy.
