Google Play – Security Intelligence
https://securityintelligence.com
Analysis and Insight for Information Security Professionals
Feed last built: Tue, 06 Jul 2021 21:53:52 +0000

Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy
https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/
Wed, 23 Jun 2021 19:00:00 +0000

The post Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy appeared first on Security Intelligence.


Contributed to this research: Segev Fogel, Amir Gendler and Nethanella Messer.

IBM Trusteer researchers continually monitor the evolution and attack tactics in the banking sector. In a recent analysis, our team found that an Ursnif (aka Gozi) banking Trojan variant is being used in the wild to target online banking users in Italy with mobile malware. Aside from the Ursnif infection on the victim’s desktop, the malware tricks victims into fetching a mobile app from a fake Google Play page and infects their mobile device with the Cerberus Android malware.

The Cerberus malware component of the attack is used by Ursnif’s operators to receive two-factor authentication codes sent by banks to their users when account updates and money transfer transactions are being confirmed in real-time. Cerberus also possesses other features and can enable the attacker to obtain the lock-screen code and remotely control the device.

Cerberus is an overlay-type mobile malware that emerged in mid-2019 but initially lacked advanced capabilities. It has evolved over time to eventually feature the ability to hijack SMS content and control devices remotely, alongside other sophisticated data theft features. Cerberus was peddled in the underground as commodity malware until the summer of 2020, taking over the market share of Anubis, a previous pay-per-use malware.

In September 2020, Cerberus’ development team decided to disband, spurring an auction attempt that aimed to sell off the source code to the highest bidder, starting at $100,000. The code did not sell but was instead shared with the malware’s customer base, which meant it was publicly leaked. That intentional release of the source code gave rise to numerous malware campaigns involving Cerberus and likely also led to this combined attack with the Ursnif banking Trojan.

A Combination Attack From Desktop to Smartphone

Ursnif is a very long-standing staple in the cybercrime arena, possibly the oldest banking Trojan that’s still active today. Recent campaigns featuring this malware have been most notable in Italy, where it is typically delivered to business email recipients in attachments that purport to carry invoices, delivery notices or other business correspondence. The infection chain commonly involves poisoned macros, getting past email controls by featuring productivity files most organizations use. In some campaigns, the attackers keep access to the infection zone limited to Italian-based IP addresses only.

Once infected by the Ursnif malware and upon attempting to access their online banking account, victims are advised, via web injection, that they won’t be able to continue to use their bank’s services without downloading a security app. To obtain that app, they are shown a QR code and instructed to scan it with their phone’s camera.

Figure 1: Web injection instructing infected users to download a mobile app

Looking into the QR code provided through the injection, we found a Base64 encoded string with the details.

Figure 2: Malicious QR code’s content is a Base64-encoded string

If users scan the QR code, they will open a web page on their smartphone and be sent to a fake Google Play page featuring a corresponding banking app logo of the banking brand the victim originally attempted to access. The campaign, in this case, included a number of domains that were most likely registered for that purpose and reported in other malicious activity in the past, such as hxxps://play.google.servlce.store/store/apps/details.php?id=it.[BANK BRAND].

Each of the domains hosting the fake Google Play pages used similar words or typo-squatting to appear legitimate. Some examples are:

  • google.servlce.store
  • gooogle.services
  • goooogle.services
  • play.google.servlce.store
  • play.gooogle.services
  • play.goooogle.services.

These malicious domains have been flagged on VirusTotal for a few months, with more reports accumulating over time. The malicious Android packages (APKs) that conceal the Cerberus malware spread in this campaign have been flagged since at least late 2020.
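As an added illustration (not code from the post or from IBM Trusteer), the following Python scans DNS query logs for hostnames that imitate the Google Play brand the way the domains above do: any label within edit distance 2 of "google" on a registrable domain that is not on an allowlist. The log lines, the log format and the allowlist are constructed for this example; the only real-world inputs are the campaign domains listed in the post.

```python
# Added example, not from the Security Intelligence post: flag DNS queries for
# typo-squatted Google/Play hostnames. Log lines and allowlist are constructed.
import re
from typing import List, Tuple

# Registrable domains treated as legitimate (assumption for this example).
ALLOWLIST = {"google.com", "googleapis.com", "gstatic.com"}

# Brand label the campaign imitated: "gooogle" is 1 edit away, "goooogle" is 2,
# and an exact "google" label on a foreign registrable domain is also suspicious.
BRAND_LABEL = "google"
MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels; adequate for the TLDs in this sample (no public-suffix list)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def is_lookalike(domain: str) -> bool:
    """True when a label resembles the brand and the domain is not allowlisted."""
    domain = domain.lower().strip(".")
    if registrable(domain) in ALLOWLIST:
        return False
    return any(edit_distance(label, BRAND_LABEL) <= MAX_DISTANCE
               for label in domain.split("."))


# Constructed resolver log; the suspicious names come from the post's list.
DNS_LOG = """\
2021-06-23T10:15:02Z client=10.0.0.12 query=play.google.com type=A
2021-06-23T10:15:09Z client=10.0.0.12 query=play.google.servlce.store type=A
2021-06-23T10:16:41Z client=10.0.0.31 query=gooogle.services type=A
2021-06-23T10:17:05Z client=10.0.0.31 query=example.com type=A
2021-06-23T10:18:22Z client=10.0.0.44 query=play.goooogle.services type=A
"""

QUERY_RE = re.compile(r"client=(?P<client>\S+) query=(?P<domain>\S+)")


def lookalike_hits(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, domain) pairs whose queried name looks like a Play lookalike."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_lookalike(m["domain"]):
            hits.append((m["client"], m["domain"]))
    return hits


if __name__ == "__main__":
    for client, domain in lookalike_hits(DNS_LOG):
        print(f"ALERT lookalike Play domain {domain} queried by {client}")
```

The heuristic is deliberately coarse (a label such as "googled" would also trip it), so it belongs in a triage queue rather than a blocking control; the allowlist keeps Google's own registrable domains from being flagged on the exact-match case.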

Users who do not successfully scan the QR code are asked to provide their telephone number and subsequently receive an SMS message with a download link for the malicious application; the message warns them about a potential service interruption if they fail to obtain the app.

Figure 3: Web injection instructing infected users to provide their phone number

In the background, the injection’s code couples the phone number inserted by the victim with the bot ID the Ursnif malware assigned to that infected desktop, the bank’s name the victim uses and their login credentials as grabbed by Ursnif.

Notice the use of the word ‘Jambo’ in parts of the code. It is most likely that Ursnif’s operators wrote a jQuery library to simplify HTML Document Object Model tree traversal and manipulation, using it to orchestrate their injections. Fraudsters can use the library to define the amounts to transfer from accounts and other parameters of the fraudulent transaction.

Figure 4: Injection code sending Cerberus infection URL to Ursnif-infected victims

If the victims submit their phone number on the web injection, the remote server will send back a download URL for them to unknowingly download the Cerberus malware. This injection also keeps the victims’ device identifiers linked to their bot ID and account credentials.

Figure 5: Injection code sending Cerberus infection URL to Ursnif-infected victims, additional view

Cerberus in Action

Cerberus campaigns have already been detected spreading through the official Google Play store in the past, but this distribution attempts to land on victim devices through a third-party source — the attacker’s domains. The option to sideload APKs is not enabled by default on Android devices, so the choice to deliver the malware from a non-official source may have kept the campaign from spreading to a larger number of devices.

When Cerberus is downloaded to a new device, it takes into account the original bank name the victim attempted to access when the infection process was initiated. A JavaScript function includes those details and ensures the victim continues to see a consistent message.

Here too, the ‘Jambo’ word repeats throughout the function, calling into action the jQuery library that orchestrates the malware’s script-based activity.

Figure 6: JavaScript function fetches Cerberus malware

Cerberus is being used here only as the component that allows the attackers to bypass the bank’s SMS-code verification challenge. The fraudulent transaction itself takes place on the victims’ infected desktops (Windows-based devices). While most fraud is in-session using Gozi’s SOCKS proxy capability, some access to the victim’s account came from other devices.

Ursnif’s C2 Communications

The basics of Ursnif’s command and control (C2) communications are also carried out through the same channels. Jambo.getScript sends information to srv_dom, which is the malware’s injection server in this case, used to manage the man-in-the-browser activity.

Figure 7: Injection server communications

The core commands botmasters can issue appear where the string ‘step=’ occurs. Some of the available bot actions are:

Command    Description
ADD_INFO   Send data to C2: token, SMS content, telephone, download an application.
ASK        Send communication to the C2.
GET_DROP   Check account balance on the victim’s bank account.
GOOD_TRF   Attempt to initiate a money transfer transaction.
LOGIN      Send victim’s login information to attacker’s C2 server.
PING       Check if the infected machine is currently online.

IBAN Swapping Back in Style

On the infected desktop, we are back to seeing familiar activity from the Ursnif Trojan. Since it hooks the internet browser, it takes different steps to manipulate what victims see on their screens and have them click on elements that launch the Trojan’s resources into action.

One of the actions Ursnif wishes to take here is to automate transactions that start in the desktop’s browser. To do that, it is designed to swap the international bank account number (IBAN) and bank identifier code (BIC) of legitimate transactions for those of an account the fraudster controls.

To launch its fraudulent transaction flow, Ursnif needs a function that is triggered by a click from the infected victim. It therefore attempts to replace a login button on the original bank’s webpage with its own button for the victim to click. The function launched is named ‘hookPay()’:

Figure 8: hookPay() function – Ursnif replaces IBAN number in legitimate transactions

The function used to swap the IBAN and set the transaction parameters is called ‘makeTrf()’. The transfer is set to proceed only if the account’s balance is higher than €3,000.

Figure 9: makeTrf() function – Ursnif sets up the fraudulent transaction’s parameters
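The swap succeeds because the confirmation the victim supplies is not tied to the beneficiary they saw on screen. As an added example, not code from the post or from any bank, the Python below validates the beneficiary IBAN (ISO 13616 mod-97) and derives the out-of-band confirmation code from the session, the amount and the beneficiary IBAN, so a code issued for the transfer the victim confirmed fails for a payload whose IBAN was replaced in the browser. `confirmation_code` stands in for the hard token or app on a second device that computes the code over the details the user actually confirms. The key, session id, amounts and the two IBANs are constructed; the IBANs are the standard GB and DE checksum examples, not real accounts.

```python
# Added example, not from the Security Intelligence post or any bank's code:
# bind the transaction confirmation code to amount AND beneficiary so that a
# man-in-the-browser IBAN swap is rejected server-side. All values constructed.
import hashlib
import hmac

# Constructed demo key; a real deployment keeps this in an HSM/key service.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def normalize_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 structure check (no bank or account lookup)."""
    s = normalize_iban(iban)
    if not (15 <= len(s) <= 34) or not s.isalnum() or not s[:2].isalpha():
        return False
    rearranged = s[4:] + s[:4]                      # move country+check to the end
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


def confirmation_code(session_id: str, amount_cents: int, beneficiary_iban: str) -> str:
    """6-digit code over exactly what the user is confirming (what you see is what you sign)."""
    msg = f"{session_id}|{amount_cents}|{normalize_iban(beneficiary_iban)}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def authorize_transfer(session_id: str, submitted: dict, code: str):
    """Recompute the code over the payload the browser actually sent; return (ok, reason)."""
    iban = submitted["beneficiary_iban"]
    if not iban_valid(iban):
        return False, "malformed beneficiary IBAN"
    expected = confirmation_code(session_id, submitted["amount_cents"], iban)
    if not hmac.compare_digest(expected, code):
        return False, "code does not match amount/beneficiary"
    return True, "authorized"


# Constructed scenario: the victim confirms EUR 3,000.00 to LEGIT_IBAN, while
# the injected makeTrf()-style code rewrites the beneficiary to MULE_IBAN.
LEGIT_IBAN = "GB82 WEST 1234 5698 7654 32"   # standard checksum example
MULE_IBAN = "DE89 3704 0044 0532 0130 00"    # standard checksum example


def demo():
    session = "sess-0001"
    code = confirmation_code(session, 300_000, LEGIT_IBAN)   # what the user confirmed
    honest = {"amount_cents": 300_000, "beneficiary_iban": LEGIT_IBAN}
    swapped = {"amount_cents": 300_000, "beneficiary_iban": MULE_IBAN}
    return authorize_transfer(session, honest, code), authorize_transfer(session, swapped, code)


if __name__ == "__main__":
    print(demo())
```

The binding only helps if the channel that delivers the code also shows the user the beneficiary on a device the attacker does not control; a code read out of an SMS intercepted by Cerberus authorizes whatever payload the server used to compute it. That is why the post's advice about unexpected "security apps" and unexpected maintenance notices matters as much as the server-side check.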

Injections Adapt to Security Challenge

The configuration file in this campaign targeted the customers of banking institutions in Italy, specifically business banking services. On top of that, the attackers were after e-wallet and e-commerce credentials.

Web injections were adapted to each target’s security challenge; for example, an injection instructing victims to provide numbers from a hard token.

Figure 10: Adapting web injection social engineering to security challenge

Victims are asked to enter the code they received into the web injection and are given a 90-second window to do so, likely adapted to the time allotted by the targeted bank or service provider:

Figure 11: Adapting web injection social engineering to security challenge, additional view

After receiving the data from the victim, the malware sends data to the C2 server, including authorization token, SMS content, telephone number and account login information. It then shows a .gif file that makes it appear as if the web browser is loading something. After a couple of seconds, the .gif file is hidden, and the malware continues the login process in the background.

To prevent victims from accessing the account and discovering the fraudulent activity before it is finalized, Ursnif presents a maintenance notice on the account. This notice can effectively prevent the victim from accessing the account from the infected device.

Figure 12: Victims are denied access to their bank account to hide fraudulent activity

Something Old, Something New — The Ursnif-Cerberus Combo

Banking Trojan operators have always been fans of fraud they can automate. The rollout of two-factor authentication and strong transaction authorization schemes by online banking services across the globe has caused this entire threat actor class to rethink their tactics, techniques and procedures. Over time, the incorporation of mobile malware into the overall scheme of banking Trojan fraud has become a must, since it is the only way to complete transactions. The hindrance remains that malware operators have to continue to find ways to infect more mobile devices, especially when getting into official app stores has been getting harder. Also, activating the victim for the initial setup of the automation process is another place where the criminal can fail. Fortunately, these are also the places where defenders can help prevent fraud.

Seeing Ursnif using Cerberus as its mobile malware component is new, but it is not surprising in the banking Trojan arena. Banking Trojan operators are constantly shifting tactics, but the strategy remains the same — they have to gain access to victims’ smartphones if they hope to get through security controls applied to banking and other services consumed online. Using Cerberus is also expected since the code was leaked and gave the option to any malware operator to make use of it against unsuspecting victims.

IBM Security Trusteer helps organizations detect fraud, authenticate users and establish identity trust across the omnichannel customer journey. Through cloud-based intelligence, backed by artificial intelligence and patented machine learning, Trusteer provides a holistic approach to identifying new and existing customers, while improving the user experience. More than 500 leading organizations rely on Trusteer to help secure their customers’ digital journey and support business growth. To learn more visit: https://www.ibm.com/security/fraud-protection/trusteer

To keep malware off your mobile devices, follow some security hygiene basics:

  • Don’t jailbreak a smartphone
  • Only download apps from Google Play’s official store
  • If you download from a URL, get your bank’s application via your bank’s website
  • Don’t enable sideloading; your bank or service provider will not ask you to load applications from unofficial sources
  • Check who is the developer of the app you are downloading; if it does not look right, abort the download
  • Be wary of excessive app permissions: Only allow apps to use your device for the purpose you require and not for unrelated activities
  • If it looks like there’s a new security requirement from your bank, close the browser window and call your bank with the number on the back of your card to verify what’s needed
  • If a transaction you attempted to carry out is stopped by an apparent ‘maintenance’ issue, attempt to access the account from a different device or call your bank.

IOCs

C2 Servers

*/statppaa/*

hxxp://sanpoloanalytics[.]org/pp_am/

*/statmoflsa/*

hxxp://sanpoloanalytics[.]org/lancher/

MD5 Gozi: b6921ce0f1b94a938acb6896cc8daeba
MD5 Cerberus + APK:
40b8a8fd2f4743534ad184be95299a8e17d029a7ce5bc9eaeb28c5401152460d

Phishing domains and C&C servers:

C&C:
hxxps://ecertificateboly.us/lancher/
hxxp://sanpoloanalytics.org/lancher/

Phishing:
hxxps://play.google.servlce.store/store/apps/details.php?id=it.phoenixspa.inbank
hxxps://play.gooogle.services/store/apps/details.php?id=com.paypal.android.p2pmobile
hxxps://google.servlce.store
hxxps://gooogle.services
hxxps://goooogle.services
hxxps://play.google.servlce.store
hxxps://play.gooogle.services
hxxps://play.goooogle.services

IP addresses:

SOCKS Proxy:
37.120.222.138:9955

VNC:
194.76.225.91
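As an added example (not from the post or from IBM Trusteer), the following Python refangs the indicators above and runs them over a few constructed proxy log lines, matching the C2 hosts, the wildcard C2 paths, the phishing hostnames and the SOCKS/VNC IP addresses. The log format, the internal source addresses and the destination IPs shown for the C2 hosts are constructed; the indicators themselves are copied from the post's IOC section.

```python
# Added example, not from the Security Intelligence post: match the post's
# (defanged) IOCs against constructed proxy log records.
import fnmatch
import re
from urllib.parse import urlsplit

# Indicators exactly as listed in the post, still defanged.
C2_URLS = [
    "hxxp://sanpoloanalytics[.]org/pp_am/",
    "hxxp://sanpoloanalytics[.]org/lancher/",
    "hxxps://ecertificateboly.us/lancher/",
]
C2_PATH_GLOBS = ["*/statppaa/*", "*/statmoflsa/*"]
PHISHING_DOMAINS = [
    "google.servlce.store", "gooogle.services", "goooogle.services",
    "play.google.servlce.store", "play.gooogle.services", "play.goooogle.services",
]
IOC_IPS = {"37.120.222.138": "SOCKS proxy", "194.76.225.91": "VNC"}


def refang(s: str) -> str:
    """Undo the hxxp / [.] defanging so indicators compare against live traffic."""
    return s.replace("hxxp", "http").replace("[.]", ".")


C2_HOSTS = {urlsplit(refang(u)).hostname for u in C2_URLS}
PHISHING_HOSTS = {refang(d).lower() for d in PHISHING_DOMAINS}


def classify(url: str, dst_ip: str):
    """Return (category, indicator) for one proxy record, or None if nothing matches."""
    parts = urlsplit("" if url == "-" else url)     # "-" = no URL (e.g. raw SOCKS)
    host = (parts.hostname or "").lower()
    if host in C2_HOSTS:
        return "c2", host
    for pattern in C2_PATH_GLOBS:                    # path-only IOCs from the post
        if fnmatch.fnmatch(parts.path, pattern):
            return "c2", pattern
    if host in PHISHING_HOSTS or any(host.endswith("." + d) for d in PHISHING_HOSTS):
        return "phishing", host
    if dst_ip in IOC_IPS:
        return "infra", f"{dst_ip} ({IOC_IPS[dst_ip]})"
    return None


# Constructed proxy log; destination IPs for the C2 hosts are placeholders.
PROXY_LOG = """\
2021-06-23T11:02:10Z src=10.0.0.12 dst=203.0.113.10:80 url=http://sanpoloanalytics.org/lancher/
2021-06-23T11:02:15Z src=10.0.0.12 dst=203.0.113.10:80 url=http://203.0.113.10/gate/statppaa/a.php
2021-06-23T11:05:41Z src=10.0.0.31 dst=203.0.113.20:443 url=https://play.gooogle.services/store/apps/details.php?id=com.paypal.android.p2pmobile
2021-06-23T11:09:03Z src=10.0.0.44 dst=37.120.222.138:9955 url=-
2021-06-23T11:09:30Z src=10.0.0.44 dst=93.184.216.34:443 url=https://www.example.com/
"""

RECORD_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+)")


def scan(log_text: str):
    """Return (src, category, indicator) for every record that hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        dst_ip = m["dst"].rsplit(":", 1)[0]          # strip the port
        verdict = classify(m["url"], dst_ip)
        if verdict:
            hits.append((m["src"],) + verdict)
    return hits


if __name__ == "__main__":
    for src, category, indicator in scan(PROXY_LOG):
        print(f"{src}\t{category}\t{indicator}")
```

Host and path indicators are matched independently because the post gives the `statppaa`/`statmoflsa` paths without a host; a proxy record that reaches a known C2 hostname and one that reaches an unknown host over a known C2 path both surface as `c2`.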

Google Blocks Remote Access Trojan Targeting Android
https://securityintelligence.com/news/google-blocks-remote-access-trojan-android/
Wed, 21 Apr 2021 20:00:00 +0000

The post Google Blocks Remote Access Trojan Targeting Android appeared first on Security Intelligence.


Clast82, a malware dropper that helps attackers spread the AlienBot mobile remote access Trojan and malware-as-a-service, has been detected on Google’s Play Store. After Clast82 sought to evade Google’s detection, it was patched in February. Read on to find out how enterprises can protect employees against this and other types of malware.

Inside the Malicious Dropper

Check Point found that the Clast82 malware dropper inserted malicious code into Android apps on Google Play.

Those apps started a service from MainActivity upon launch in order to begin a dropping flow known as LoaderService. The dropper also started a foreground service to drop the mobile remote access Trojan. As part of this process, Clast82 had to get around the requirement to show the user an ongoing notification. It did so by displaying a ‘neutral’ notification, such as ‘GooglePlayServices,’ with no other text.

From there, two of Clast82’s evasion techniques took effect. First, the malware dropper used Firebase as a command-and-control communication platform. Firebase responded with a configuration containing an ‘enable’ parameter whose value determined whether Clast82 triggered. By default, that parameter read ‘false.’ It changed to ‘true’ after Google published the malware dropper on its Play Store.

Second, Firebase received a payload path from GitHub and called the ‘installApp’ method to finalize and launch the payload.

Some affected devices block installations from unknown sources. In those cases, Clast82 prompted the user to allow installation every five seconds under the guise of ‘Google Play Services.’

Check Point’s researchers learned that the threat actor behind Clast82 created a new developer user for each new app on Google’s Play Store. They also created a new repository on their GitHub account. That let the attackers serve up different payloads, including the remote access Trojan.

Following their initial report on Jan. 27, Check Point notified Google about the malicious apps a day later. The tech giant confirmed on Feb. 9 that it had removed the affected apps from its Play Store.

The AlienBot Remote Access Trojan

The researchers at Check Point observed Clast82 dropping over 100 different samples of AlienBot. This mobile remote access Trojan is known for targeting financial apps with malicious code in order to steal credentials and two-factor authentication codes. At that point, the malware-as-a-service can empty the victim’s banking account, install malicious apps and/or control the infected device with TeamViewer.

AlienBot isn’t a new malware. ThreatFabric examined the mobile remote access Trojan and found that it included a fork of the first variant of Cerberus. The people behind Cerberus shut it down in 2020, after which fraudsters began switching to Alien as their preferred Android-based MaaS tool.

How to Defend Against Clast82

Organizations need to defend themselves and their users against Clast82 or another mobile remote access Trojan. They can do this by using mobile device management to limit or terminate the use of some mobile apps installed on devices that interact with corporate data. At the same time, they should consider using threat intelligence to track new digital threats and implement defensive measures as a precaution.

Joker Malware Hits Google Play with 17 Variants
https://securityintelligence.com/news/joker-malware-hits-google-play-with-17-variants/
Wed, 13 Jan 2021 12:00:00 +0000

The post Joker Malware Hits Google Play with 17 Variants appeared first on Security Intelligence.


Digital attackers uploaded 17 versions of the Joker malware family to Google’s Play Store in September 2020 as part of an ongoing effort to target Android users.

How the Attackers Bypassed Google’s Vetting Process

The Zscaler ThreatLabZ research team found on Sept. 24, 2020, that digital attackers had concealed the Joker malware versions in applications ranging from PDF scanners to Android keyboards and photo collage programs to translators.

In its study of the malicious apps, the firm found that digital attackers used one of three techniques on each occasion to evade detection by Google’s vetting systems.

The first scenario involved the download of the Joker malware payload from a URL sent over by the attackers’ command-and-control (C&C) server. The apps did this by using string obfuscation to conceal the C&C address in their code.

As for the second scenario, the malicious app dispensed with a C&C address and opted for a stager payload URL encoded in its code. The malware downloaded the stager payload in the form of an Android Package or a Dalvik executable file. This stager then retrieved the final payload URL, downloaded the payload and ran it.

For the third and final scenario, the infected app contacted its C&C server to retrieve a stage one payload URL and download the payload. This payload then obtained a stage two payload that functioned exactly as the first. That payload included a hardcoded URL for downloading the final payload.

At that point, the Joker malware got to work. It stole SMS messages and contact lists and signed the victim up for premium Wireless Application Protocol (WAP) services.

Those apps had garnered about 120,000 downloads at the time Zscaler discovered them.

Zscaler’s researchers notified the Google Android Security team about the malicious apps. Because of this, Google’s personnel removed the apps from the Play Store.

Other Recent Attacks Involving Joker Malware

The malware attack described above wasn’t the first time in 2020 that Joker made headlines. Back in February, Check Point Research found that a few new samples of the spyware and premium dialer family had infiltrated Google’s Play Store. Those samples garnered more than 130,000 downloads at the time they were found. They all appeared on Check Point’s radar at the same time as a new click malware family called Haken.

Just a few months after, Check Point once again detected Joker samples hiding in the Play Store. This time, however, they spotted the malware using an old trick from the PC threat world — concealing a dynamically loaded hex file — to evade Google’s detection. A couple of months later, Pradeo found six more apps infected with the malware. Then, at the end of September, Zimperium reported on the discovery of 64 Joker variants within the span of less than a month.

How to Defend Against Mobile Malware

Organizations can help defend against types of malware like Joker by abiding by mobile security best practices. For instance, they can use their comprehensive vulnerability management programs to keep all mobile devices up to date and to limit app installations to trusted developers on official marketplaces. Security teams can enshrine these practices into their organization’s security policies to augment those measures. They also can use ongoing security awareness training to educate the workforce about the importance of following those guidelines.

Simultaneously, organizations can consider using advanced security solutions that use AI to spot threats that prey upon mobile devices and/or other connected assets in an attempt to infiltrate the corporate network.

Minecraft-Themed Fleeceware Apps Hide Steep Fees
https://securityintelligence.com/news/minecraft-themed-fleeceware-fees/
Thu, 07 Jan 2021 18:00:00 +0000

The post Minecraft-Themed Fleeceware Apps Hide Steep Fees appeared first on Security Intelligence.


Digital attackers used Minecraft-themed fleeceware apps in the Google Play Store to prey on millions of Android users.

Surfing the Fleeceware Wave

Avast reported seven fleeceware apps to Google Play in mid-November. Most of those apps claimed to offer Minecraft-related skins, maps and/or mods for the popular game. Others offered skins for other games or advertised themes and wallpapers for Android devices.

Using those disguises, all of the apps managed to attract more than 100,000 people before Avast discovered them. Five of them boasted more than one million downloads. All of the apps Avast discovered were still up on Google’s Play Store at the time of this blog.

What Is Fleeceware?

A fleeceware app isn’t traditional Android malware in the sense that it doesn’t contain malicious code. Instead, the threat comes from excessive subscription fees that it might not clearly advertise to mobile users. Fleeceware entices a victim into downloading an app that interests them. Then, the developer counts on the user forgetting about the program and/or failing to notice the actual subscription fee.

These developers target younger users who might not pay attention to the subscription’s details. The developer fleeces the victim by tricking them into paying money for something they might not want, they might not know they have or they might have gotten elsewhere free of charge.

Fleeceware on Google Play

This wasn’t the first time fleeceware found its way into Google’s Play Store. In January 2020, SophosLabs revealed it had detected more than 20 fleeceware apps hiding out in the Android marketplace. Those apps gained a collective total of over 600 million installations. One of those apps charged users $3,639.48 annually, or $69.99 per week, for displaying daily horoscopes.

A few months later, Google updated its policies to ensure that users understood the full price of an app subscription, when free trials and introductory offers end and how to manage their app subscriptions.

That didn’t stop some people from attempting to get around Google’s policies. In August 2020, Google removed some fleeceware apps for failing to include a dismiss button and for displaying subscription information in small, light fonts.

Mobile Security Best Practices

Organizations can help defend their users against fleeceware apps, such as the ones described above, by using Mobile Device Management (MDM) to limit the functionality of apps installed on corporately owned mobile devices. They can also use ongoing security awareness training to reinforce compliance with their security policies, including a list of allowed mobile apps and app marketplaces that employees can use on their mobile devices.

Weekly Security News Roundup: Average Ransomware Demand Grew 14 Times in One Year
https://securityintelligence.com/news/weekly-security-news-roundup-average-ransomware-demand-grew-14-times-in-one-year/
Mon, 01 Jun 2020 12:00:28 +0000

The post Weekly Security News Roundup: Average Ransomware Demand Grew 14 Times in One Year appeared first on Security Intelligence.


Last week in security news, researchers revealed that the average ransomware demand grew 14 times over a one-year period from 2018 to 2019. Ransomware wasn’t the only malware category that made headlines this past week. A strain of Android malware caught researchers’ attention by limiting its malicious activity to a single capability. Yet another threat received some attention for its growing interest in creating backdoor functionality on infected Windows machines.

Top Story of the Week: A Leap in Ransomware Demand Amounts

Citing industry researchers, Group-IB revealed that the average ransom demanded from a victim increased 14 times, from $6,000 to $84,000, in the span of one year. And this observation didn’t even capture some of the largest ransomware demands of 2019.

Out of all the ransomware families, Ryuk was the worst, according to researchers. In one attack, the crypto-malware coerced two cities in Florida into handing over a combined ransom payment of $1 million. In another attack, threat actors demanded $5 million — the largest demand ever recorded, noted Group-IB — from a town in Massachusetts.


Also in Security News

  • Portuguese Banks Caught in the Crosshairs of New Grandoreiro Variant: Segurança Informática revealed that it spotted a new variant of the Grandoreiro malware family targeting Portuguese banks. This variant operated similarly to previous versions, but it also improved the way in which it communicated with its command-and-control (C&C) server.
  • Malicious Functionality of DEFENSOR ID Limited to Single Action: Researchers at ESET learned that an Android malware strain called “DEFENSOR ID” had succeeded in bypassing Google Play’s security checks. It did so by limiting its malicious functionality to a single action: requesting access to Accessibility Services for the purpose of emptying victims’ financial accounts.
  • New Flaw Allows Malicious Apps to Masquerade as Legitimate: Promon researchers detected a critical severity vulnerability that enabled malicious Android applications to camouflage themselves as legitimate programs in order to remain hidden. They named the flaw “StrandHogg 2.0” due to its similarities with the original StrandHogg flaw discovered in 2019.
  • Phishers Target Office 365 Details With Fake Supreme Court Subpoenas: A phishing campaign detected by Armorblox sent out attack emails that used “Supreme Court” as the sender identity and used authoritative language to coerce recipients into clicking a “View Subpoena” button. Those who complied found themselves redirected to a fake Office 365 login page.
  • Continued Interest in Backdoor Functionality Held by Sarwent Malware: SentinelOne came across a new sample of the Sarwent malware family that demonstrated sustained interest in using PowerShell commands and other techniques to perform backdoor functionality. Updates to the threat also provided evidence of a preference for abusing Remote Desktop Protocol (RDP).
  • Plaintext Passwords Targeted by Modified Discord Client: According to Bleeping Computer, attackers released a new version of the AnarchyGrabber malware family called “AnarchyGrabber3.” This threat abused a modified Discord client to steal users’ plaintext passwords and relied on commands to spread to victims’ friends on Discord.
  • New Versions of Valak Malware Deployed in U.S., German Campaigns: In April 2020, Cybereason identified multiple attack campaigns leveraging new variants of the Valak malware family to prey on targets in the United States and Germany. Researchers found over 30 versions of the malware, a discovery that suggests that Valak’s authors made many improvements to their creation over a short period of time.
  • Brute-Force Attacks Employed by PonyFinal Ransomware for Gaining Initial Access: Microsoft Security Intelligence revealed that a PonyFinal ransomware campaign leveraged brute-force attacks against a target organization’s systems management server as a means of gaining initial access. The campaign ultimately spread to endpoints with Java Runtime Environment (JRE) enabled to install its payload.

Security Tip of the Week: Strengthen Your Anti-Ransomware Defenses

Security professionals can help their organizations defend against a ransomware attack by making sure they have access to the latest threat intelligence. They can then use that information to stay on top of the latest ransomware attacks and techniques. Additionally, companies should leverage an endpoint management solution to monitor their endpoints for suspicious activity that could be indicative of a ransomware attack.

The post Weekly Security News Roundup: Average Ransomware Demand Grew 14 Times in One Year appeared first on Security Intelligence.

New Android Malware Channels Malicious Activity Through Accessibility Services
https://securityintelligence.com/news/new-android-malware-channels-malicious-activity-through-accessibility-services/
Tue, 26 May 2020 16:30:32 +0000

The post New Android Malware Channels Malicious Activity Through Accessibility Services appeared first on Security Intelligence.


Security researchers uncovered a new Android malware strain called “DEFENSOR ID” that channels its malicious activity through a device’s Accessibility Services.

In its analysis, ESET observed DEFENSOR ID had succeeded in infiltrating the Google Play store, sneaking past mobile security checks by reducing its malicious functionality to a single action: requesting access to a device’s Accessibility Services. This privilege enabled the malware to perform 17 commands received from the attacker, including launching an app and performing a click action remotely instructed by its handlers.

By controlling a device’s Accessibility Services, DEFENSOR ID gave attackers the ability to steal access to and subsequently empty a victim’s cryptocurrency wallet or banking account. This privilege also gave malicious actors the ability to read SMS text messages for the purpose of intercepting a victim’s two-step verification (2SV) code in the event that they had enabled this security feature on their account.

Android Malware Abusing Accessibility Services

DEFENSOR ID isn’t the first Android malware to abuse Accessibility Services in 2020. In March, for instance, McAfee witnessed the Android/LeifAccess.A Trojan exploiting this Android feature to infect a device and post fake reviews on Google Play.

In April 2020, Check Point Research observed the Black Rose Lucy malware family using a fake streaming video optimization (SVO) prompt to trick a victim into granting access to their device’s Accessibility Services. Just a couple of days later, Cybereason detailed the efforts of EventBot to steal user data from financial apps by leveraging Accessibility Services.

Defend Against DEFENSOR ID

Security professionals can help defend their organizations against Android malware such as DEFENSOR ID by creating security policies around the use of mobile devices. Those policies should limit the marketplaces and developers from which employees can download apps onto their corporate devices. Teams should also consider leveraging tools powered by artificial intelligence (AI) to help detect the latest threat behaviors circulating in the wild.

EventBot Mobile Banking Trojan Could Infect Over 200 Financial Services Apps
https://securityintelligence.com/news/eventbot-mobile-banking-trojan-could-infect-over-200-financial-services-apps/
Tue, 05 May 2020 16:25:27 +0000

The post EventBot Mobile Banking Trojan Could Infect Over 200 Financial Services Apps appeared first on Security Intelligence.


More than 200 personal finance apps are at risk of a mobile banking Trojan dubbed EventBot, which is designed to steal user data, security researchers warn.

First spotted in the wild by Cybereason, EventBot is focused on Android devices and attempts to take advantage of Android’s accessibility features.

The range of targets EventBot could potentially infect represents some of the best-known financial service mobile apps on the market. The mobile banking Trojan can even infiltrate cryptocurrency wallets such as Coinbase, researchers said.

How EventBot Makes Its Entrance

Like similar cyberthreats, EventBot makes its way onto smartphones through malicious apps designed to resemble legitimate tools, such as Microsoft Word or Adobe Flash. These programs operate as a keylogger upon installation by sending a request to the mobile OS’s accessibility services.

The Trojan runs in the background of the device and begins tracking everything typed into the smartphone once those permissions have been granted. Even notifications and text messages can be read by hackers once the malware has gained a foothold, researchers said.

The investigation suggested EventBot is a serious cybersecurity issue, given its focus on financial service apps and the fact that its approach is based on services that are critical to Android’s functionality.

The data stolen via the Trojan ranges from banking passwords to two-factor authentication (2FA) codes. The information can then be used for a variety of purposes, researchers added. This includes everything from hijacking financial transactions to identity theft and, of course, taking funds from a victim’s account.

EventBot is likely to evolve considerably over time. Already, researchers noted that there have been changes in the way it encrypts communication with a command-and-control (C&C) server. The threat’s authors have also added capabilities, such as a way to steal a victim’s lock code or gain access to settings that could give cybercriminals greater privileges.

Put an End to EventBot Before It Begins

IT security teams managing a fleet of Android devices for a company can defend themselves against the likes of EventBot with a robust security information and event management (SIEM) solution. Teams should also use threat intelligence to keep abreast of major variations and evolutions in the overall threat landscape.

Individual consumers, meanwhile, should always be wary of downloading apps from sources other than the official app stores: Google Play and the Apple App Store.

Weekly Security News Roundup: Shade Ransomware Authors Release 750K Decryption Keys
https://securityintelligence.com/news/weekly-security-news-roundup-shade-ransomware-authors-release-750k-decryption-keys/
Mon, 04 May 2020 12:00:26 +0000

The post Weekly Security News Roundup: Shade Ransomware Authors Release 750K Decryption Keys appeared first on Security Intelligence.


Last week in security news, the authors of Shade ransomware announced that they were releasing 750,000 decryption keys to help their remaining victims recover their files for free. Speaking of ransomware, a notorious malware-as-a-service (MaaS) botnet added crypto-ransomware capabilities, thereby augmenting its ability to target Android users. Several other botnets also attracted the attention of security researchers.

Top Story of the Week: The End of Shade Ransomware

In a GitHub post, the authors of Shade ransomware announced the publication of 750,000 decryption keys along with their own custom decryption software. The malicious actors noted that some victims might have trouble using these resources to recover their files for free. In response, those nefarious individuals vocalized their hope that security firms would use the published keys and software to create commercial decryption tools that would be easier to use.

This announcement marked the last stage of Shade ransomware’s retirement. After ceasing all distribution of their creation in late 2019, those responsible for the ransomware said that they had deleted all data and source codes relating to their activity.


Also in Security News

  • Return of Black Rose Lucy Marked by Addition of Ransomware Features: Check Point Research discovered that the Black Rose Lucy botnet had returned from a two-year hiatus by masquerading as a video player application. The digital threat leveraged this disguise to use its new ransomware features and encrypt all files identified in the device’s directories.
  • BEC Scam Launched by Florentine Banker Steals £600K: Also from Check Point Research, a threat group known as the Florentine Banker attracted security professionals’ attention by targeting at least three large financial organizations with sophisticated business email compromise (BEC) scams. In one of these attacks, the group successfully stole £600,000.
  • New Shellbot Linux Malware Launched by Outlaw Hacking Group: Yoroi Security came across a new Linux malware called Shellbot that originated from the Outlaw hacking group. Early versions of this threat arrived with a module for conducting distributed denial-of-service (DDoS) attacks, but later versions used a Monero miner and a Perl backdoor as their main elements.
  • LeetHozer Botnet Samples Share Attack Resources With Moobot: The Network Research Lab at 360 observed that the new LeetHozer botnet used the same downloader and the same unique string in its vulnerability exploitation routine as Moobot. Acknowledging those similarities, the research team posited that Moobot and LeetHozer originated from the same group of attackers.
  • Inquiry Discovered Multi-Year PhantomLance Campaign: Kaspersky launched an inquiry into a backdoor Trojan identified by another security firm back in July 2019. This effort revealed that the campaign, dubbed PhantomLance, had been active since at least 2016 and had infiltrated several app marketplaces including the Google Play store.
  • Zero-Day Flaw in Sophos Firewalls Exploited by Information Stealer: Researchers at Sophos revealed that malicious actors had exploited a zero-day flaw to achieve remote code execution on some of the security firm’s firewall products. That malicious activity enabled those actors to install the Asnarök Trojan for the purpose of stealing data from their victims.
  • High-Severity Code Injection Vulnerability Plugged in WP Plugin: In late April, Wordfence discovered a vulnerability in the Real-Time Find and Replace WordPress plugin that could enable a malicious actor to inject malicious JavaScript into an exposed site by tricking the site admin. The security firm notified the plugin’s developer, who responded by issuing a patch a few hours later.
  • Department of Labor’s FMLA Used as Lure to Target Users: IBM X-Force detected a phishing campaign in which digital attackers used the U.S. Department of Labor’s Family and Medical Leave Act (FMLA) to convince recipients to open an email attachment. Once opened, that file infected recipients with Trickbot.

Security Tip of the Week: Review Your Organization’s Ransomware Defenses

Security professionals can strengthen defenses against ransomware threats such as Shade by using an ongoing security awareness training program to build up a positive security culture in the workplace. This effort will cultivate employees’ familiarity with phishing campaigns and other social engineering attacks, thereby reducing the number of available distribution channels for attackers. In addition, infosec personnel should leverage the latest threat intelligence to stay on top of evolving ransomware campaigns.

Weekly Security News Roundup: 24 Children’s Gaming Apps Laden With Tekya Clicker
https://securityintelligence.com/news/weekly-security-news-roundup-24-childrens-gaming-apps-laden-with-tekya-clicker/
Mon, 30 Mar 2020 12:00:25 +0000

The post Weekly Security News Roundup: 24 Children’s Gaming Apps Laden With Tekya Clicker appeared first on Security Intelligence.


Last week in security news, researchers found a new clicker malware called “Tekya” hidden within 24 children’s games on the Google Play store. Mobile users weren’t the only ones targeted by malicious software last week, however. Malware campaigns targeting vulnerable network-attached storage (NAS) devices, industrial environments and banking customers in Germany also came to light.

Top Story of the Week: Google Play Infiltrated by Tekya Clicker Malware

Researchers at Check Point noted that a new malware family called “Tekya” had made its way into 56 apps available for download on Google Play with a combined total of 1 million downloads worldwide. Over half (32) of those affected apps were utilities such as cooking programs, calculators, downloaders and translators. The remaining 24 apps were games designed for children.

Upon successful installation, Tekya set about to commit mobile ad fraud. It did this by imitating a user’s actions to click on ads and banners from Google’s AdMob, Facebook and other agencies.

Also in Security News

  • 2FA Bypass Incorporated by Trickbot Campaign Targeting German Users: Researchers at IBM X-Force observed attackers pushing an Android app called “TrickMo” in Germany. Delivered by the Trickbot Trojan, this program bypassed two-factor authentication (2FA) measures to steal German users’ banking credentials.
  • Milum Distributed in WildPressure Operation Targeting the Middle East: Kaspersky Lab detected a new advanced persistent threat (APT) operation called “WildPressure” spreading a fully functional Trojan written in C++. This malware, originally named “Milum46_Win32.exe,” stole information from a victim’s device and exfiltrated it to its command-and-control (C&C) server.
  • Vulnerable NAS Devices Targeted by Mukashi Mirai Variant: Researchers at Palo Alto Networks spotted a new variant of Mirai called “Mukashi” leveraging brute-force attacks to target NAS products from Zyxel running firmware 5.21. Mukashi’s purpose behind those attacks was to compromise those devices, enlist them into a botnet and potentially conduct distributed denial-of-service (DDoS) attacks.
  • Oski Infostealer Seeded by New DNS Hijacking Campaign: According to Bitdefender, malicious actors set their sights on users’ home routers in order to change their DNS settings so that they could redirect users to a malicious website. The campaign leveraged payloads hosted via Bitbucket to spread samples of Oski malware.
  • Google Drive Used by Downloader to Spread Advanced Malware: The Zscaler ThreatLabZ team witnessed a spam campaign using various email templates to target people in various countries around the world. That campaign, in turn, distributed Win32.Downloader.EdLoader, a downloader that delivered its final malware payload via Google Drive.

Security Tip of the Week: Strengthen Your Organization’s Mobile Security

Security professionals can help organizations strengthen their mobile security posture by investing in capabilities that can analyze suspicious behavior on corporate mobile devices and correlate it with intelligence into how digital threats normally function. Solutions that use artificial intelligence (AI) and machine learning are a good place to start.

Additionally, infosec personnel should pursue mobile security best practices by implementing patches on a regular basis, restricting the sources from which mobile users can download apps and enforcing a robust password management strategy.

Geost Banking Trojan Targets Russian Banks Via Unofficial Webpages
https://securityintelligence.com/news/geost-banking-trojan-targets-russian-banks-via-unofficial-webpages/
Mon, 09 Mar 2020 15:40:20 +0000

The post Geost Banking Trojan Targets Russian Banks Via Unofficial Webpages appeared first on Security Intelligence.


Security researchers observed attackers using unofficial webpages in an attempt to target Russian financial institutions with the Geost banking Trojan.

By reverse engineering a sample of Geost, Trend Micro learned that digital attackers primarily relied on unofficial webpages with randomly generated server hostnames to distribute the banking Trojan. As such, the malware specifically targeted Android users without access to the Google Play store and those inclined to search for programs not available on Google’s official Android marketplace.

One sample discovered by Trend Micro arrived in an application with the name “установка,” which is Russian for “setting.” The app used the Google Play logo to trick users into downloading it from an obscure web server. Unsurprisingly, this program hid its logo upon successful installation. It then demanded that its victims grant it important administrator privileges, including the ability to access SMS messages for the purpose of receiving confirmation text messages from Russian banking services.

Other Malware Threats Confronting Russian Banks

Geost first attracted the security community’s attention in October 2019. At that time, Virus Bulletin published a research paper detailing the activities of the Trojan. This briefing revealed that the malware had infected 800,000 victims at the time of discovery.

It’s important to note that Geost isn’t the first banking Trojan that’s targeted Russian financial institutions. Back in June 2019, for instance, Kaspersky Lab discovered that new variants of the Riltok Trojan family had expanded beyond their normal scope of Russian banks to include organizations in France, Italy and the United Kingdom.

How to Defend Against the Geost Banking Trojan

Security professionals can help their organizations defend against the Geost banking Trojan and similar threats by preventing employees from downloading apps from unofficial marketplaces onto their work devices. Infosec personnel should also invest in a unified endpoint management (UEM) solution for the purpose of automatically uninstalling infected mobile apps upon detection.
