Malicious Actors Planting Fileless Malware on target machines using Event Logs
  • Advisory

The attack is initiated by using phishing techniques to lure the unsuspecting victim into downloading a compressed file containing two penetration testing tools, namely Cobalt Strike and SilentBreak. These tools are used to insert malware into a system’s memory -- making it “fileless”, as this ensures there are no traces of it on the system’s local drive, which makes it difficult for traditional signature-based anti-malware tools to detect.

The encrypted shellcode that contains the payload is then injected into the event logs, while the launcher is put on the disk for side-loading. The launcher isn’t harmful without the shellcode, which -- as already mentioned -- is hidden in the event logs. This will now enable a Trojan to be delivered and an attack to be executed.
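The defensive angle on the technique above is that a payload staged inside event log records looks nothing like a normal log message: it is large and either high-entropy binary or one uninterrupted encoded run. The following is an added detection sketch, not code from the advisory or from any vendor, that scores such records; the sample events, the source name "ConstructedSource" and the thresholds are all constructed assumptions for illustration.

```python
import math
import random
import re
from collections import Counter

# Constructed sample records standing in for Windows event log entries (not real log data).
# The third and fourth entries model the staging technique: a large blob written as an
# event message under an otherwise unremarkable source name.
_rng = random.Random(1)  # seeded so the high-entropy sample is reproducible
SAMPLE_EVENTS = [
    {"id": 1000, "source": "Application Error",
     "message": b"Faulting application name: example.exe, version: 1.0.0.0"},
    {"id": 7036, "source": "Service Control Manager",
     "message": b"The Example Service entered the running state. " * 40},
    {"id": 1, "source": "ConstructedSource",
     "message": bytes(_rng.getrandbits(8) for _ in range(8192))},  # binary chunk
    {"id": 2, "source": "ConstructedSource",
     "message": b"4d5a90" * 600},  # long hex-looking run: low entropy, but still not log text
]

TEXT_BYTES = re.compile(rb"[\x20-\x7e\t\r\n]")
ENCODED_BLOB = re.compile(rb"^(?:[0-9A-Fa-f]+|[A-Za-z0-9+/]+={0,2})$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 for English text, close to 8 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_payload(message: bytes, min_len: int = 1024,
                       entropy_threshold: float = 6.0, text_ratio_min: float = 0.8) -> bool:
    """Flag a message that is long and either high-entropy, mostly non-text bytes, or a
    single hex/base64 run. Thresholds are assumed starting points, not tuned values."""
    if len(message) < min_len:
        return False
    if shannon_entropy(message) >= entropy_threshold:
        return True
    text_ratio = len(TEXT_BYTES.findall(message)) / len(message)
    if text_ratio < text_ratio_min:
        return True
    return ENCODED_BLOB.match(message.strip()) is not None

def find_suspicious(events) -> list:
    """Return (id, source) for each record whose message looks like a staged payload."""
    return [(e["id"], e["source"]) for e in events if looks_like_payload(e["message"])]

if __name__ == "__main__":
    for eid, src in find_suspicious(SAMPLE_EVENTS):
        print(f"suspicious event id={eid} source={src!r}")
```

On a real host the same scoring would be run over exported event records (for example the output of an event log export tool), with the flagged source names then correlated against the side-loaded launcher's process activity.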

Novel Use of Chatbots in Phishing Schemes
  • Advisory

The phishing process begins with an email purporting to contain parcel delivery information and impersonating the DHL shipping brand. Unlike traditional phishing links, which take the victim directly to a webpage that requests sensitive information and other personally identifiable information (PII), this method attempts to initiate a conversation first with a chatbot before sneakily directing the victim to the actual phishing pages where sensitive information and PII will be obtained. It may even include a bogus CAPTCHA page in an attempt to gain the victim's trust. Furthermore, the victim may be redirected to a phishing page that requires the victim to enter vendor account credentials before proceeding to a payment step, ostensibly to cover shipping costs. The final "Secure Pay" page includes the standard credit card payment fields, such as cardholder name, card number, expiration date, and CVV code. The method of delivery remains email.

Dangerous Malware Targets Android Devices
  • Advisory

The malware is typically distributed via a sophisticated phishing campaign or social media posts that direct the victim to a bogus site of a popular service and trick them into downloading an app laced with the trojan. The malware will then scan the device to determine which apps are installed and send the results back to the command and control (C2) server. It will then request 43 permissions from the victim's device, which, if granted, give the threat actors complete access to the compromised device. Deeper technical analysis of the malware revealed that it can grant itself permissions (via the Accessibility service) upon installation, including SMS access, contact access, system alert window creation, audio recording, and full storage read and write access. When the victim tries to launch the genuine application, the injection takes place and a phishing page is loaded on top of the actual GUI. The credentials are sent to the same C2 that supplied the injections.

Nigeria Scammers Using Agent Tesla Remote Access Trojan (RAT) In Financial Scams
  • Advisory

The malware was allegedly used by the scammers to reroute financial transactions and steal confidential data from oil and gas organizations in South East Asia, the Middle East, and North Africa. The primary mode of distribution is phishing emails with malicious attachments, followed by malicious online advertisements, social engineering, and software 'cracks.' Furthermore, the majority are distributed through spam emails disguised as invoices, shipment documents, and purchase orders, with file names such as 'Invoice', 'Shipment', or 'P.O.' (Purchase Order).

A number of samples were gathered that were disguised as files with the .pdf and .xlsx extensions. If the infection succeeds, reconnaissance is carried out and account credentials are stolen in order to carry out a BEC attack.

New WhatsApp OTP Scam Using Call Forwarding Trick
  • Advisory

The attack is typically launched via vishing, with the hacker convincing the victim to dial a Man Machine Interface (MMI) code that enables call forwarding when the line is busy or the network is unavailable. These MMI codes typically begin with a '*' or a '#'. The attacker will pose as a representative of a bank, phone company, or government agency, and will sound convincing. When the victim enters this code, all of their phone calls are forwarded to the attacker's phone number. Once the victim has entered the code, the hacker initiates the WhatsApp recovery process for the victim's WhatsApp account on their own device, choosing the option of receiving the OTP via phone call. Because the victim's phone is engaged, the code is delivered directly to the attacker's phone. The hacker is able to complete the registration process as soon as the OTP is received, taking over the victim's WhatsApp account while they are logged out.

New Emotet Malware Stealing Credit Card Info from Google Chrome Users
  • Advisory

The malware is distributed via an elaborate phishing campaign that includes malware-laden attachments – most of which are Microsoft Office files. Among the other attachments are archives, executables, and scripts. To gain access, the malware exploits the Microsoft Office memory corruption vulnerability CVE-2017-11882. Forty-five percent of this malware was detected in an Office attachment. Of these attachments, 33 percent were spreadsheets, 29 percent executables and scripts, 22 percent archives, and 11 percent documents. Additionally, 14 percent of the email malware had bypassed at least one email gateway security scanner before it was captured. Other notable differences in Emotet's latest incarnation include the use of 64-bit shellcode in attacks, as well as more advanced PowerShell and active scripts.

The Emotet Botnet is intended to steal credit card information from Google Chrome user profiles. The credit card stealer module appears to be designed specifically for Google Chrome. The malware sends the credit card information extracted from the user's Chrome profile back to its command-and-control (C2) server. However, the C2 server to which the information is sent is not the same as the one that deployed the card stealer.
