The apps are distributed through the Google Play Store, Android's official app distribution platform. The adware degrades the user experience, drains the battery, heats up the device and can even lead to unauthorized charges through the unwanted advertisements it displays. The malware also tries to conceal itself by masquerading as something else on the host device, and it earns money for its remote operators by forcing the victim to view or click affiliate advertisements. The identified apps are:
The primary mode of distribution is via shady cryptocurrency websites that try to get the intended victim to manually download APKs and install them on their devices. There is also an ongoing smishing (phishing via SMS) campaign driving installs. Upon installation, the malicious app requests permissions, including access to the Accessibility API. Abusing the Accessibility API lets the malware persist on the infected device and perform actions (taps, text entry, dismissing dialogs) without any user interaction. The malware then connects to its Command-and-Control (C2) server and sends a list of the apps installed on the infected device. The goal is to determine which banking apps the victim uses, so that the C2 can return matching overlays of those apps' login screens and harvest the credentials typed into them. The malware has been found in clones of legitimate applications such as TheCryptoApp and in a bogus cryptocurrency mining app called Mining X.
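The two device-side indicators in the chain above are a sideloaded APK and an accessibility service granted to it. The following script is an added example, not code from the original report or from the malware's authors: it cross-references the installer of each third-party package (as printed by `adb shell pm list packages -3 -i`) with the components listed in the `enabled_accessibility_services` secure setting, and reports packages that hold accessibility access but did not come from a trusted store. The sample outputs, package names and the trusted-installer list are constructed for the example; on a real device you would paste in the actual adb output and extend the trusted list with any MDM or OEM store you use.

```python
import re

# Constructed sample output of `adb shell pm list packages -3 -i`
# (third-party packages with the package that installed them).
# Package names are made up for this example.
PM_LIST_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.screenreader  installer=com.android.vending
"""

# Constructed sample output of
# `adb shell settings get secure enabled_accessibility_services`:
# colon-separated component names of services granted accessibility access.
ACCESSIBILITY_SETTING = (
    "com.example.sideloaded/com.example.sideloaded.OverlayService:"
    "com.example.screenreader/com.example.screenreader.ReaderService"
)

# Assumption for this example: Google Play is the only trusted installer.
TRUSTED_INSTALLERS = ("com.android.vending",)


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package (None when sideloaded or unknown)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_accessibility_services(setting: str) -> list:
    """Return the package names that own an enabled accessibility service."""
    if not setting or setting.strip() == "null":
        return []
    return [comp.split("/", 1)[0] for comp in setting.strip().split(":") if comp]


def suspicious_accessibility_apps(pm_output: str, setting: str,
                                  trusted=TRUSTED_INSTALLERS) -> list:
    """Third-party packages with accessibility access that were not installed
    from a trusted store. Packages absent from pm_output are system apps
    (the -3 listing excludes them) and are deliberately not reported."""
    installers = parse_installers(pm_output)
    return [
        (pkg, installers[pkg])
        for pkg in parse_accessibility_services(setting)
        if pkg in installers and installers[pkg] not in trusted
    ]


if __name__ == "__main__":
    for pkg, inst in suspicious_accessibility_apps(PM_LIST_OUTPUT, ACCESSIBILITY_SETTING):
        print(f"REVIEW: {pkg} holds accessibility access, installer={inst}")
```

A hit is a lead, not a verdict: legitimate screen readers and automation tools also use accessibility services, so confirm the flagged package's origin and behaviour before removing it.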
The attack begins with an email informing the intended victim that their Facebook page violates Community Standards and will be deleted unless they appeal within two days. The user is encouraged to click a big, bold, blue "Appeal Now" link, which supposedly leads to the "support inbox."
Clicking the link opens a Messenger conversation with a chatbot behind a Facebook page called "Page Support," which has no followers and little to no activity. The chatbot sends a brief message explaining why the user's page has been marked for "permanent deletion" and tells the user they can appeal by clicking another "Appeal Now" link. That link takes the victim to a website outside Facebook's control: the phishing page (appeal-59321958.web.app/appeal.html) is hosted on Firebase's web.app domain, not on Facebook infrastructure. To "process the appeal," the page requests Personally Identifiable Information (PII) such as the victim's email address, mobile phone number, name and page name. When the form is submitted, a pop-up window asks for the account password. Once the password is entered, the victim is taken to a fake Facebook page requesting a two-factor authentication code. Checks have revealed that this page accepts any code; it is there only to make the whole process look legitimate. Finally, the victim is redirected to Facebook's real intellectual property and guidelines page.
The SessionManager backdoor is installed as a malicious native module inside Internet Information Services (IIS), Microsoft's web server, which hosts web applications for Microsoft solutions such as Exchange. According to Kaspersky, its low detection rate is also cause for concern: some of its samples were not detected by some of the more popular online file-scanning services.
Some of SessionManager’s capabilities are:
End-of-support is the point at which a vendor stops supporting a product or service, typically after releasing a newer version and retiring the previous ones. According to Microsoft's lifecycle page for Windows 8.1, "on January 10, 2023, Windows 8.1 will no longer receive security updates, non-security updates, bug fixes, technical support, or online technical content updates."
This marks the end of an operating system that was released in 2013 as a major update to Microsoft's touch-oriented Windows 8.
The following Windows 8.1 editions will be affected:
Furthermore, Microsoft 365 apps will no longer be supported on Windows 8.1, because the operating system will no longer meet their system requirements.
Luna is written in the Rust programming language, which makes cross-platform builds straightforward and hinders static analysis; in fact, the Linux and ESXi variants are compiled from the same source code, while the Windows variant differs only slightly. It also encrypts files using a combination of AES (Advanced Encryption Standard) and Curve25519 (Diffie-Hellman key exchange in X25519), which is quite unusual for ransomware.
Because it was only recently discovered, the mode of delivery and target base have yet to be determined.
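The point of pairing a symmetric cipher with X25519 is that the malware never has to carry a decryption secret: the operators' public key is embedded, each victim gets a fresh ephemeral key pair, and the AES key is derived from the shared secret so that only the holder of the operators' private key can recompute it. The following is an added example, not Luna's code and not from the original report: a pure-Python X25519 (RFC 7748, checked against the RFC's own test vectors, not constant-time) plus the two halves of such a key-wrapping scheme. Deriving the file key as SHA-256 of the shared secret is an assumption made for the example (a real design would use a proper KDF), and the symmetric encryption step itself is left out, since the standard library has no AES; the 32-byte result is what would be fed to AES-256.

```python
import hashlib
import os

# ---- X25519 scalar multiplication (RFC 7748, section 5); educational, not constant-time ----
P = 2**255 - 19
A24 = 121665


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127  # the RFC requires masking the unused high bit
    return int.from_bytes(b, "little") % P


def x25519(scalar: bytes, u: bytes) -> bytes:
    k, x1 = _clamp(scalar), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):           # Montgomery ladder
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


BASEPOINT = (9).to_bytes(32, "little")


def keypair(seed: bytes = None):
    priv = seed if seed is not None else os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def rfc7748_self_test() -> bool:
    """Section 6.1 vectors from RFC 7748 (Alice/Bob Diffie-Hellman)."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pub, b_pub = x25519(a, BASEPOINT), x25519(b, BASEPOINT)
    return (a_pub.hex() == "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
            and b_pub.hex() == "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
            and x25519(a, b_pub) == x25519(b, a_pub)
            and x25519(a, b_pub).hex() == "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


# ---- the hybrid pattern: attacker public key embedded, per-victim ephemeral key ----
def victim_side_file_key(attacker_pub: bytes, eph_seed: bytes = None):
    """Run on the victim. Returns (ephemeral public key to store beside the
    ciphertext, AES key). The ephemeral private key is never written anywhere."""
    eph_priv, eph_pub = keypair(eph_seed)
    file_key = hashlib.sha256(x25519(eph_priv, attacker_pub)).digest()  # assumption: SHA-256 as KDF
    return eph_pub, file_key


def attacker_side_recover_key(attacker_priv: bytes, eph_pub: bytes) -> bytes:
    """Run by the operators, who alone hold attacker_priv."""
    return hashlib.sha256(x25519(attacker_priv, eph_pub)).digest()


if __name__ == "__main__":
    assert rfc7748_self_test()
    op_priv, op_pub = keypair()                  # generated offline by the operators
    eph_pub, key = victim_side_file_key(op_pub)  # only op_pub ships with the malware
    print("recovered" if attacker_side_recover_key(op_priv, eph_pub) == key else "mismatch")
```

The consequence for responders is that extracting the embedded public key from a sample is not enough to decrypt files; recovery needs either the operators' private key or an implementation flaw (for example, an ephemeral private key or derived key left on disk or in memory).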