Ransomware Attack Warning
  • Advisory

The USB drives contain so-called 'BadUSB' attacks. BadUSB exploits the USB standard's versatility: it lets an attacker reprogram a USB drive to emulate a keyboard and inject keystrokes and commands on a computer, install malware before the operating system boots, or spoof a network card and redirect traffic. Numerous attack tools are installed in the process, allowing exploitation of PCs, lateral movement across a network, and installation of additional malware. The tools were used to deploy multiple ransomware strains, including BlackMatter and REvil. This attack has been seen in the US, where the USB drives were sent in the mail through the Postal Service and Parcel Service. One type contained a message impersonating the US Department of Health and Human Services and claimed to be a COVID-19 warning. Other malicious USBs were sent in the post with a gift card claiming to be from Amazon.

SMS-Based Malware Infecting Mobile Devices
  • Advisory

TangleBot Android malware is installed when an unsuspecting user clicks on a malicious link in an SMS message disguised either as COVID-19 vaccination appointment information or as a notice about fake local power outages due to occur. The aim of both messages is the same: to encourage potential victims to follow a link that supposedly offers detailed information. Once on the page, users are asked to update applications such as Adobe Flash Player to view the page's content, going through nine (9) dialogue boxes to accept different permissions that allow the malware operators to initiate the malware configuration process.

WordPress Themes and Plugins Vulnerabilities
  • Advisory

The infected extensions contained a dropper for a web shell that gives the attackers full access to the infected sites. When downloaded or installed directly from the WordPress[.]org directory, the same extensions worked fine. Some of the infected websites discovered using this backdoor had spam payloads dating back nearly three years, indicating that the actors behind the operation were selling access to the sites to operators of other spam campaigns. Cybersecurity firm eSentire revealed how compromised WordPress websites belonging to legitimate businesses are used as a hotbed for malware delivery, serving an implant called GootLoader to unsuspecting users searching for postnuptial or intellectual property agreements on search engines like Google. A total of 10,359 WordPress plugin vulnerabilities have been discovered to date. Among the plugins affected are Login/Signup Popup (Inline Form + Woocommerce), Side Cart Woocommerce (Ajax), and Waitlist Woocommerce (Back in stock notifier). The vulnerability stems from a lack of validation when processing AJAX requests, allowing an attacker to set the "users can register" option (i.e., anyone can register) on a site to true and the "default role" setting (i.e., the default role of users who register at the blog) to administrator, granting complete control.
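The AJAX weakness described above comes down to a handler that writes site options without checking who is asking. The following PHP, added here as an illustration and not taken from the advisory or from any of the named plugins, shows the unsafe pattern next to a hardened version of the same endpoint. The action name `demo_save_setting`, the nonce action `demo_settings` and the option names `demo_popup_enabled` and `demo_popup_title` are assumptions for the example; `add_action`, `check_ajax_referer`, `current_user_can`, `update_option`, `sanitize_key`, `sanitize_text_field`, `wp_unslash` and `wp_send_json_*` are standard WordPress functions.

```php
<?php
// Added example (hypothetical plugin code, not from the advisory or the named plugins).

// --- VULNERABLE pattern ---------------------------------------------------
// Registered for logged-in AND anonymous callers, and writes whatever option
// name/value the request supplies. Any visitor can therefore flip
// users_can_register and default_role, exactly the outcome the advisory describes.
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_setting', 'demo_save_setting_vulnerable' );

function demo_save_setting_vulnerable() {
    // No nonce check, no capability check, no allowlist of option names.
    update_option( $_POST['option'], $_POST['value'] );
    wp_send_json_success();
}

// --- HARDENED pattern -----------------------------------------------------
// Only the wp_ajax_ (authenticated) hook is registered; there is deliberately
// no wp_ajax_nopriv_ hook, so anonymous requests never reach this code.
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_hardened' );

function demo_save_setting_hardened() {
    // 1. CSRF protection: the request must carry a nonce generated for
    //    the 'demo_settings' action (wp_create_nonce( 'demo_settings' )).
    check_ajax_referer( 'demo_settings', 'nonce' );

    // 2. Authorisation: only users who may manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist: only options this plugin owns may be written, each with a
    //    fixed validator. Core options such as users_can_register and
    //    default_role are unreachable by construction.
    $allowed = array(
        'demo_popup_enabled' => function ( $v ) { return '1' === $v ? '1' : '0'; },
        'demo_popup_title'   => 'sanitize_text_field',
    );

    $name = isset( $_POST['option'] ) ? sanitize_key( $_POST['option'] ) : '';
    if ( ! isset( $allowed[ $name ] ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    update_option( $name, call_user_func( $allowed[ $name ], $value ) );
    wp_send_json_success();
}
```

For site owners checking whether an installation has already been tampered with in this way, the two settings the advisory names can be read with WP-CLI (`wp option get users_can_register` and `wp option get default_role`); a value of `1` for the former or `administrator` for the latter on a site that does not intend open registration warrants investigation of recently created user accounts.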

New Variant of BRATA Banking Trojan Infecting Android Devices
  • Advisory

This malware initially targeted Brazilian users and was therefore named Brazilian Remote Access Tool Android (BRATA). Recently, the malware has been reported to be targeting banks and financial institutions in Italy, Latin America, Poland and the United Kingdom, with the potential of spreading to more countries across the globe. The malware has received many upgrades and changes, giving it the capability to remain undetected by virtually all malware scanning engines, and it is used to download and run the real malicious software. After a victim unknowingly installs the downloader app, they only need to accept one permission to download and install a malicious application from an untrusted source. When the victim clicks the install button, the downloader app sends a GET request to the C2 server to download the malicious .APK. In some cases, the link redirects the victim to a phishing page that looks like the bank's, which is used to steal credentials and other relevant information (e.g. PIN code, password and security questions). Once the malicious app is installed, the fraud operators can take control of the victim's infected device to perform the following:

  • Through the Accessibility Service, the malware clicks the "start now" button of the popup automatically, so the victim is unable to deny the recording/casting of their own device.
  • Remove itself from the compromised device to reduce detection.
  • Uninstall specific applications (e.g., antivirus).
  • Hide its own app icon to be less traceable by less experienced users.
  • Disable Google Play Protect to avoid being flagged by Google as a suspicious app.
  • Modify the device settings to get more privileges.
  • Unlock the device if it is locked with a secret PIN or pattern.
  • Show a phishing page.
  • Abuse the Accessibility Service to read everything shown on the screen of the infected device or to simulate clicks on the screen. This information is then sent to the attackers' C2 server.

New Zero-Day Chrome Web Browser Vulnerability
  • Advisory

The vulnerability, tracked as CVE-2022-0609, is described as a Use-After-Free (UAF) vulnerability in the Animation component. Use-After-Free is a memory corruption bug that occurs when an application attempts to use memory that is no longer assigned to it (i.e., has been freed) and that may since have been reassigned to another use.

Iranian Government-Sponsored APT Group Targets Government and Commercial Networks
  • Advisory

As part of its spearphishing campaign, MuddyWater attempts to coax targeted victims into downloading ZIP files containing either an Excel file with a malicious macro that communicates with the actor's C2 server or a PDF file that drops a malicious file onto the victim's network. MuddyWater actors have been observed exploiting publicly disclosed vulnerabilities and employing open-source tools and strategies to gain access to sensitive data on victims' systems and deploy ransomware. These actors also maintain persistence on victim networks by employing techniques such as side-loading dynamic link libraries (DLLs) to trick legitimate programs into running malware, and by obfuscating PowerShell scripts to conceal command and control (C2) functions. Furthermore, the group employs multiple malware sets, including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS, for malware loading, backdoor access, persistence and exfiltration.