Viruses and Worms

It's tax season, and scammers are a step ahead of filers, Microsoft says

The Register - Anti-Virus - 20 March 2024 - 20:30
Phishing season started early, with crims intent on hooking early filers

As the digital wolves dress in sheep's tax forms, Microsoft has thrown a spotlight on a crafty 2024 phishing expedition, unraveled in January, that preys on the unsuspecting herd of early tax filers.…

Category: Viruses and Worms

US task force aims to plug security leaks in water sector

The Register - Anti-Virus - 20 March 2024 - 19:32
From a trickle to a flood, threats now seen as too great to ignore

US government is urging state officials to band together to improve the cybersecurity of the country's water sector amid growing threats from foreign adversaries.…

Category: Viruses and Worms

London Clinic probes claim staffer tried to peek at Princess Kate's records

The Register - Anti-Virus - 20 March 2024 - 16:30
First: Not being able to buy a meat pie with a credit card. Now this

The London Clinic where the Princess of Wales had surgery at the start of this year says it is investigating claims an employee tried to access her medical records.…

Category: Viruses and Worms

Serial extortionist of medical facilities pleads guilty to cybercrime charges

The Register - Anti-Virus - 20 March 2024 - 15:33
Robert Purbeck even went as far as threatening a dentist with the sale of his child’s data

A cyberattacker and extortionist of a medical center has pleaded guilty to federal computer fraud and abuse charges in the US.…

Category: Viruses and Worms

Stalkerware usage surging, despite data privacy concerns

The Register - Anti-Virus - 20 March 2024 - 14:15
At least 31,031 people affected last year

Stalkerware has reached "pandemic proportions," according to Kaspersky, which documented a total of 31,031 people affected by the intrusive software in 2023 – up almost six percent on the prior year.…

Category: Viruses and Worms

Android malware, Android malware and more Android malware

Kaspersky Securelist - 20 March 2024 - 12:00

Introduction

Malware for mobile devices is something we come across very often. In 2023, our technologies blocked 33.8 million malware, adware, and riskware attacks on mobile devices. One of 2023’s most resonant attacks was Operation Triangulation, targeting iOS, but that was rather a unique case. Among the mobile platforms, Android remains the most popular target operating system for cybercriminals. Last month, we wrote a total of four private crimeware reports on Android malware, three of which are summarized below.

To learn more about our crimeware reporting service, you can contact us at [email protected].

Tambir

Tambir is an Android backdoor that targets users in Turkey. It disguises itself as an IPTV app, but does not manifest any such functionality. Instead, it is a full-fledged spyware application that collects SMS messages, keystrokes, etc.

Upon starting, the application shows a screen that asks the user in Turkish to enable the accessibility service. Once it is granted all the permissions, the app obtains a C2 address from a public source, such as Telegram, ICQ or Twitter/X. Next, the application shapeshifts by changing its icon to that of YouTube.

Encrypted C2 address in a chat invitation

Tambir supports more than 30 commands that it can retrieve from the C2. These include starting and stopping the keylogger, running an application specified by the attacker, sending SMS messages, dialing a number and so on.

We found certain similarities between Tambir and the GodFather malware. They both target users in Turkey and both support Telegram for retrieving a C2 server address. However, Tambir has a much richer feature set.

Dwphon

In November 2023, we stumbled upon an Android malware variant targeting mobile phones made by various Chinese OEMs. Their products were primarily intended for the Russian market. The same malware had earlier been found in the firmware of a kids' smart watch by an Israeli manufacturer, distributed mainly in Europe and the Middle East.

Dwphon comes as a component of the system update application and exhibits many characteristics of pre-installed Android malware. For example, it collects device and personal information, as well as information about third-party applications installed on the device. The exact infection path is unclear, but there is an assumption that the infected application was incorporated into the firmware as a result of a possible supply chain attack.

The malware itself consists of a number of modules that provide a range of functions:

  • Main module. Collects system information (e.g. IMSI, system language, etc.) and sends it to the C2. Commands that can be received are related to installing, downloading and deleting apps on the device, downloading files, and showing popups, among others.
  • DsSdk module. Another module that collects device information. The module has its own C2 and is unable to receive commands.
  • ExtEnabler module. This module starts and monitors other applications. Part of the module's functionality is sending a broadcast message when an application is started. Some of the samples we investigated did not contain any receiver code. We did, however, find one sample that contained it. This sample includes the Triada Trojan, which suggests a link between Dwphon and Triada, although there is insufficient evidence to support this.

Gigabud

Gigabud is an Android RAT (Remote Access Trojan), active since at least mid-2022 and first discovered in January 2023. Focused on stealing banking credentials from individuals in Southeast Asia, it initially mimicked a local airline app, but later crossed borders into other countries, such as Peru, and also changed its functionality to that of fake loan malware.

Gigabud is written in Kotlin, and obfuscated with Dexguard and later Virbox. Its various versions mimic apps created by companies in Thailand and Peru among others. Upon starting, the application shows the login screen of the app it mimics and subsequently sends the credentials, along with device information, to the C2. Next, it shows a virtual assistant, which guides the victim to apply for a loan.

It then continues by requesting the accessibility feature to be enabled – if it isn’t already. It needs this to steal credentials and mimic touch events for bypassing 2FA.

Scheme of the captured data

Apart from stealing credentials directly, Gigabud embeds a screen recording module, which streams the screen to the C2 over WebSocket or RTMP. Capturing credentials from the infected device in this way is the module's main purpose.

Gigabud contains various Chinese language artifacts. For example, the log messages are written in Chinese, the APK signature is in Chinese, and the C2 servers are located in China.

Conclusion

In 2023, we detected more than 1.3 million unique malicious installation packages targeting the Android platform and distributed in various ways. Users can protect themselves by not downloading apps from unofficial app marketplaces and by carefully reviewing the permissions that apps request. Frequently, apps do not embed any exploitation functionality and thus solely rely on the user giving them permissions. Additionally, antimalware tools help to keep your Android device clean.

If you would like to stay up to date on the latest TTPs being used by criminals, or if you have questions about our private reports, you can contact us at [email protected].

Indicators of compromise

Gigabud
043020302ea8d134afbd5bd37c05d2a8
0960de9d425b5157720f59c2901d4e3b
0677a090eb28837b1bbf3e6ab1822fdd

Dwphon
042f041108a79ac07d7b3165531faa9a
1796e678498bf9a067c43769f4096488
274b8d86042d94a6ca6823841fec6d2c

Tambir
04807757a54ce0fbc8326ea8b11f8169
06148a2e5828e6844c2a1a74030d22b6
098dac0668497d9707045bc1e10ced93

Five Eyes tell critical infra orgs: Take these actions now to protect against China's Volt Typhoon

The Register - Anti-Virus - 20 March 2024 - 11:15
Unless you want to be the next Change Healthcare, that is

The Feds and friends yesterday issued yet another warning about China's Volt Typhoon gang, this time urging critical infrastructure owners and operators to protect their facilities against destructive cyber attacks that may be brewing.…

Category: Viruses and Worms

Australian techie jailed for accessing museum's accounting system and buying himself stuff

The Register - Anti-Virus - 20 March 2024 - 02:45
Also down under, researchers find security-cleared workers leaking details of their gigs

An Australian IT contractor has been sentenced to 30 months in jail for ripping off the National Maritime Museum.…

Category: Viruses and Worms

Beijing-backed cyberspies attacked 70+ orgs across 23 countries

The Register - Anti-Virus - 19 March 2024 - 22:00
Plus potential links to I-Soon, researchers say

Chinese cyberspies have compromised at least 70 organizations, mostly government entities, and targeted more than 116 victims across the globe, according to security researchers.…

Category: Viruses and Worms

Crypto scams more costly to the US than ransomware, Feds say

The Register - Anti-Virus - 19 March 2024 - 21:00
Latest figures paint grim picture of how viciously the elderly are targeted

The FBI says investment fraud was the form of cybercrime that incurred the greatest financial loss for Americans last year.…

Category: Viruses and Worms

Crypto wallet providers urged to rethink security as criminals drain them of millions

The Register - Anti-Virus - 19 March 2024 - 15:30
Innovative Ethereum feature exploited as victims say goodbye to assets

Infosec researchers are noting rising cryptocurrency attacks and have encouraged wallet security providers to up their collective game.…

Category: Viruses and Worms

Atos says Airbus flew off, no longer interested in infosec and big data biz

The Register - Anti-Virus - 19 March 2024 - 13:30
Ailing tech integrator takes a hard hit... share price down by up to 20% this morning

Atos' share price sank as much as 20 percent this morning on confirmation that Airbus is no longer interested in buying the big data and security (BDS) parts of the crumbling tech empire.…

Category: Viruses and Worms

Threat landscape for industrial automation systems. H2 2023

Kaspersky Securelist - 19 March 2024 - 11:00

Global statistics across all threats

In the second half of 2023, the percentage of ICS computers on which malicious objects were blocked decreased by 2.1 pp to 31.9%.

Percentage of ICS computers on which malicious objects were blocked, by half year

Selected industries

In H2 2023, building automation once again had the highest percentage of ICS computers on which malicious objects were blocked of all industries that we looked at. Oil and Gas was the only industry to see a slight (0.5 pp) increase in the second half of the year.

Percentage of ICS computers on which malicious objects were blocked in selected industries

Main threat sources

The internet, email clients and removable media remained the main sources of threats to computers connected to enterprise OT networks. In the second half of 2023, the percentage of ICS computers on which malicious objects were blocked dropped for each of the main sources.

Percentage of ICS computers on which malicious objects from various sources were blocked

Malicious object categories

Malicious objects blocked by Kaspersky products on ICS computers belonged to many categories. In H2 2023, only one category saw an increase on the first half of the year: ICS computers on which miner executable files for Windows were blocked, by 1.4 times.

Percentage of ICS computers on which the activity of various categories of malicious objects was prevented

Regions

In H2 2023, the percentage of computers on which malicious activity was prevented varied across regions from 38.2% in Africa to 14.8% in Northern Europe. The percentage increased in South Asia, Eastern Europe and Southern Europe.

Regions ranked by percentage of ICS computers on which malicious objects were blocked, H2 2023

Africa

Africa leads the region rankings:

  • By percentage of ICS computers where malicious objects were blocked (all threats).
  • By percentage of ICS computers on which spyware was blocked.

    Regions ranked by percentage of ICS computers on which spyware was blocked, H2 2023

  • By percentage of ICS computers on which worms were blocked.

    Regions ranked by percentage of ICS computers on which worms were blocked, H2 2023

  • By percentage of ICS computers on which web miners were blocked.

    Regions ranked by percentage of ICS computers on which browser-based web miners were blocked, H2 2023

  • By percentage of ICS computers on which removable media threats were blocked.

    Regions ranked by percentage of ICS computers on which removable media threats were blocked, H2 2023

Southern Europe

  • Leads the regions by percentage of ICS computers on which email threats (malicious email attachments and phishing links) were blocked.

    Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H2 2023

  • Second among the regions by percentage of ICS computers on which malicious documents were blocked.
  • One of the two regions where the percentage of ICS computers on which spyware was blocked rose in the six-month period.

Eastern Europe

  • Saw the largest, among all regions, increase in the percentage of ICS computers on which malicious objects were blocked in H2 2023: 6 pp.
  • Second among the regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked.
  • In the six-month period, the region saw a rise in the percentage of ICS computers on which the following were blocked:
    • Malicious scripts and phishing pages: by 2.9 pp
    • Miner executable files for Windows: by 0.9 pp
    • Worms: by 0.43 pp (the only region where this percentage rose)
    • Denylisted internet resources: by 0.4 pp (the only region where this percentage rose).

Russia

  • Second among the regions by percentage of ICS computers on which miners in the form of executable files for Windows were blocked.

Central Asia

  • Leads the regions by percentage of ICS computers on which denylisted internet resources were blocked.

    Regions ranked by percentage of ICS computers on which denylisted internet resources were blocked, H2 2023

  • Leads by percentage of ICS computers on which miners in the form of executable files for Windows were blocked.

    Regions ranked by percentage of ICS computers on which miners in the form of executable files for Windows were blocked, H2 2023

  • Second among the regions by percentage of ICS computers on which worms were blocked.

East Asia

  • Leads the regions by percentage of ICS computers on which malware for AutoCAD was blocked.
  • Second among the regions by percentage of ICS computers on which viruses were blocked.
  • Spyware ranked second in the region among all malware categories by percentage of ICS computers on which it was blocked.

South-East Asia

  • Leader among the regions by percentage of ICS computers on which viruses were blocked.

    Regions ranked by percentage of ICS computers on which viruses were blocked, H2 2023

  • Viruses ranked third in the region among all malware categories by percentage of ICS computers on which they were blocked.

South Asia

  • Leader (along with the Middle East) among the regions by percentage of ICS computers on which ransomware was blocked.

    Regions ranked by percentage of ICS computers on which ransomware was blocked, H2 2023

Middle East

  • Leads (together with South Asia) the regions by percentage of ICS computers on which ransomware was blocked.
  • Second among the regions by percentage of ICS computers on which spyware was blocked.
  • Second among the regions by percentage of ICS computers on which web miners were blocked.

Latin America

  • Leads the regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked.

    Regions ranked by percentage of ICS computers on which malicious scripts and phishing pages were blocked, H2 2023

  • Leader by percentage of ICS computers on which malicious documents were blocked.

    Regions ranked by percentage of ICS computers on which malicious documents were blocked, H2 2023

  • Second among the regions by percentage of ICS computers on which malicious email attachments and phishing links were blocked.

Australia and New Zealand

  • The only region where the percentage of ICS computers on which malicious documents were blocked rose in the six-month period.

The full report is available on the Kaspersky ICS CERT website.

Don't be like these 900+ websites and expose millions of passwords via Firebase

The Register - Anti-Virus - 18 March 2024 - 22:29
Warning: Poorly configured Google Cloud databases spill billing info, plaintext credentials

At least 900 websites built with Google's Firebase, a cloud database, have been misconfigured, leaving credentials, personal info, and other sensitive data inadvertently exposed to the public internet, according to security researchers.…

Category: Viruses and Worms

Fujitsu: Miscreants infected our systems with malware, may have stolen customer info

The Register - Anti-Virus - 18 March 2024 - 21:30
Sneaky software slips past shields, spurring scramble

Fujitsu has confirmed that miscreants have compromised some of its internal computers, deployed malware, and may have stolen some customer information.…

Category: Viruses and Worms

More than 133,000 Fortinet appliances still vulnerable to month-old critical bug

The Register - Anti-Virus - 18 March 2024 - 20:00
A huge attack surface for a vulnerability with various PoCs available

The volume of Fortinet boxes exposed to the public internet and vulnerable to a month-old critical security flaw in FortiOS is still extremely high, despite a gradual increase in patching.…

Category: Viruses and Worms

Cyber baddies leak 70M+ files online, claim they're from AT&T

The Register - Anti-Virus - 18 March 2024 - 17:45
Telco reckons data is old, isn't from its systems

More than 70 million records, allegedly stolen from AT&T in 2021, were dumped on a cybercrime forum at the weekend.…

Category: Viruses and Worms

Cyberattack gifts esports pros with cheats, forcing Apex Legends to postpone tournament

The Register - Anti-Virus - 18 March 2024 - 14:15
Virtual gunslingers forcibly became cheaters via mystery means

Updated: Esports pros competing in the Apex Legends Global Series (ALGS) Pro League tournament were forced to abandon their match today due to a suspected cyberattack.…

Category: Viruses and Worms

Infosec teams must be allowed to fail, argues Gartner

The Register - Anti-Virus - 18 March 2024 - 08:29
But failing to recover from incidents is unforgivable because 'adrenalin does not scale'

Zero tolerance of failure by information security professionals is unrealistic, and makes it harder for cyber security folk to do the essential part of their job: recovering fast from inevitable attacks, according to Gartner analysts Chris Mixter and Dennis Xu.…

Category: Viruses and Worms

Filipino police free hundreds of slaves toiling in romance scam operation

The Register - Anti-Virus - 18 March 2024 - 06:46
875 workers liberated after falling for promises of lucrative work, nine arrested

Filipino police rescued 875 "workers" – including 504 foreigners – in a raid late last week on a firm that posed as an online gaming company but in reality operated a forced labor camp that housed romance scam operators.…

Category: Viruses and Worms