Viruses and Worms
It's tax season, and scammers are a step ahead of filers, Microsoft says
As the digital wolves dress in sheep's tax forms, Microsoft has thrown a spotlight on a crafty 2024 phishing expedition, unraveled in January, that preys on the unsuspecting herd of early tax filers.…
US task force aims to plug security leaks in water sector
US government is urging state officials to band together to improve the cybersecurity of the country's water sector amid growing threats from foreign adversaries.…
London Clinic probes claim staffer tried to peek at Princess Kate's records
The London Clinic where the Princess of Wales had surgery at the start of this year says it is investigating claims an employee tried to access her medical records.…
Serial extortionist of medical facilities pleads guilty to cybercrime charges
A cyberattacker and extortionist of a medical center has pleaded guilty to federal computer fraud and abuse charges in the US.…
Stalkerware usage surging, despite data privacy concerns
Stalkerware has reached "pandemic proportions," according to Kaspersky, which documented a total of 31,031 people affected by the intrusive software in 2023 – up almost six percent on the prior year.…
Android malware, Android malware and more Android malware
Malware for mobile devices is something we come across very often. In 2023, our technologies blocked 33.8 million malware, adware, and riskware attacks on mobile devices. One of 2023’s most resonant attacks was Operation Triangulation, targeting iOS, but that was rather a unique case. Among the mobile platforms, Android remains the most popular target operating system for cybercriminals. Last month, we wrote a total of four private crimeware reports on Android malware, three of which are summarized below.
To learn more about our crimeware reporting service, you can contact us at [email protected].
Tambir
Tambir is an Android backdoor that targets users in Turkey. It disguises itself as an IPTV app, but does not manifest any such functionality. Instead, it is a full-fledged spyware application that collects SMS messages, keystrokes, etc.
Upon starting, the application shows a screen that asks the user in Turkish to enable the accessibility service. Once it is granted all the permissions, the app obtains a C2 address from a public source, such as Telegram, ICQ or Twitter/X. Next, the application shapeshifts by changing its icon to that of YouTube.
Tambir supports more than 30 commands that it can retrieve from the C2. These include starting and stopping the keylogger, running an application specified by the attacker, sending SMS messages, dialing a number and so on.
We found certain similarities between Tambir and the GodFather malware. They both target users in Turkey and both support Telegram for retrieving a C2 server address. However, Tambir has a much richer feature set.
Dwphon
In November 2023, we stumbled upon an Android malware variant targeting mobile phones by various Chinese OEM manufacturers. Their products were primarily intended for the Russian market. The same malware had earlier been found in the firmware of a kids' smart watch by an Israeli manufacturer distributed mainly in Europe and the Middle East.
Dwphon comes as a component of the system update application and exhibits many characteristics of pre-installed Android malware. For example, it collects device and personal information, as well as information about third-party applications installed on the device. The exact infection path is unclear, but the working assumption is that the infected application was incorporated into the firmware as a result of a possible supply chain attack.
The malware itself consists of a number of modules that provide a range of functions:
- Main module. Collects system information (e.g. IMSI, system language, etc.) and sends it to the C2. Commands that can be received are related to installing, downloading and deleting apps on the device, downloading files, and showing popups, among others.
- DsSdk module. Another module that collects device information. The module has its own C2 and is unable to receive commands.
- ExtEnabler module. This module starts and monitors other applications. Part of the module’s functionality is sending a broadcast message when an application is started. Some of the samples we investigated did not contain any receiver code. We did, however, find one sample that contained it. This sample includes the Triada Trojan, which suggests a link between Dwphon and Triada, although there is insufficient evidence to support this.
Gigabud is an Android RAT (Remote Access Trojan), active since at least mid-2022 and first discovered in January 2023. Focused on stealing banking credentials from individuals in Southeast Asia, it initially mimicked a local airline app, but later crossed borders into other countries, such as Peru, and also changed its functionality to that of fake loan malware.
Gigabud is written in Kotlin, and obfuscated with Dexguard and later Virbox. Its various versions mimic apps created by companies in Thailand and Peru among others. Upon starting, the application shows the login screen of the app it mimics and subsequently sends the credentials, along with device information, to the C2. Next, it shows a virtual assistant, which guides the victim to apply for a loan.
It then continues by requesting the accessibility feature to be enabled – if it isn’t already. It needs this to steal credentials and mimic touch events for bypassing 2FA.
Apart from stealing credentials directly, Gigabud embeds a screen recording module whose main purpose is likewise to steal credentials from the infected device: it streams the screen to the C2 over WebSocket or RTMP.
Gigabud contains various Chinese language artifacts. For example, the log messages are written in Chinese, the APK signature is in Chinese, and the C2 servers are located in China.
Conclusion
In 2023, we detected more than 1.3 million unique malicious installation packages targeting the Android platform and distributed in various ways. Users can protect themselves by not downloading apps from unofficial app marketplaces and by carefully reviewing the permissions that apps request. Frequently, apps do not embed any exploitation functionality and thus rely solely on the user granting them permissions. Additionally, antimalware tools help to keep your Android device clean.
If you would like to stay up to date on the latest TTPs being used by criminals, or if you have questions about our private reports, you can contact us at [email protected].
Indicators of compromise
Gigabud
043020302ea8d134afbd5bd37c05d2a8
0960de9d425b5157720f59c2901d4e3b
0677a090eb28837b1bbf3e6ab1822fdd
Dwphon
042f041108a79ac07d7b3165531faa9a
1796e678498bf9a067c43769f4096488
274b8d86042d94a6ca6823841fec6d2c
Tambir
04807757a54ce0fbc8326ea8b11f8169
06148a2e5828e6844c2a1a74030d22b6
098dac0668497d9707045bc1e10ced93
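The three write-ups above describe behaviours a defender can turn into triage rules: Tambir asks for the accessibility service, handles and sends SMS, dials numbers and swaps its icon to YouTube's; Gigabud drives the accessibility service to mimic touches; and the IoC section lists MD5 hashes for all three families. The script below is an added example, not Kaspersky's code, that applies those rules to a small app inventory. The inventory records, the `com.example.*` package names and the placeholder hashes are constructed for the example; the IoC hashes are copied from the list above, and `com.google.android.youtube` is the real package name of the YouTube app. A real inventory would be built from `adb shell pm list packages` plus `dumpsys package` output and a hash of each base APK.

```python
"""Heuristic triage of an Android app inventory against the Tambir/Gigabud
observations and the IoC hashes from the report above (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# MD5 hashes exactly as listed in the report's "Indicators of compromise" section.
IOC_MD5 = {
    "gigabud": {
        "043020302ea8d134afbd5bd37c05d2a8",
        "0960de9d425b5157720f59c2901d4e3b",
        "0677a090eb28837b1bbf3e6ab1822fdd",
    },
    "dwphon": {
        "042f041108a79ac07d7b3165531faa9a",
        "1796e678498bf9a067c43769f4096488",
        "274b8d86042d94a6ca6823841fec6d2c",
    },
    "tambir": {
        "04807757a54ce0fbc8326ea8b11f8169",
        "06148a2e5828e6844c2a1a74030d22b6",
        "098dac0668497d9707045bc1e10ced93",
    },
}

# Real Android permission names used by the heuristics.
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
CALL_PERMS = {"android.permission.CALL_PHONE"}

# Brand labels an app may impersonate, mapped to the legitimate package name.
# Only YouTube is grounded in the report (Tambir changes its icon to YouTube's).
BRAND_PACKAGES = {"YouTube": "com.google.android.youtube"}


@dataclass
class InstalledApp:
    package: str
    label: str                # launcher label shown to the user
    apk_md5: str              # MD5 of the base APK
    permissions: set[str]     # requested permissions from the manifest
    accessibility_service: bool  # declares a BIND_ACCESSIBILITY_SERVICE service


def triage(app: InstalledApp) -> list[str]:
    """Return the list of reasons an app is suspicious (empty if none)."""
    reasons: list[str] = []

    # 1. Exact match against the published IoC hashes.
    for family, hashes in IOC_MD5.items():
        if app.apk_md5.lower() in hashes:
            reasons.append(f"APK hash matches {family} IoC")

    # 2. Accessibility service combined with SMS access (Tambir collects and
    #    sends SMS; Gigabud uses accessibility to bypass 2FA). Accessibility on
    #    its own is NOT flagged: legitimate assistive apps need it.
    if app.accessibility_service and app.permissions & SMS_PERMS:
        reasons.append("accessibility service combined with SMS permissions")

    # 3. Accessibility service combined with the ability to place calls
    #    (Tambir can dial a number on command).
    if app.accessibility_service and app.permissions & CALL_PERMS:
        reasons.append("accessibility service combined with CALL_PHONE")

    # 4. Brand impersonation: label claims a known app, package name does not match.
    legit = BRAND_PACKAGES.get(app.label)
    if legit and app.package != legit:
        reasons.append(f"label '{app.label}' but package is {app.package}, not {legit}")

    return reasons


def triage_inventory(apps: list[InstalledApp]) -> dict[str, list[str]]:
    """Map package name -> reasons, for apps with at least one finding."""
    findings: dict[str, list[str]] = {}
    for app in apps:
        reasons = triage(app)
        if reasons:
            findings[app.package] = reasons
    return findings


# Constructed inventory: one Tambir-like sample, three benign apps.
SAMPLE_INVENTORY = [
    InstalledApp("com.google.android.youtube", "YouTube",
                 "00000000000000000000000000000001", set(), False),
    InstalledApp("com.android.messaging", "Messages",
                 "00000000000000000000000000000002", set(SMS_PERMS), False),
    InstalledApp("com.example.talkback", "Screen Reader",
                 "00000000000000000000000000000003", set(), True),
    # Constructed Tambir-like entry: IPTV package now labelled "YouTube",
    # accessibility + SMS + calls, APK hash from the report's Tambir IoCs.
    InstalledApp("com.example.iptv", "YouTube",
                 "04807757a54ce0fbc8326ea8b11f8169",
                 set(SMS_PERMS) | CALL_PERMS, True),
]

if __name__ == "__main__":
    for pkg, reasons in triage_inventory(SAMPLE_INVENTORY).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

The hash rule is the only one that names a family; the behavioural rules deliberately require a combination (accessibility plus SMS or calls, or a brand label on the wrong package) so that ordinary messaging apps and genuine assistive apps are not flagged.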
Five Eyes tell critical infra orgs: Take these actions now to protect against China's Volt Typhoon
The Feds and friends yesterday issued yet another warning about China's Volt Typhoon gang, this time urging critical infrastructure owners and operators to protect their facilities against destructive cyber attacks that may be brewing.…
Australian techie jailed for accessing museum's accounting system and buying himself stuff
An Australian IT contractor has been sentenced to 30 months jail for ripping off the National Maritime Museum.…
Beijing-backed cyberspies attacked 70+ orgs across 23 countries
Chinese cyberspies have compromised at least 70 organizations, mostly government entities, and targeted more than 116 victims across the globe, according to security researchers.…
Crypto scams more costly to the US than ransomware, Feds say
The FBI says investment fraud was the form of cybercrime that incurred the greatest financial loss for Americans last year.…
Crypto wallet providers urged to rethink security as criminals drain them of millions
Infosec researchers are noting rising cryptocurrency attacks and have encouraged wallet security providers to up their collective game.…
Atos says Airbus flew off, no longer interested in infosec and big data biz
Atos' share price sank as much as 20 percent this morning on confirmation that Airbus is no longer interested in buying the big data and security (BDS) parts of the crumbling tech empire.…
Threat landscape for industrial automation systems. H2 2023
In the second half of 2023, the percentage of ICS computers on which malicious objects were blocked decreased by 2.1 pp to 31.9%.
Selected industries
In H2 2023, building automation once again had the highest percentage of ICS computers on which malicious objects were blocked of all industries that we looked at. Oil and Gas was the only industry to see a slight (0.5 pp) increase in the second half of the year.
Main threat sources
The internet, email clients and removable media remained the main sources of threats to computers connected to enterprise OT networks. In the second half of 2023, the percentage of ICS computers on which malicious objects were blocked dropped for each of the main sources.
Malicious object categories
Malicious objects blocked by Kaspersky products on ICS computers belonged to many categories. In H2 2023, only one category saw an increase on the first half of the year: ICS computers on which miner executable files for Windows were blocked, by 1.4 times.
Regions
In H2 2023, the percentage of computers on which malicious activity was prevented varied across regions from 38.2% in Africa to 14.8% in Northern Europe. The percentage increased in South Asia, Eastern Europe and Southern Europe.
Africa
Africa leads the region rankings:
- By percentage of ICS computers where malicious objects were blocked (all threats).
- By percentage of ICS computers on which spyware was blocked.
- By percentage of ICS computers on which worms were blocked.
- By percentage of ICS computers on which web miners were blocked.
- By percentage of ICS computers on which removable media threats were blocked.
- Leads the regions by percentage of ICS computers on which email threats (malicious email attachments and phishing links) were blocked.
- Second among the regions by percentage of ICS computers on which malicious documents were blocked.
- One of the two regions where the percentage of ICS computers on which spyware was blocked rose in the six-month period.
- Saw the largest, among all regions, increase in the percentage of ICS computers on which malicious objects were blocked in H2 2023: 6 pp.
- Second among the regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked.
- In the six-month period, the region saw a rise in the percentage of ICS computers on which the following were blocked:
  - Malicious scripts and phishing pages: by 2.9 pp
  - Miner executable files for Windows: by 0.9 pp
  - Worms: by 0.43 pp (the only region where this percentage rose)
  - Denylisted internet resources: by 0.4 pp (the only region where this percentage rose)
- Second among the regions by percentage of ICS computers on which miners in the form of executable files for Windows were blocked.
- Leads the regions by percentage of ICS computers on which denylisted internet resources were blocked.
- Leads by percentage of ICS computers on which miners in the form of executable files for Windows were blocked.
- Second among the regions by percentage of ICS computers on which worms were blocked.
- Leads the regions by percentage of ICS computers on which malware for AutoCAD was blocked.
- Second among the regions by percentage of ICS computers on which viruses were blocked.
- Spyware ranked second in the region among all malware categories by percentage of ICS computers on which it was blocked.
- Leader among the regions by percentage of ICS computers on which viruses were blocked.
- Viruses ranked third in the region among all malware categories by percentage of ICS computers on which they were blocked.
- Leader (along with the Middle East) among the regions by percentage of ICS computers on which ransomware was blocked.
- Leads (together with South Asia) the regions by percentage of ICS computers on which ransomware was blocked.
- Second among the regions by percentage of ICS computers on which spyware was blocked.
- Second among the regions by percentage of ICS computers on which web miners were blocked.
- Leads the regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked.
- Leader by percentage of ICS computers on which malicious documents were blocked.
- Second among the regions by percentage of ICS computers on which malicious email attachments and phishing links were blocked.
- The only region where the percentage of ICS computers on which malicious documents were blocked rose in the six-month period.
The full report is available on the Kaspersky ICS CERT website.
Don't be like these 900+ websites and expose millions of passwords via Firebase
At least 900 websites built with Google's Firebase, a cloud database, have been misconfigured, leaving credentials, personal info, and other sensitive data inadvertently exposed to the public internet, according to security researchers.…
Fujitsu: Miscreants infected our systems with malware, may have stolen customer info
Fujitsu has confirmed that miscreants have compromised some of its internal computers, deployed malware, and may have stolen some customer information.…
More than 133,000 Fortinet appliances still vulnerable to month-old critical bug
The volume of Fortinet boxes exposed to the public internet and vulnerable to a month-old critical security flaw in FortiOS is still extremely high, despite a gradual increase in patching.…
Cyber baddies leak 70M+ files online, claim they're from AT&T
More than 70 million records, allegedly stolen from AT&T in 2021, were dumped on a cybercrime forum at the weekend.…
Cyberattack gifts esports pros with cheats, forcing Apex Legends to postpone tournament
Esports pros competing in the Apex Legends Global Series (ALGS) Pro League tournament were forced to abandon their match today due to a suspected cyberattack.…
Infosec teams must be allowed to fail, argues Gartner
Zero tolerance of failure by information security professionals is unrealistic, and makes it harder for cyber security folk to do the essential part of their job: recovering fast from inevitable attacks, according to Gartner analysts Chris Mixter and Dennis Xu.…
Filipino police free hundreds of slaves toiling in romance scam operation
Filipino police rescued 875 "workers" – including 504 foreigners – in a raid late last week on a firm that posed as an online gaming company but in reality operated a forced labor camp that housed romance scam operators.…