Authored by Dexter Shin

Many government agencies provide their services online for the convenience of their citizens. Also, if this service could be provided through a mobile app, it would be very convenient and accessible. But what happens when malware pretends to be these services?

McAfee Mobile Research Team found an InfoStealer Android malware pretending to be a government agency service in Bahrain. This malware pretends to be the official app of Bahrain and advertises that users can renew or apply for driver’s licenses, visas, and ID cards on mobile. Users who are deceived by advertisements that they are available on mobile will be provided with the necessary personal information for these services without a doubt. They reach users in various ways, including Facebook and SMS messages. Users who are not familiar with these attacks easily make the mistake of sending personal information.

Detailed pretended app

In Bahrain, there’s a government agency called the Labour Market Regulatory Authority (LMRA). This agency operates with full financial and administrative independence under the guidance of a board of directors chaired by the Minister of Labour. They provide a variety of mobile services, and most apps provide only one service per app. However, this fake app promotes providing more than one service.

Figure 1. Legitimate official LMRA website

Figure 2. Fake app named LMRA

Excluding the most frequently found fake apps pretending LMRA, there are various fake apps included Bank of Bahrain and Kuwait (BBK), BenefitPay, a fintech company in Bahrain, and even apps pretending to be related to Bitcoin or loans. These apps use the same techniques as the LMRA fake apps to steal personal information.

Figure 3. Various fake apps using the same techniques

From the type of app that this malware pretends, we can guess that the purpose is financial fraud to use the personal information it has stolen. Moreover, someone has been affected by this campaign as shown in the picture below.

Figure 4. Victims of financial fraud (Source: Reddit)

Distribution method

They distribute these apps using Facebook pages and SMS messages. Facebook pages are fake and malware author is constantly creating new pages. These pages direct users to phishing sites, either WordPress blog sites or custom sites designed to download apps.

Figure 5. Facebook profile and page with a link to the phishing site

Figure 6. One of the phishing sites designed to download app

In the case of SMS, social engineering messages are sent to trick users into clicking a link so that they feel the need to urgently confirm.

Figure 7. Phishing message using SMS (Source: Reddit)

What they want

When the user launches the app, the app shows a large legitimate icon for users to be mistaken. And it asks for the CPR and phone number. The CPR number is an exclusive 9-digit identifier given to each resident in Bahrain. There is a “Verify” button, but it is simply a button to send information to the C2 server. If users input their information, it goes directly to the next screen without verification. This step just stores the information for the next step.

Figure 8. The first screen (left) and next screen of a fake app (right)

There are various menus, but they are all linked to the same URL. The parameter value is the CPR and phone numbers input by the user on the first screen.

Figure 9. All menus are linked to the same URL

The last page asks for the user’s full name, email, and date of birth. After inputting everything and clicking the “Send” button, all information inputted so far will be sent to the malware author’s c2 server.

Figure 10. All data sent to C2 server

After sending, it shows a completion page to trick the user. It shows a message saying you will receive an email within 24 hours. But it is just a counter that decreases automatically. So, it does nothing after 24 hours. In other words, while users are waiting for the confirmation email for 24 hours, cybercriminals will exploit the stolen information to steal victims’ financial assets.

Figure 11. Completion page to trick users

In addition, they have a payload for stealing SMS. This app has a receiver that works when SMS is received. So as soon as SMS comes, it sends an SMS message to the C2 server without notifying the user.

Figure 12. Payload for stealing SMS

Dynamic loading of phishing sites via Firebase

We confirmed that there are two types of these apps. There is a type that implements a custom C2 server and receives data directly through web API, and another type is an app that uses Firebase. Firebase is a backend service platform provided by Google. Among many services, Firestore can store data as a database. This malware uses Firestore. Because it is a legitimate service provided by Google, it is difficult to detect as a malicious URL.

For apps that use Firebase, dynamically load phishing URLs stored in Firestore. Therefore, even if a phishing site is blocked, it is possible to respond quickly to maintain already installed victims by changing the URL stored in Firestore.

Figure 13. Dynamically loading phishing site loaded in webview

Conclusion

According to our detection telemetry data, there are 62 users have already used this app in Bahrain. However, since this data is a number at the time of writing, this number is expected to continue to increase, considering that new Facebook pages are still being actively created.

Recent malware tends to target specific countries or users rather than widespread attacks. These attacks may be difficult for general users to distinguish because malware accurately uses the parts needed by users living in a specific country. So we recommend users install secure software to protect their devices. Also, users are encouraged to download and use apps from official app stores like Google Play Store or Apple AppStore. If you can’t find an app in these stores, you must download the app provided on the official website.

McAfee Mobile Security already detects this threat as Android/InfoStealer. For more information, visit McAfee Mobile Security.

Indicators of Compromise (IOCs)

Samples:

SHA256	Package Name	App Name
6f6d86e60814ad7c86949b7b5c212b83ab0c4da65f0a105693c48d9b5798136c	com.ariashirazi.instabrowser	LMRA
5574c98c9df202ec7799c3feb87c374310fa49a99838e68eb43f5c08ca08392d	com.npra.bahrain.five	LMRA Bahrain
b7424354c356561811e6af9d8f4f4e5b0bf6dfe8ad9d57f4c4e13b6c4eaccafb	com.npra.bahrain.five	LMRA Bahrain
f9bdeca0e2057b0e334c849ff918bdbe49abd1056a285fed1239c9948040496a	com.lmra.nine.lmranine	LMRA
bf22b5dfc369758b655dda8ae5d642c205bb192bbcc3a03ce654e6977e6df730	com.stich.inches	Visa Update
8c8ffc01e6466a3e02a4842053aa872119adf8d48fd9acd686213e158a8377ba	com.ariashirazi.instabrowser	EasyLoan
164fafa8a48575973eee3a33ee9434ea07bd48e18aa360a979cc7fb16a0da819	com.ariashirazi.instabrowser	BTC Flasher
94959b8c811fdcfae7c40778811a2fcc4c84fbdb8cde483abd1af9431fc84b44	com.ariashirazi.instabrowser	BenefitPay
d4d0b7660e90be081979bfbc27bbf70d182ff1accd829300255cae0cb10fe546	com.lymors.lulumoney	BBK Loan App

Domains:

• https[://]lmraa.com
• https[://]lmjbfv.site
• https[://]dbjiud.site
• https[://]a.jobshuntt.com
• https[://]shop.wecarerelief.ca

Firebase(for C2):

• https[://]npra-5.firebaseio.com
• https[://]lmra9-38b17.firebaseio.com
• https[://]practice-8e048.firebaseio.com

The post Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud appeared first on McAfee Blog.

Authored by Fernando Ruiz 

McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows building Android and iOS apps with .NET and C#. Dubbed Android/Xamalicious it tries to gain accessibility privileges with social engineering and then it communicates with the command-and-control server to evaluate whether or not to download a second-stage payload that’s dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps among other actions financially motivated without user consent.

The second stage payload can take full control of the infected device due to the powerful accessibility services that were already granted during the first stage which also contains functions to self-update the main APK which means that it has the potential to perform any type of activity like a spyware or banking trojan without user interaction. However, we identified a link between Xamalicious and the ad-fraud app “Cash Magnet” which automatically clicks ads, installs apps, and other actions to fraudulently generate revenue while users that installed it may earn points that are supposed to be redeemable as a retail gift card. This means that the developers behind these threats are financially motivated and drive ad-fraud therefore this might be one of the main payloads of Xamalicious.

The usage of the Xamarin framework allowed malware authors to stay active and without detection for a long time, taking advantage of the build process for APK files that worked as a packer to hide the malicious code. In addition, malware authors also implemented different obfuscation techniques and custom encryption to exfiltrate data and communicate with the command-and-control server. 

We’ve identified about 25 different malicious apps that carry this threat. Some variants have been distributed on Google Play since mid-2020. The apps identified in this report were proactively removed by Google from Google Play ahead of our reporting. McAfee is a member of the App Defense Alliance and an active partner in the malware mitigation program, which aims to quickly find Potentially Harmful Applications (PHAs) and stop them before they ever make it onto Google Play. Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices. McAfee Mobile Security detects this threat as Android/Xamalicious.  

Based on the number of installations these apps may have compromised at least 327,000 devices from Google Play plus the installations coming from third-party markets that continually produce new infections based on the detection telemetry of McAfee clients around the world. This threat remains very active. 

 

Figure 1. “Count Easy Calorie Calculator” was available on Google Play on August 2022 and carries Android/Xamalicious 

Android/Xamalicious trojans are apps related to health, games, horoscope, and productivity. Most of these apps are still available for download in third-party marketplaces.  

Previously we detected malware abusing Xamarin framework such as the open-sourced AndroSpy and forked versions of it, but Xamalicious is implemented differently. Technical details about Xamarin architecture are well documented and detail how .NET code is interpreted by Android using Mono. 

Obtaining Accessibility Services

Let’s use the app “Numerology: Personal horoscope & Number predictions” as an example. Once started it immediately requests the victim to enable accessibility services for “correct work” and provides directions to activate this permission:  

 

Figure 2. Tricking users into granting accessibility services permission 

Users need to manually activate the accessibility services after several OS warnings such as the following on the accessibility options: 

Figure 3. Accessibility services configuration prompt highlights the risks of this permission. 

Where is the malicious code? 

This is not the traditional Java code or native ELF Android application, the malware module was written originally in .NET and compiled into a dynamic link library (DLL). Then it is LZ4 compressed, and it might be embedded into a BLOB file, or directly available in the /assemblies directory on the APK structure. This code is loaded then by a native library (ELF) or by the DEX file at runtime level. In simple words, this means that in some samples the reversing of the DLL assemblies is straightforward while in others it requires extra steps to unpack them. 

The malicious code is usually available in two different assembly files in the /assemblies directory on the apk. Usually, file names are core.dll and a <package-specific>.dll.

Some malware variants has obfuscated the DLL assemblies to avoid analysis and reversing of the malicious code while others keep the original code available.  

 

Figure 4. Core.dll and GoogleService.dll contain malicious code. 

Communication with the command-and-control server

Once accessibility permissions are granted the malware initiates communication with the malicious server to dynamically load a second-stage payload.  

Figure 5. App execution and communication with the malicious server 

Collect Device Information 

Android/Xamalicious collects multiple device data including the list of installed applications obtained via system commands to determine if the infected victim is a good target for the second stage payload. The malware can collect location, carrier, and network information among device rooting status, adb connectivity configuration, for instance, if the device is connected via ADB or is rooted, the C2 will not provide a second-stage payload DLL for download. 

Method/Command	Description
DevInfo	Hardware and device information that includes:  Android Id  Brand, CPU, Model, Fingerprint, Serial  OS Version, release, SDK  Language  Developer Option status  Language  SIM Information (operator, state, network type, etc)  Firmware, firmware version
GeoInfo	Location of the device based on IP address, the malware contacts services such as api.myip.com to verify the device location and ISP data.  ISP Name  Organization  Services  FraudScore: Self-protection to identify if the device is not a real user
EmuInfo	It lists all adbProperties that in a real device are around 640 properties. This list is encoded as a string param in URL encoded format.  This data may be used to determinate if the affected client is a real device or emulator since it contains params such as:  CPU  Memory   Sensors  USB Configuration  ADB Status
RootInfo	After trying to identify if the device is rooted or not with multiple techniques the output is consolidated in this command
Packages	It uses the system commands “pm list packages -s” and “pm list packages -3” to list system and installed apps on the device.
Accessibility	It provides the status if accessibility services permissions are granted or not
GetURL	This command only provides the Android Id and it’s a request for the second-stage payload. The C2 evaluates the provided client request and returns a status and an encrypted assembly DLL.

Data Encryption in JWT 

To evade analysis and detection, malware authors encrypted all communication and data transmitted between the C2 and the infected device, not only protected by HTTPS, it’s encrypted as a JSON Web Encryption (JWE) token using RSA-OAEP with a 128CBC-HS256 algorithm however the RSA key values used by the Xamalicious are hardcoded in the decompiled malicious DLL so decryption of transmitted information is possible if C2 infrastructure is available during the analysis. 

In the Send() function Android/Xamalicious first prepares the received object, usually a JSON structure calling the function encrypt() which creates the JWT using a hardcoded RSA key. So the data is exfiltrated fully encrypted to the malware host pointing to the path  “/Updater” via HTTP POST method. 

Then it waits for the C2 response and passes it to the decrypt() function which has a hardcoded RSA private key to properly decrypt the received command which might contain a second stage payload for the “getURL” command. 

Encrypt Method: 

Figure 6. Encrypt function with hardcoded RSA Key values as XML string 

The decryption method is also hardcoded into malware which allowed the research team to intercept and decrypt the communication from the C2 using the RSA key values provided as XML string it’s possible to build a certificate with the parameters to decrypt the JWE tokens content. 

C2 evaluation

Collected data is transmitted to the C&C to determine if the device is a proper target to download a second-stage payload. The self-protection mechanism of the malware authors goes beyond traditional emulation detection and country code operator limitations because in this case, the command-and-control server will not deliver the second stage payload if the device is rooted or connected as ADB via USB or does not have a SIM card among multiple other environment validations. 

DLL Custom Encryption 

With the getURL command, the infected client requests the malicious payload, if the C&C Server determines that the device is “Ok” to receive the malicious library it will encrypt a DLL with Advanced encryption standard (AES) in Cipher block chaining (CBC) using a custom key for the client that requested it based on the device id and other parameters explained below to decrypt the code since it’s a symmetric encryption method, the same key works for encryption and decryption of the payload. 

Delivers the Payload in JWT 

The encrypted DLL is inserted as part of the HTTP response in the encrypted JSON Web Token “JWT”. Then the client will receive the token, decrypt it, and then decrypt the ‘url’ parm with AES CBC and a custom key.  

The AES key used to decrypt the assembly is unique per infected device and its string of 32 chars of length contains appended the device ID, brand, model, and a hardcoded padding of “1” up to 32 chars of length. 

For instance, if the device ID is 0123456ABCDEF010 and the affected device is a Pixel 5, then the AES key is: “0123456ABCDEF010googlePixel 5111” 

This means that the DLL has multiple layers of encryption. 

1. It’s a HTTPS protected.
2. It’s encrypted as a JWE Token using RSA-OAEP with a 128CBC-HS256 algorithm.
3. URL parameter that contains the DLL is encrypted with AES and encoded as base64 

All these efforts are related to hiding the payload and trying to stay under the radar where this threat had relative success since some variants might have been active years ago without AV detections. 

DLL Injected 

Xamalicious will name this DLL “cache.bin” and store it in the local system to finally dynamically load it using the Assembly.Load method. 

Figure 7. Loading of second stage payload using Assembly.Load method. 

Once the second stage payload has been loaded the device can be fully compromised because once accessibility permissions are granted, it can obverse and interact with any activity opening a backdoor to any type of malicious activity. 

During the analysis, the downloaded second stage payload contained a DLL with the class “MegaSDKXE” which was obfuscated and incomplete probably because the C2 didn’t receive the expected params to provide the complete malicious second stage that might be limited to a specific carrier, language, app installed, location, time zone or unknown conditions of the affected device, however, we can assure that this is a high-risk backdoor that leaves the possibility to dynamically execute any command on the affected device not limited to spying, impersonation or as a financially motivated malware. 

Cash Magnet Ad-Fraud and Xamalicious

One of the Xamalicious samples detected by McAfee Mobile generic signatures was “LetterLink” (com.regaliusgames.llinkgame) which was available on Google Play at the end of 2020, with a book icon. It was poorly described as a hidden version of “Cash Magnet”: An app that performs ad-fraud with automated clicker activity, apps downloads, and other tasks that lead to monetization for affiliate marketing. This application offers users points that are supposed to be redeemable by retail gift cards or cryptocurrency.

Figure 8a. LetterLink login page after running the app for the first time.

Figure 8b. LetterLink agreement for Cash Magnet

Originally published in 2019 on Google Play, “Cash Magnet” (com.uicashmagnet) was described as a passive income application offering users to earn up to $30 USD per month running automated ads. Since it was removed by Google the authors then infiltrated LetterLink and more recently “Dots: One Line Connector” (com.orlovst.dots) which are hidden versions of the same ad-fraud scheme.

Figure 9. LetterLink Icon that hides Cash Magnet

“LetterLink” performs multiple Xamalicious activities since it contains the “core.dll” library, it connects to the same C2 server, and it uses the same hardcoded private RSA certificate to build the JWE encrypted tokens which provide a non-repudiation proof that the developers of Cash Magnet are behind Xamalicious.

Figure 10. Cash Magnet infiltrated the app as a Game, available until the end of 2023

“Dots: One Line Connector” app is not a game, the screenshot published by Google Play does not correspond to the application behavior because once it is started it just asks for authentication credentials without any logo or reference to Cash Magnet. “Dots” does not contain the same DLLs as its predecessor, however the communication with the C2 is similar using the same RSA key parameters. We reported this app to Google and they promptly removed it from Google Play.

Affected Users 

Based on our telemetry we observed that more affected users are in the American continent with the most activity in the USA, Brazil, and Argentina. In Europe, clients also reported the infection, especially in the UK, Spain, and Germany. 

Figure 11. McAfee detections Android/Xamalicious around the world 

Conclusion 

Android applications written in non-java code with frameworks such as Flutter, react native and Xamarin can provide an additional layer of obfuscation to malware authors that intentionally pick these tools to avoid detection and try to stay under the radar of security vendors and keep their presence on apps markets. 

Avoid using apps that require accessibility services unless there is a genuine need for use. If a new app tries to convince you to activate accessibility services claiming that it’s required without a real and reasonable reason and requesting to ignore the operative system warning, then it’s a red flag. 

The second stage payload might take control of the device because accessibility permissions are granted so any other permission or action can then be performed by the malware if these instructions are provided in the injected code. 

Because it is difficult for users to actively deal with all these threats, we strongly recommend that users install security software on their devices and always keep up to date. By using McAfee Mobile Security products, users can further safeguard their devices and mitigate the risks linked with these kinds of malware, providing a safer and more secure experience. 

Android/Xamalicious Samples Distributed on Google Play: 

Package Name	App Name	Installs
com.anomenforyou.essentialhoroscope	Essential Horoscope for Android	100,000
com.littleray.skineditorforpeminecraft	3D Skin Editor for PE Minecraft	100,000
com.vyblystudio.dotslinkpuzzles	Logo Maker Pro	100,000
com.autoclickrepeater.free	Auto Click Repeater	10,000
com.lakhinstudio.counteasycaloriecalculator	Count Easy Calorie Calculator	10,000
com.muranogames.easyworkoutsathome	Sound Volume Extender	5,000
com.regaliusgames.llinkgame	LetterLink	1,000
com.Ushak.NPHOROSCOPENUMBER	NUMEROLOGY: PERSONAL HOROSCOPE &NUMBER PREDICTIONS	1,000
com.browgames.stepkeepereasymeter	Step Keeper: Easy Pedometer	500
com.shvetsStudio.trackYourSleep	Track Your Sleep	500
com.devapps.soundvolumebooster	Sound Volume Booster	100
com.Osinko.HoroscopeTaro	Astrological Navigator: Daily Horoscope & Tarot	100
com.Potap64.universalcalculator	Universal Calculator	100

Indicators of Compromise 

Hash PackageName 7149acb072fe3dcf4dcc6524be68bd76a9a2896e125ff2dddefb32a4357f47f6 com.android.accessibility.service a5de2dc4e6005e75450a0df0ea83816996092261f7dac30b5cf909bf6daaced0 com.android.accessibility.service 22803693c21ee17667d764dd226177160bfc2a5d315e66dc355b7366b01df89b com.android.callllogbacup efbb63f9fa17802f3f9b3a0f4236df268787e3d8b7d2409d1584d316dabc0cf9 com.android.dreammusic e801844333031b7fd4bd7bb56d9fb095f0d89eb89d5a3cc594a4bed24f837351 com.android.statementsandservices 5fffb10487e718634924552b46e717bbcbb6a4f9b1fed02483a6517f9acd2f61 com.android.ui.clock 81a9a6c86b5343a7170ae5abd15f9d2370c8282a4ed54d8d28a3e1ab7c8ae88e com.android.ui.clock 9c646516dd189cab1b6ced59bf98ade42e19c56fc075e42b85d597449bc9708b com.android.version.shared dfdca848aecb3439b8c93fd83f1fd4036fc671e3a2dcae9875b4648fd26f1d63 com.anomenforyou.essentialhoroscope e7ffcf1db4fb13b5cb1e9939b3a966c4a5a894f7b1c1978ce6235886776c961e com.autoclickrepeater.free 8927ff14529f03cbb2ebf617c298f291c2d69be44a8efa4e0406dea16e53e6f9 com.autoclickrepeater.free 117fded1dc51eff3788f1a3ec2b941058ce32760acf61a35152be6307f6e2052 com.browgames.stepkeepereasymeter 28a4ae5c699a7d96e963ca5ceec304aa9c4e55bc661e16c194bdba9a8ad847b7 com.devapps.soundvolumebooster b0b9a8e9ec3d0857b70464617c09ffffce55671b227a9fdbb178be3dbfebe8ed com.kolomia.mineskineditor 899b0f186c20fdbfe445b4722f4741a5481cd3cbcb44e107b8e01367cccfdda3 com.lakhinstudio.counteasycaloriecalculator e52b65fdcb77ed4f5989a69d57f1f53ead58af43fa4623021a12bc11cebe29ce com.lakhinstudio.counteasycaloriecalculator e694f9f7289677adaf2c2e93ba0ac24ae38ab9879a34b86c613dd3c60a56992d com.littleray.skineditorforpeminecraft 19ffe895b0d1be65847e01d0e3064805732c2867ce485dfccc604432faadc443 com.muranogames.easyworkoutsathome 6a3455ff881338e9337a75c9f2857c33814b7eb4060c06c72839b641b347ed36 com.Osinko.HoroscopeTaro e6668c32b04d48209d5c71ea96cb45a9641e87fb075c8a7697a0ae28929913a6 com.Potap64.universalcalculator 6953ba04233f5cf15ab538ae191a66cb36e9e0753fcaeeb388e3c03260a64483 com.regaliusgames.llinkgame 01c56911c7843098777ec375bb5b0029379b0457a9675f149f339b7db823e996 com.shvetsStudio.trackYourSleep 3201785a7de8e37e5d12e8499377cfa3a5b0fead6667e6d9079d8e99304ce815 com.turovskyi.magicofnumbers acb5de2ed2c064e46f8d42ee82feabe380364a6ef0fbfeb73cf01ffc5e0ded6b com.Ushak.NPHOROSCOPENUMBER 9b4dc1e80a4f4c798d0d87a52f52e28700b5b38b38a532994f70830f24f867ba com.Ushak.NPHOROSCOPENUMBER 1bfc02c985478b21c6713311ca9108f6c432052ea568458c8bd7582f0a825a48 com.vyblystudio.dotslinkpuzzles

The post Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices appeared first on McAfee Blog.

Short-URL services have emerged as a crucial part of the way we use the Internet. With the increasing use of social media, where the number of characters is limited, short-URL services are a useful tool for reducing a URL’s length. However, this convenience also comes with a potential risk. The anonymity provided by these services can serve as a breeding ground for online threats. This article delves deeper into the potential risks associated with using short-URL services and how you can safeguard yourself from these threats.

What are Short-URL Services?

Short-URL services are online tools that convert a long URL into a short one. These services are often free and easy to use: you simply enter the long URL you wish to shorten and the service will generate a short URL for you. This can be particularly handy for social media platforms such as Twitter, where character limits can make sharing long URLS impractical.

The short URL does not provide any clues about the destination website – it is a random mix of letters and numbers. This lack of transparency can make it difficult for users to determine the legitimacy of the link before clicking it. Consequently, this has opened a pandora’s box for cyber threats, as ill-intentioned individuals can hide malicious links behind these short URLs.

The Hidden Threats of Short-URL Services

While the brevity provided by short-URL services is a practical solution in the age of character-limited social media posts, it’s important to understand the accompanying risks. With the shortened URL, the original URL is hidden, which can make it challenging for users to discern whether the link is safe or not. This very feature is exploited by cybercriminals who mask malicious sites with short URLs, intending to trick users into visiting harmful web pages.

Phishing attacks, malware, and other types of online fraud can be hidden behind short URLs. Usually, these URLs are distributed via emails, social media, and instant messaging applications. Once clicked, these malicious links can infect a user’s device with malware or lead them to fake websites where sensitive information is collected. This manipulative tactic is known as ‘spoofing’.

→ Dig Deeper: New Malicious Clicker found in apps installed by 20M+ users

Increased Vulnerability with Short-URL Services

The practice of using short URLs has brought about an increased level of vulnerability in cyberspace. Certain security features that help in identifying a malicious website, such as examining the URL structure or the SSL certificate, are effectively nullified by the use of short URLs. As a result, even experienced internet users can fall prey to these malicious tactics. This marks a significant shift in traditional cybersecurity threats, where the danger is now hidden behind the veil of convenience.

→ Dig Deeper: “This Connection Is Not Private” – What it Means and How to Protect Your Privacy

Even more concerning is the fact that once a short URL is generated, it remains active indefinitely. This means a malicious link can continue to exist and pose a threat long after the original malicious activity has been detected and dealt with. Given the scale at which these short URLs are generated and shared across various digital platforms, the potential for harm is vast and hard to contain. 

The Role of URL Shortening Services in Cybercrime

Given the opacity provided by short-URL services, they have become a popular tool among cybercriminals. A report by the cybersecurity firm Symantec found that 87% of the malicious URLs used in massive cyber-attacks were actually short URLs. This stark statistic illustrates the size of the problem at hand and the urgent need for adequate measures to tackle it.

Short URLs are like a wolf in sheep’s clothing. They appear harmless, but the reality could be contrary. Without the ability to inspect the actual URL, users can unknowingly fall into a trap set by online fraudsters. The success of these threats relies heavily on the victim’s ignorance and the inability to determine the authenticity of the link they are clicking on. 

Case Studies of Cyber Threats Involving Short URLs

To fully comprehend the risks associated with short URLs, let’s examine a few real-life cases where short URLs were used to spread cyber threats. In one instance, a malicious short URL was used to propagate a Facebook scam that promised users a free gift card if they clicked on the link. Instead of a gift card, the link led users to a phishing site designed to steal personal information.

→ Dig Deeper: Don’t Take a Bite out of that Apple Gift Card Scam

In another instance, an email campaign used a short URL to spread the notorious Locky ransomware. The email contained an invoice with a short URL, which when clicked, downloaded the ransomware onto the user’s device. These two cases underscore the severe risks associated with short URLs and highlight the importance of exercising caution when dealing with such links.

How to Safeguard Against Threats Hidden in Short URLs

While the threats presented by short URLs are real and potentially damaging, internet users are not entirely helpless against them. There are certain measures that can be taken to avoid falling victim to these threats. Below are some of the ways to ensure safe browsing habits:

Firstly, be wary of any strange or unexpected links, even if they come from trusted sources. Cybercriminals often disguise malicious links to appear as though they are from trusted sources, in a tactic known as ‘spoofing’. However, if an email or a message seems out of character or too good to be true, it’s best to avoid clicking on the link.

Secondly, consider using URL expansion services. These services allow you to enter a shortened URL and then reveal the full URL, enabling you to see where the link will take you before you click on it. This can provide an added layer of security when dealing with unfamiliar links.

Finally, keep your devices and internet security software up to date. This is a simple but effective measure against all forms of online threats, including those hidden in short URLs. By regularly updating your devices and software, you can ensure you have the most recent security patches and protections available.

McAfee Pro Tip: Enhance your online safety and privacy by employing a secure browser. A safe browser incorporates additional security features designed to thwart unauthorized third-party activities during your web surfing sessions. Know more about safe browsing.

Role of Institutions in Mitigating Threats

While individual users can take steps to protect themselves, institutions also have a role to play in mitigating the threats associated with short URLs. Social media platforms, email providers and companies should all be invested in protecting their users from cyber threats. Implementing stricter URL policies, improving spam filters, and educating users about potential dangers can all help in reducing the risk.

Internet service providers can also have a hand in safeguarding users. For instance, they could monitor and block suspicious short URLs, or provide warnings to users about potential threats. While these measures may not completely eliminate the risk, they can greatly reduce the chances of users falling victim to cyber threats.

Moreover, there’s a growing need for regulatory policies around the usage and creation of short URLs. Instituting thorough checks before a short URL is generated could help in curbing the misuse of these services. Such checks could include verifying the authenticity of the original URL and scanning for potential threats.

Final Thoughts

Short-URL services undeniably offer a degree of convenience in this age of Twitter-length posts and character-limited updates. However, the potential threats that lurk behind these shortened links cannot be overlooked. Users and institutions need to balance the benefits of these services with the risks, and take appropriate measures to safeguard against potential threats.

While we cannot completely eliminate the risks associated with short URLs, by staying informed, exercising caution, and using tools and resources at our disposal, we can significantly reduce our vulnerability to these threats. In the end, it’s about promoting a safer Internet experience for everyone, where convenience doesn’t come at the cost of security.

Stay informed about the latest online threats plaguing the community today. Explore the insights provided by McAfee to arm yourself with the knowledge needed to protect against evolving cybersecurity challenges.

The post Short-URL Services May Hide Threats appeared first on McAfee Blog.

Recent Internet attacks have caused several popular sites to become unreachable. These include Twitter, Etsy, Spotify, Airbnb, Github, and The New York Times. These incidents have highlighted a new threat to online services: botnets powered by the Internet of Things (IoT). Distributed denial of service (DDoS) attacks have been around for over a decade and, for the most part, have been handled by network providers’ security services. However, the landscape is changing.

The primary strategy in these attacks is to control a number of devices which then simultaneously flood a destination with network requests. The target becomes overloaded and legitimate requests cannot be processed. Traditional network filters typically handle this by recognizing and blocking systems exhibiting this malicious behavior. However, when thousands of systems mount an attack, these traditional filters fail to differentiate between legitimate and malicious traffic, causing system availability to crumble.

Cybercriminals, Hacktivists, and IoT

Cybercriminals and hacktivists have found a new weapon in this war: the IoT. Billions of IoT devices exist, ranging in size from a piece of jewelry to a tractor. These devices all have one thing in common: they connect to the internet. While this connection offers tremendous benefits, such as allowing users to monitor their homes or check the contents of their refrigerators remotely, it also presents a significant risk. For hackers, each IoT device represents a potential recruit for their bot armies.

A recent attack against a major DNS provider shed light on this vulnerability. Botnets containing tens or hundreds of thousands of hijacked IoT devices have the potential to bring down significant sections of the internet. Over the coming months, we’ll likely discover just how formidable a threat these devices pose. For now, let’s dig into the key aspects of recent IoT DDoS attacks.

5 Key Points to Understand

The proliferation of Internet of Things (IoT) devices has ushered in a new era of digital convenience, but it has also opened the floodgates to a range of cybersecurity concerns. To navigate the complexities of this digital landscape, it’s essential to grasp five key points:

1. Insecure IoT devices pose new risks to everyone

Each device that can be hacked is a potential soldier for a botnet army, which could be used to disrupt essential parts of the internet. Such attacks can interfere with your favorite sites for streaming, socializing, shopping, healthcare, education, banking, and more. They have the potential to undermine the very foundations of our digital society. This underscores the need for proactive measures to protect our digital way of life and ensure the continued availability of essential services that have become integral to modern living. 

→Dig Deeper: How Valuable Is Your Health Care Data?

2. IoT devices are coveted by hackers

Hackers will fight to retain control over them. Though the malware used in the Mirai botnets is simple, it will evolve as quickly as necessary to allow attackers to maintain control. IoT devices are significantly valuable to hackers as they can enact devastating DDoS attacks with minimal effort. As we embrace the convenience of IoT, we must also grapple with the responsibility of securing these devices to maintain the integrity and resilience of our increasingly digitized way of life.

3. DDoS Attacks from IoT Devices Are Intense and Difficult to Defend Against

Identifying and mitigating attacks from a handful of systems is manageable. However, when tens or hundreds of thousands of devices are involved, it becomes nearly impossible. The resources required to defend against such an attack are immense and expensive. For instance, a recent attack that aimed to incapacitate Brian Krebs’ security-reporting site led to Akamai’s Vice President of Web Security stating that if such attacks were sustained, they could easily cost millions in cybersecurity services to keep the site available. Attackers are unlikely to give up these always-connected devices that are ideal for forming powerful DDoS botnets.

There’s been speculation that nation-states are behind some of these attacks, but this is highly unlikely. The authors of Mirai, a prominent botnet, willingly released their code to the public, something a governmental organization would almost certainly not do. However, it’s plausible that after observing the power of IoT botnets, nation-states are developing similar strategies—ones with even more advanced capabilities. In the short term, however, cybercriminals and hacktivists will continue to be the primary drivers of these attacks.

→ Dig Deeper: Mirai Botnet Creates Army of IoT Orcs

4. Cybercriminals and Hacktivists Are the Main Perpetrators

In the coming months, it’s expected that criminals will discover ways to profit from these attacks, such as through extortion. The authors of Mirai voluntarily released their code to the public—an action unlikely from a government-backed team. However, the effectiveness of IoT botnets hasn’t gone unnoticed, and it’s a good bet that nation-states are already working on similar strategies but with significantly more advanced capabilities.

Over time, expect cybercriminals and hacktivists to remain the main culprits behind these attacks. In the immediate future, these groups will continue to exploit insecure IoT devices to enact devastating DDoS attacks, constantly evolving their methods to stay ahead of defenses.

→ Dig Deeper: Hacktivists Turn to Phishing to Fund Their Causes

5. It Will Likely Get Worse Before It Gets Better

Unfortunately, the majority of IoT devices lack robust security defenses. The devices currently being targeted are the most vulnerable, many of which have default passwords easily accessible online. Unless the owner changes the default password, hackers can quickly and easily gain control of these devices. With each device they compromise, they gain another soldier for their botnet.

To improve this situation, several factors must be addressed. Devices must be designed with security at the forefront; they must be configured correctly and continuously managed to keep their security up-to-date. This will require both technical advancements and behavioral changes to stay in line with the evolving tactics of hackers.

McAfee Pro Tip: Software updates not only enhance security but also bring new features, better compatibility, stability improvements, and feature removal. While frequent update reminders can be bothersome, they ultimately enhance the user experience, ensuring you make the most of your technology. Know more about the importance of software updates.

Final Thoughts

Securing IoT devices is now a critical issue for everyone. The sheer number of IoT devices, combined with their vulnerability, provides cybercriminals and hacktivists with a vast pool of resources to fuel potent DDoS campaigns. We are just beginning to observe the attacks and issues surrounding IoT security. Until the implementation of comprehensive controls and responsible behaviors becomes commonplace, we will continue to face these challenges. By understanding these issues, we take the first steps toward a more secure future.

Take more steps with McAfee to secure your digital future. Explore our security solutions or read our cybersecurity blogs and reports.

The post Top 5 Things to Know About Recent IoT Attacks appeared first on McAfee Blog.

Authored by Dexter Shin

Most people have smartphones these days which can be used to easily search for various topics of interest on the Internet. These topics could be about enhancing their privacy, staying fit with activities like Pilates or yoga, or even finding new people to talk to. So, companies create mobile applications to make it more convenient for users and advertise these apps on their websites. But is it safe to download these advertised applications through website searches?

McAfee Mobile Research Team recently observed a malicious Android and iOS information stealer application delivered via phishing sites. This malware became active in early October and has been observed installed on more than 200 devices, according to McAfee’s telemetry. All of these devices are located in South Korea. Considering that all the distribution phishing sites are active at the time of writing this blog post, it is expected that the number of affected devices will continue to increase.

The malware author selects a service that people might find interesting and attracts victims by disguising their service. They also create phishing sites that use the resources of legitimate sites, making them appear identical and tricking users into thinking that they are the official website of the application they want to install. The phishing site also provides Android and iOS versions of the malicious application. When users eventually download and run the app through this phishing site, their contact information and SMS messages are sent to the malware author. McAfee Mobile Security detects this threat as Android/SpyAgent. For more information, visit McAfee Mobile Security.

How to distribute
We recently introduced SpyNote through a phishing campaign targeting Japan. After we found this malware and confirmed that it was targeting South Korea, we suspected it was also distributed through a phishing campaign. So we researched several communities in Korea. One of them, called Arca Live, we were able to confirm their exact distribution method.

They initially approach victims via SMS message. At this stage, the scammers pretend to be women and send seductive messages with photos. After a bit of conversation, they try to move the stage to LINE messenger. After moving to LINE Messenger, the scammer becomes more aggressive. They send victims a link to make a video call and said that it should only be done using an app that prevents capture. That link is a phishing site where malicious apps will be downloaded.

Figure 1. Distribute phishing sites from LINE messenger after moving from SMS (Red text: Scammer, Blue text: Victim)

What do phishing sites do

One of the phishing sites disguises as Camtalk, a legitimate social networking app available on the Google Play Store and Apple App Store, to trick users into downloading malicious Android and iOS applications from remote servers. It uses the same text, layout, and buttons as the legitimate Camtalk website, but instead of redirecting users to the official app store, it forces them to download the malicious application directly:

Figure 2. Comparison of legitimate site (Left) and phishing site (Right)

In addition to pretending to be a social networking app, malware authors behind this campaign also use other different themes in their phishing sites. For example, the app in first picture below offers cloud-based storage for photos and expanded functions than a default album app such as the ability to protect desired albums by setting a password. And the apps in the second and third pictures are yoga and fitness, enticing users with topics that can be easily searched nearby. The important point is normally these types of apps do not require permission to access SMS and contacts.

Figure 3.Many phishing sites in various fields

All phishing sites we found are hosted on the same IP address and they encourage users to download the app by clicking on the Google Play icon or the App Store icon.

Figure 4. Flow for downloading malicious app files

When users click the store button for their devices, their devices begin downloading the type of file (Android APK or iOS IPA) appropriate for each device from a remote server rather than the official app store. And then devices ask users to install it.

Figure 5. The process of app installation on Android

Figure 6. The process of app installation on iOS

How to sign iOS malware

iOS has more restrictive policies regarding sideloading compared to Android. On iOS devices, if an app is not signed with a legitimate developer’s signature or certificate, it must be manually allowed. This applies when attempting to install apps on iOS devices from sources other than the official app store. So, additional steps are required for an app to be installed.

Figure 7. Need to verify developer certificate on iOS

However, this iOS malware attempts to bypass this process using unique methods. Some iPhone users want to download apps through 3rd party stores rather than Apple App Store. There are many types of stores and tools on the Internet, but one of them is called Scarlet. The store shares enterprise certificates, making it easy for developers or crackers who want to use the store to share their apps with users. In other words, since users have already set the certificate to ‘Trust’ when installing the app called Scarlet, other apps using the same certificate installed afterward will be automatically verified.

Figure 8. App automatically verified after installation of 3rd party store

Their enterprise certificates can be easily downloaded by general users as well.

Figure 9. Enterprise certificate shared via messenger

The iOS malware is using these certificates. So, for devices that already have the certificate trusted using Scarlet, no additional steps are required to execute this malware. Once installed, the app can be run at any time.

Figure 10. Automatic verification and executable app

What do they want

These apps all have the same code, just the application name and icon are different. In case of Android, they require permissions to read your contacts and SMS.

Figure 11. Malicious app required sensitive permissions (Android)

In getDeviceInfo() function, android_id and the victim device’s phone number are sent to the C2 server for the purpose of identifying each device. Subsequently, in the following function, all user’s contact information and SMS messages are sent to the C2 server.

Figure 12. Sensitive data stolen by malware (Android)

And in case of iOS, they only require permission to read your contacts. And it requires the user to input their phone number to enter the chat room. Of course, this is done to identify the victim on the C2 server.

Figure 13. Malicious app required sensitive permissions (iOS)

Similarly to Android, there is code within iOS that collects contact information and the data is sent to the C2 server.

Figure 14. Sensitive data stolen by malware (iOS)

Conclusion
The focus of this ongoing campaign is targeting South Korea and there are 10 phishing sites discovered so far. This campaign can potentially be used for other malicious purposes since it steals the victim’s phone number, associated contacts, and SMS messages. So, users should consider all potential threats related to this, as the data targeted by the malware author is clear, and changes can be made to the known aspects so far.

Users should remain cautious, even if they believe they are on an official website. If the app installation does not occur through Google Play Store or Apple App Store, suspicion is warranted. Furthermore, users should always verify when the app requests permissions that seem unrelated to its intended purpose. Because it is difficult for users to actively deal with all these threats, we strongly recommend that users should install security software on their devices and always keep up to date. By using McAfee Mobile Security products, users can further safeguard their devices and mitigate the risks linked with these kinds of malware, providing a safer and more secure experience.

Indicators of Compromise (IOCs)

Indicators	Indicator Type	Description
hxxps://jinyoga[.]shop/	URL	Phishing site
hxxps://mysecret-album[.]com/	URL	Phishing site
hxxps://pilatesyoaa[.]com/	URL	Phishing site
hxxps://sweetchat19[.]com/	URL	Phishing site
hxxps://sweetchat23[.]com/	URL	Phishing site
hxxps://telegraming[.]pro/	URL	Phishing site
hxxps://dl.yoga-jin[.]com/	URL	Phishing site
hxxps://aromyoga[.]com/	URL	Phishing site
hxxps://swim-talk[.]com/	URL	Phishing site
hxxps://spykorea[.]shop/	URL	Phishing site
hxxps://api.sweetchat23[.]com/	URL	C2 server
hxxps://somaonvip[.]com/	URL	C2 server
ed0166fad985d252ae9c92377d6a85025e9b49cafdc06d652107e55dd137f3b2	SHA256	Android APK
2b62d3c5f552d32265aa4fb87392292474a1c3cd7f7c10fa24fb5d486f9f7665	SHA256	Android APK
4bc1b594f4e6702088cbfd035c4331a52ff22b48295a1dd130b0c0a6d41636c9	SHA256	Android APK
bb614273d75b1709e62ce764d026c287aad1fdb1b5c35d18b45324c32e666e19	SHA256	Android APK
97856de8b869999bf7a2d08910721b3508294521bc5766a9dd28d91f479eeb2e	SHA256	iOS IPA
fcad6f5c29913c6ab84b0bc48c98a0b91a199ba29cbfc5becced105bb9acefd6	SHA256	iOS IPA
04721303e090160c92625c7f2504115559a124c6deb358f30ae1f43499b6ba3b	SHA256	iOS Mach-O Binary
5ccd397ee38db0f7013c52f68a4f7d6a279e95bb611c71e3e2bd9b769c5a700c	SHA256	iOS Mach-O Binary

 

The post Fake Android and iOS apps steal SMS and contacts in South Korea appeared first on McAfee Blog.

Authored by Dexter Shin 

Minecraft is a popular video game that can be played on a desktop or mobile. This is a sandbox game developed by Mojang Studios. Players create and break apart various kinds of blocks in 3-dimensional worlds and they can select to enjoy Survivor Mode to survive in the wild or Creative Mode to focus on being creative. 

Minecraft’s popularity has led to many attempts to recreate similar games. As a result, there are so many games with the same concept as Minecraft worldwide. Even on Google Play, we can easily search for similar games. McAfee Mobile Research Team recently discovered 38 games with hidden advertising. These HiddenAds applications discovered on the Google Play Store and installed by at least 35 million users worldwide, have been found to send packets stealthily for advertising revenue in bulk.  

McAfee, a member of the App Defense Alliance, focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. reported the discovered apps to Google, which took prompt action and the apps are no longer available on Google Play. Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices, and McAfee Mobile Security detects this threat as Android/HiddenAds.BJL. For more information, and to get fully protected, visit McAfee Mobile Security. 

How is it distributed to users? 

They were officially uploaded to Google Play under various titles and package names. Many games have already been downloaded by users, including apps with 10M+ downloads. 

Figure 1. 10M+ downloaded app being one of them 

Also, because they can play the game, users can’t notice the large amount of advertising packets being generated on their devices. 

Figure 2. Game screen that can be played 

What does it do?

After the game is running, the user can play without any problems in the block-based world, only like Minecraft-type games. However, advertisement packets of various domains continuously occur on the device. For example, the four packets shown in the picture are questionable packets generated by the ads libraries of Unity, Supersonic, Google, and AppLovin. Unfortunately, nothing is displayed on the game screen. 

Figure 3. Continuous advertising packets 

What’s even more interesting is the initial network packets of these games. The structure of the initial packet is very similar. All domains are different. But using 3.txt as the path is equivalent. That is, packets in the form of https://(random).netlify.app/3.txt commonly occur first. The picture below is an example of the first packet extracted from three different apps. 

Figure 4. Similarity of the initial packet form 

Users affected worldwide 

This threat has been detected in various countries around the world. Indicated by our telemetry, the threat has been most prominently detected in the United States, Canada, South Korea, and Brazil.

 

Figure 5. Users around the world who are widely affected 

 

As we featured in the McAfee 2023 Consumer Mobile Threat Report, one of the most accessible content for young people using mobile devices is games. Malware authors are also aware of this and try to hide their malicious features inside games. Not only is it difficult for general users to find these hidden features, but they can easily trust games from official stores such as Google Play. 

 

We first recommend that users thoroughly review user reviews before downloading applications from the store. And users should install security software on their devices and always keep up to date. 

 

Indicators of Compromise 

 

Package Name	Application Name	SHA256	GooglePlay  Downloads
com.good.robo.game.builder.craft.block	Block Box Master Diamond	300343e701afddbf32bca62916fd717f2af6e8a98fd78cc50d11f1154971d857	10M+
com.craft.world.fairy.fun.everyday.block	Craft Sword Mini Fun	72fa914ad3460f9e696ca2264fc899cad20b06b640a7adf8cfe87dd0ea19e137	5M+
com.skyland.pet.realm.block.rain.craft	Block Box Skyland Sword	d15713467be2f60b2bc548ddb24f202eb64f2aed3fb8801daec14e708f5cee5b	5M+
com.skyland.fun.block.game.monster.craft	Craft Monster Crazy Sword	cadbc904e77feaaf4294d218808f43d50809a87202292e78b0e6a3e164de6851	5M+
com.monster.craft.block.fun.robo.fairy	Block Pro Forrest Diamond	08429992bef8259e3011af36ad9d3c2a61b8df384860fd2a007a32a1e4d634af	1M+
com.cliffs.realm.block.craft.rain.vip	Block Game Skyland Forrest	34ef407f2bedfd8485f6a178f14ee023d395cb9b76ff1754e8733c1fc9ce01fb	1M+
com.block.builder.build.clever.craft.boy	Block Rainbow Sword Dragon	23aa3cc9481591b524a442fa8df485226e21da9d960dc5792af4ae2a096593d5	1M+
com.fun.skyland.craft.block.monster.loki	Craft Rainbow Mini Builder	88fa7de264c5880e65b926df4f75ac6a2900e3718d9d3576207614e20f674068	1M+
com.skyland.craft.caves.game.monster.block	Block Forrest Tree Crazy	010c081e5fda58d6508980528efb4f75e572d564ca9b5273db58193c59987abf	1M+
com.box.block.craft.builder.cliffs.build	Craft Clever Monster Castle	11c5e2124e47380d5a4033c08b2a137612a838bc46f720fba2a8fe75d0cf4224	500K+
com.block.sun.game.box.build.craft	Block Monster Diamond Dragon	19ad0dc40772d29f7f39b3a185abe50d0917cacf5f7bdc577839b541f61f7ac0	500K+
com.builder.craft.diamond.block.clever.robo	Craft World Fun Robo	746e2f552fda2e2e9966fecf6735ebd5a104296cde7208754e9b80236d13e853	500K+
com.block.master.boy.craft.cliffs.diamond	Block Pixelart Tree Pro	25b22e14f0bb79fc6b9994faec984501d0a2bf5573835d411eb8a721a8c2e397	500K+
com.fun.block.everyday.boy.robo.craft	Craft Mini Lucky Fun	9fdddf4a77909fd1d302c8f39912a41483634db66d30f89f75b19739eb8471ff	500K+
com.builder.craft.block.sun.game.mini	Block Earth Skyland World	b9284db049c0b641a6b760e7716eb3561e1b6b1f11df8048e9736eb286c2beed	500K+
com.dragon.craft.world.pixelart.block.vip	Block Rainbow Monster Castle	d6984e08465f08e9e39a0cad8da4c1e405b3aa414608a6d0eaa5409e7ed8eac1	500K+
com.craft.vip.earth.everyday.block.game	Block Fun Rainbow Builder	f3077681623d9ce32dc6a9cbf5d6ab7041297bf2a07c02ee327c730e41927c5f	500K+
com.block.good.mini.craft.box.best	Craft Dragon Diamond Robo	e685fb5a426fe587c3302bbd249f8aa9e152c1de9b170133dfb492ed5552acc9	500K+
com.lucky.robo.craft.loki.block.good	Block World Tree Monster	06c3ba10604c38006fd34406edd47373074d57c237c880a19fb8d3f34572417d	100K+
com.caves.robo.craft.dragon.block.earth	Block Diamond Boy Pro	122406962c303eaeb9839d767835a82ae9d745988deeef4c554e1750a5106cf0	100K+
com.tree.world.city.block.craft.crazy	Block Lucky Master Earth	e69fe06cb77626be76f2c92ad4229f6eb04c06c73e153d5424386a1309adbd15	100K+
com.game.skyland.craft.monster.block.best	Craft Forrest Mini Fun	e5fc2e6e3749cb4787a8bc5387ebb7802a2d3f9b408e4d2d07ee800056bb3e16	100K+
com.everyday.vip.caves.house.block.craft	Craft Sword City Pro	318165fd8d77a63ca221f5d3ee163e6f2d6df1f2df5c169aca6aca23aef2cf25	100K+
com.cell.rain.block.craft.loki.fairy	Block Loki Monster Builder	4f22be2ce64376f046ca180bd9933edcd62fd36f4a7abc39edf194f7170e2534	100K+
com.block.good.sun.boy.craft.fun	Block Boy Earth Mini	3b0cf56fb5929d23415259b718af15118c44cf918324cc62c1134bf9bc0f2a00	100K+
com.fairy.builder.sun.skyland.craft.block	Block Crazy Builder City	537638903f31e32612bddc79a483cb2c7546966cca64c5becec91d6fc4835e22	100K+
com.monster.house.good.block.earth.craft	Craft Sword Vip Pixelart	5f85f020eb8afc768e56167a6d1b75b6d416ecb1ec335d4c1edb6de8f93a3cad	100K+
com.block.best.boy.craft.sword.cell	Block City Fun Diamond	698544a913cfa5df0b2bb5d818cc0394c653c9884502a84b9dec979f8850b1e7	100K+
com.crazy.clever.city.block.caves.craft	Craft City Loki Rainbow	ba50dc2d2aeef9220ab5ff8699827bf68bc06caeef1d24cb8d02d00025fcb41c	100K+
com.cliffs.builder.craft.block.lucky.earth	Craft Boy Clever Sun	77962047b32a44c472b89d9641d7783a3e72c156b60eaaec74df725ffdc4671b	100K+
com.lucky.best.block.game.diamond.craft	Block City Dragon Sun	ac3d0b79903b1e63b449b64276075b337b002bb9a9a9636a47fdd1fb7a0fe368	100K+
com.build.craft.boy.loki.master.block	Craft Loki Forrest Monster	a2db1eba73d911142134ee127897d5857c521135a8ee768ae172ae2d2ee7b1d4	100K+
com.build.lokicrafts.master.forest	Lokicraft: Forrest Survival 3D	0f53996f5e3ec593ed09e55baf1f93d32d891f7d7e58a9bf19594b235d3a8a84	50K+
com.sun.realm.craft.lucky.dragon.block	Craft Castle Sun Rain	1e74e73bc29ce1f55740e52250506447b431eb8a4c20dfc75fd118b05ca18674	50K+
com.block.craft.vip.sun.game.box	Craft Game Earth World	7483b6a493c0f4f6309e21cc553f112da191b882f96a87bce8d0f54328ac7525	50K+
com.rain.crazy.lucky.pro.block.craft	Craft Lucky Castle Builder	de5eb8284ed56e91e665d13be459b9a0708fa96549a57e81aa7c11388ebfa535	50K+
com.JavaKidz.attacksnake	Craftsman: Building City 2022	e19fcc55ec4729d52dc0f732da02dc5830a2f78ec2b1f37969ee3c7fe16ddb37	50K+
com.skyland.house.block.craft.crazy.vip	Craft Rainbow Pro Rain	a7675a08a0b960f042a02710def8dd445d9109ca9da795aed8e69a79e014b46f	50K+

 

The post HiddenAds Spread via Android Gaming Apps on Google Play appeared first on McAfee Blog.

Authored by Dexter Shin 

McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year. By design, Android requires that all applications must be signed with a key, in other words a keystore, so they can be installed or updated. Because this key can only be used by the developer who created it, an application signed with the same key is assumed to belong to the same developer. That is the case of this Android banking trojan that uses this legitimate signing key to bypass signature-based detection techniques. And these banking trojans weren’t distributed on Google Play or official app stores until now. This threat had been disclosed to the company that owns the legitimate key last year and the company has taken precautions. The company has confirmed that they have replaced the signing key and currently, all their legitimate apps are signed with a new signing key. 

Android malware using a legitimate signing key 

While tracking the Android banking trojan Fakecalls we found a sample using the same signing key as a well–known app in Korea. This app is developed by a reputable IT services company with extensive businesses across various sectors, including but not limited to IT, gaming, payment, and advertising. We confirmed that most of the malicious samples using this key pretend to be a banking app as they use the same icon as the real banking apps. 

Figure 1. Malware and legitimate app on Google Play 

Distribution method and latest status 

Domains verified last August when we first discovered the samples are now down. However, we investigated URLs related to this malware and we found similar ones related to this threat. Among them, we identified a phishing site that is still alive during our research. The site is also disguised as a banking site. 

Figure 2. A phishing page disguised as a Korean banking site 

We also found that they updated the domain information of this web page a few days before our investigation. 

So we took a deeper look into this domain and we found additional unusual IP addresses that led us to the Command and control(C2) server admin pages used by the cybercriminals to control the infected devices. 

 

Figure 3. Fakecalls Command and control(C2) admin pages 

How does it work 

When we check the APK file structure, we can see that this malware uses a packer to avoid analysis and detection. The malicious code is encrypted in one of the files below. 

Figure 4. Tencent’s Legu Packer libraries 

After decrypting the DEX file, we found some unusual functionality. The code below gets the Android package information from a file with a HTML extension. 

 Figure 5. Questionable code in the decrypted DEX file 

This file is in fact another APK (Android Application) rather than a traditional HTML file designed to be displayed in a web browser. 

Figure 6. APK file disguised as an HTML file 

When the user launches the malware, it immediately asks for permission to install another app. Then it tries to install an application stored in the “assets” directory as “introduction.html”. The “introduction.html” is an APK file and real malicious behavior happens here. 

Figure 7. Dropper asks you to install the main payload 

When the dropped payload is about to be installed, it asks for several permissions to access sensitive personal information. 

Figure 8. Permissions required by the main malicious application 

It also registers several services and receivers to control notifications from the device and to receive commands from a remote Command and Control server. 

 Figure 9. Services and receivers registered by the main payload

By contrast, the malware uses a legitimate push SDK to receive commands from a remote server. Here are the complete list of commands and their purpose. 

 

Command name	Purpose
note	sms message upload
incoming_transfer	caller number upload
del_phone_record	delete call log
zhuanyi	set call forwarding with parameter
clear_note	delete sms message
assign_zhuanyi	set call forwarding
file	file upload
lanjie	block sms message from specified numbers
allfiles	find all possible files and upload them
email_send	send email
record_telephone	call recording on
inout	re-mapping on C2 server
blacklist	register as blacklist
listener_num	no function
no_listener_num	disable monitoring a specific number
rebuild	reset and reconnect with C2
deleteFile	delete file
num_address_list	contacts upload
addContact	add contacts
all_address_list	call record upload
deleteContact	delete contacts
note_intercept	intercept sms message from specified numbers
intercept_all_phone	intercept sms message from all
clear_date	delete all file
clear_phone_contact	delete all contacts
clear_phone_record	delete all call log
per_note	quick sms message upload
soft_name	app name upload

 

Cybercriminals are constantly evolving and using new ways to bypass security checks, such as abusing legitimate signing keys. Fortunately, there was no damage to users due to this signing key leak. However, we recommend that users install security software on their devices to respond to these threats. Also, users are recommended to download and use apps from the official app stores. 

McAfee Mobile Security detects this threat as Android/Banker regardless of the application, is signed with the previously legitimate signing key. 

 

Indicators of Compromise 

 

SHA256	Name	Type
7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8	신한신청서	Dropper
9e7c9b04afe839d1b7d7959ad0092524fd4c6b67d1b6e5c2cb07bb67b8465eda	신한신청서	Dropper
21ec124012faad074ee1881236c6cde7691e3932276af9d59259df707c68f9dc	신한신청서	Dropper
9621d951c8115e1cc4cf7bd1838b8e659c7dea5d338a80e29ca52a8a58812579	신한신청서	Dropper
60f5deb79791d2e8c2799e9af52adca5df66d1304310d1f185cec9163deb37a2	보안인증서	Banker
756cffef2dc660a241ed0f52c07134b7ea7419402a89d700dffee4cc6e9d5bb6	보안인증서	Banker
6634fdaa22db46a6f231c827106485b8572d066498fc0c39bf8e9beb22c028f6	보안인증서	Banker
52021a13e2cd7bead4f338c8342cc933010478a18dfa4275bf999d2bc777dc6b	보안인증서	Banker
125772aac026d7783b50a2a7e17e65b9256db5c8585324d34b2e066b13fc9e12	보안인증서	Banker
a320c0815e09138541e9a03c030f30214c4ebaa9106b25d3a20177b5c0ef38b3	보안인증서	Banker
c7f32890d6d8c3402601743655f4ac2f7390351046f6d454387c874f5c6fe31f	보안인증서	Banker
dbc7a29f6e1e91780916be66c5bdaa609371b026d2a8f9a640563b4a47ceaf92	보안인증서	Banker
e6c74ef62c0e267d1990d8b4d0a620a7d090bfb38545cc966b5ef5fc8731bc24	보안인증서	Banker

 

Domains: 

• http[://]o20-app.dark-app.net 
• http[://]o20.orange-app.today 
• http[://]orange20.orange-app.today 

The post Fakecalls Android Malware Abuses Legitimate Signing Key appeared first on McAfee Blog.

Authored by SangRyol Ryu

McAfee’s Mobile Research Team discovered a software library we’ve named Goldoson, which collects lists of applications installed, and a history of Wi-Fi and Bluetooth devices information, including nearby GPS locations. Moreover, the library is armed with the functionality to perform ad fraud by clicking advertisements in the background without the user’s consent. The research team has found more than 60 applications containing this third-party malicious library, with more than 100 million downloads confirmed in the ONE store and Google Play app download markets in South Korea. While the malicious library was made by someone else, not the app developers, the risk to installers of the apps remains. 

McAfee Mobile Security detects this threat as Android/Goldoson and protects customers from this and many other mobile threats. McAfee is a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the discovered apps to Google, which took prompt action. Google has reportedly notified the developers that their apps are in violation of Google Play policies and fixes are needed to reach compliance. Some apps were removed from Google Play while others were updated by the official developers. Users are encouraged to update the apps to the latest version to remove the identified threat from their devices. 

Top 9 applications previously infected by Goldoson on Google Play

How does it affect users? 

The Goldoson library registers the device and gets remote configurations at the same time the app runs. The library name and the remote server domain varies with each application, and it is obfuscated. The name Goldoson is after the first found domain name. 

Remote configuration contains the parameters for each of functionalities and it specifies how often it runs the components. Based on the parameters, the library periodically checks, pulls device information, and sends them to the remote servers. The tags such as ‘ads_enable’ or ‘collect_enable’ indicates each functionality to work or not while other parameters define conditions and availability. 

A response of remote configuration

The library includes the ability to load web pages without user awareness. The functionality may be abused to load ads for financial profit. Technically, the library loads HTML code and injects it into a customized and hidden WebView and it produces hidden traffic by visiting the URLs recursively. 

Collected data is sent out periodically every two days but the cycle is subject to change by the remote configuration. The information contains some sensitive data including the list of installed applications, location history, MAC address of Bluetooth and Wi-Fi nearby, and more. This may allow individuals to be identified when the data is combined. The following tables show the data observed on our test device. 

Google Play considers the list of installed apps to be personal and sensitive user data and requires a special permission declaration to get it. Users with Android 11 and above are more protected against apps attempting to gather all installed apps. However, even with the recent version of Android, we found that around 10% of the apps with Goldoson have the permission “QUERY_ALL_PACKAGES” that allows them to access app information. 

Likewise, with Android 6.0 or higher, users may be asked for permissions such as Location, Storage, or Camera at runtime. If user allows the location permission, the app can access not only GPS data but also Wi-Fi and Bluetooth device information nearby. Based on BSSID (Basic Service Set Identifier) and RSSI (Received Signal Strength Indicator), the application can determine the location of the device more accurately than GPS, especially indoors. 

A demo of runtime permission request

Where do the apps come from?

The infected applications come from various Android application stores. More than 100 million downloads have been tracked through Google Play. After that, ONE store, Korea’s leading app store, follows with about 8 million installations. 

Conclusion

As applications continue to scale in size and leverage additional external libraries, it is important to understand their behavior. App developers should be upfront about libraries used and take precautions to protect users’ information. McAfee Mobile Security products can also help detect threats and protect you from not only malware but also unwanted programs. For more information, visit our McAfee Mobile Security. 

Identified Apps and Goldoson Domains

Domains

• bhuroid.com
• enestcon.com
• htyyed.com
• discess.net
• gadlito.com
• gerfane.com
• visceun.com
• onanico.net
• methinno.net
• goldoson.net
• dalefs.com
• openwor.com
• thervide.net
• soildonutkiel.com
• treffaas.com
• sorrowdeepkold.com
• hjorsjopa.com
• dggerys.com
• ridinra.com
• necktro.com
• fuerob.com
• phyerh.net
• ojiskorp.net
• rouperdo.net
• tiffyre.net
• superdonaldkood.com
• soridok2kpop.com

List of Apps and Current Status

Package Name	Application Name	GooglePlay Downloads	GP Status
com.lottemembers.android	L.POINT with L.PAY	10M+	Updated*
com.Monthly23.SwipeBrickBreaker	Swipe Brick Breaker	10M+	Removed**
com.realbyteapps.moneymanagerfree	Money Manager Expense & Budget	10M+	Updated*
com.skt.tmap.ku	TMAP – 대리,주차,전기차 충전,킥보 …	10M+	Updated*
kr.co.lottecinema.lcm	롯데시네마	10M+	Updated*
com.ktmusic.geniemusic	지니뮤직 – genie	10M+	Updated*
com.cultureland.ver2	컬쳐랜드[컬쳐캐쉬]	5M+	Updated*
com.gretech.gomplayerko	GOM Player	5M+	Updated*
com.megabox.mop	메가박스(Megabox)	5M+	Removed**
kr.co.psynet	LIVE Score, Real-Time Score	5M+	Updated*
sixclk.newpiki	Pikicast	5M+	Removed**
com.appsnine.compass	Compass 9: Smart Compass	1M+	Removed**
com.gomtv.gomaudio	GOM Audio – Music, Sync lyrics	1M+	Updated*
com.gretech.gomtv	곰TV – All About Video	1M+	Updated*
com.guninnuri.guninday	전역일 계산기 디데이 곰신톡–군인 …	1M+	Updated*
com.itemmania.imiapp	아이템매니아 – 게임 아이템 거래 …	1M+	Removed**
com.lotteworld.android.lottemagicpass	LOTTE WORLD Magicpass	1M+	Updated*
com.Monthly23.BounceBrickBreaker	Bounce Brick Breaker	1M+	Removed**
com.Monthly23.InfiniteSlice	Infinite Slice	1M+	Removed**
com.pump.noraebang	나홀로 노래방–쉽게 찾아 이용하는 …	1M+	Updated*
com.somcloud.somnote	SomNote – Beautiful note app	1M+	Removed**
com.whitecrow.metroid	Korea Subway Info : Metroid	1M+	Updated*
kr.co.GoodTVBible	GOODTV다번역성경찬송	1M+	Removed**
kr.co.happymobile.happyscreen	해피스크린 – 해피포인트를 모으 …	1M+	Updated*
kr.co.rinasoft.howuse	UBhind: Mobile Tracker Manager	1M+	Removed**
mafu.driving.free	스피드 운전면허 필기시험 …	1M+	Removed**
com.wtwoo.girlsinger.worldcup	이상형 월드컵	500K+	Updated*
kr.ac.fspmobile.cu	CU편의점택배	500K+	Removed**
com.appsnine.audiorecorder	스마트 녹음기 : 음성 녹음기	100K+	Removed**
com.camera.catmera	캣메라 [순정 무음카메라]	100K+	Removed**
com.cultureland.plus	컬쳐플러스:컬쳐랜드 혜택 더하기 …	100K+	Updated*
com.dkworks.simple_air	창문닫아요(미세/초미세먼지/WHO …	100K+	Removed**
com.lotteworld.ticket.seoulsky	롯데월드타워 서울스카이	100K+	Updated*
com.Monthly23.LevelUpSnakeBall	Snake Ball Lover	100K+	Removed**
com.nmp.playgeto	게토(geto) – PC방 게이머 필수 앱	100K+	Removed**
com.note.app.memorymemo	기억메모 – 심플해서 더 좋은 메모장	100K+	Removed**
com.player.pb.stream	풀빵 : 광고 없는 유튜브 영상 …	100K+	Removed**
com.realbyteapps.moneya	Money Manager (Remove Ads)	100K+	Updated*
com.wishpoke.fanciticon	Inssaticon – Cute Emoticons, K	100K+	Removed**
marifish.elder815.ecloud	클라우드런처	100K+	Updated*
com.dtryx.scinema	작은영화관	50K+	Updated*
com.kcld.ticketoffice	매표소–뮤지컬문화공연 예매& …	50K+	Updated*
com.lotteworld.ticket.aquarium	롯데월드 아쿠아리움	50K+	Updated*
com.lotteworld.ticket.waterpark	롯데 워터파크	50K+	Updated*
com.skt.skaf.l001mtm091	T map for KT, LGU+	50K+	Removed**
org.howcompany.randomnumber	숫자 뽑기	50K+	Updated*
com.aog.loader	로더(Loader) – 효과음 다운로드 앱	10K+	Removed**
com.gomtv.gomaudio.pro	GOM Audio Plus – Music, Sync l	10K+	Updated*
com.NineGames.SwipeBrickBreaker2	Swipe Brick Breaker 2	10K+	Removed**
com.notice.safehome	안심해 – 안심귀가 프로젝트	10K+	Removed**
kr.thepay.chuncheon	불러봄내 – 춘천시민을 위한 공공  …	10K+	Removed**
com.curation.fantaholic	판타홀릭 – 아이돌 SNS 앱	5K+	Removed**
com.dtryx.cinecube	씨네큐브	5K+	Updated*
com.p2e.tia.tnt	TNT	5K+	Removed**
com.health.bestcare	베스트케어–위험한 전자기장, …	1K+	Removed**
com.ninegames.solitaire	InfinitySolitaire	1K+	Removed**
com.notice.newsafe	안심해 : 안심지도	1K+	Removed**
com.notii.cashnote	노티아이 for 소상공인	1K+	Removed**
com.tdi.dataone	TDI News – 최초 데이터 뉴스 앱 …	1K+	Removed**
com.ting.eyesting	눈팅 – 여자들의 커뮤니티	500+	Removed**
com.ting.tingsearch	팅서치 TingSearch	50+	Removed**
com.celeb.tube.krieshachu	츄스틱 : 크리샤츄 Fantastic	50+	Removed**
com.player.yeonhagoogokka	연하구곡	10+	Removed**

* Updated means that the recent application on Google Play does not contain the malicious library. 

** Removed means the application is not available on Google Play as of the time of posting. 

The post Goldoson: Privacy-invasive and Clicker Android Adware found in popular apps in South Korea appeared first on McAfee Blog.

Authored by Dexter Shin 

McAfee’s Mobile Research Team introduced a new Android malware targeting Instagram users who want to increase their followers or likes in the last post. As we researched more about this threat, we found another malware type that uses different technical methods to steal user’s credentials. The target is users who are not satisfied with the default functions provided by Instagram. Various Instagram modification application already exists for those users on the Internet. The new malware we found pretends to be a popular mod app and steals Instagram credentials. 

Behavior analysis 

Instander is one of the famous Instagram modification applications available for Android devices to help Instagram users access extra helpful features. The mod app supports uploading high-quality images and downloading posted photos and videos. 

The initial screens of this malware and Instander are similar, as shown below. 

Figure 1. Instander legitimate app(Left) and Mmalware(Right) 

Next, this malware requests an account (username or email) and password. Finally, this malware displays an error message regardless of whether the login information is correct. 

Figure 2. Malware requests account and password 

The malware steals the user’s username and password in a very unique way. The main trick is to use the Firebase API. First, the user input value is combined with [email protected]. This value and static password(=kamalw20051) are then sent via the Firebase API, createUserWithEmailAndPassword. And next, the password process is the same. After receiving the user’s account and password input, this malware will request it twice. 

Since we cannot see the dashboard of the malware author, we tested it using the same API. As a result, we checked the user input value in plain text on the dashboard. 

According to the Firebase document, createUserWithEmailAndPassword API is to create a new user account associated with the specified email address and password. Because the first parameter is defined as email patterns, the malware author uses the above code to create email patterns regardless of user input values. 

It is an API for creating accounts in the Firebase so that the administrator can check the account name in the Firebase dashboard. The victim’s account and password have been requested as Firebase account name, so it should be seen as plain text without hashing or masking. 

Network traffic 

As an interesting point on the network traffic of the malware, this malware communicates with the Firebase server in Protobuf format in the network. The initial configuration of this Firebase API uses the JSON format. Although the Protobuf format is readable enough, it can be assumed that this malware author intentionally attempts to obfuscate the network traffic through the additional settings. Also, the domain used for data transfer(=www.googleapis.com) is managed by Google. Because it is a domain that is too common and not dangerous, many network filtering and firewall solutions do not detect it. 

Conclusion 

As mentioned, users should always be careful about installing 3rd party apps. Aside from the types of malware we’ve introduced so far, attackers are trying to steal users’ credentials in a variety of ways. Therefore, you should employ security software on your mobile devices and always keep up to date. 

Fortunately, McAfee Mobile Security is able to detect this as Android/InstaStealer and protect you from similar threats. For more information visit  McAfee Mobile Security 

Indicators of Compromise 

SHA256: 

• 238a040fc53ba1f27c77943be88167d23ed502495fd83f501004356efdc22a39 

The post Instagram credentials Stealer: Disguised as Mod App appeared first on McAfee Blog.

Authored by Jyothi Naveen and Kiran Raj

McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents reach victims via mass spam E-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to promptly open them. The purpose of these spam operations is to deliver malicious payloads to as many people as possible.

A recent spam campaign was using malicious word documents to download and execute the Ursnif trojan. Ursnif is a high-risk trojan designed to record various sensitive information. It typically archives this sensitive data and sends it back to a command-and-control server.

This blog describes how attackers use document properties and a few other techniques to download and execute the Ursnif trojan.

Threat Summary

• The initial attack vector is a phishing email with a Microsoft Word document attachment.
• Upon opening the document, VBA executes a malicious shellcode
• Shellcode downloads the remote payload, Ursnif, and invokes rundll32.exe to execute it.

Infection Chain

The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, Word downloads a DLL (Ursnif payload). The Ursnif payload is then executed using rundll32.exe

Word Analysis

Macros are disabled by default and the malware authors are aware of this and hence present an image to entice the victims into enabling them.

VBA Macro Analysis of Word Document

Analyzing the sample statically with ‘oleId’ and ‘olevba’ indicates the suspicious vectors..

The VBA Macro is compatible with x32 and x64 architectures and is highly obfuscated as seen in Figure-5

To get a better understanding of the functionality, we have de-obfuscated the contents in the 2 figures shown below.

An interesting characteristic of this sample is that some of the strings like CLSID, URL for downloading Ursnif, and environment variables names are stored in custom document properties in reverse. As shown in Figure-7, VBA function “ActiveDocument.CustomDocumentProperties()” is used to retrieve the properties and uses “StrReverse” to reverse the contents. 

We can see the document properties in Figure-8  

Payload Download and Execution: 

The malicious macro retrieves hidden shellcode from a custom property named “Company” using the “cdec” function that converts the shellcode from string to decimal/hex value and executes it. The shellcode is shown below. 

The shellcode is written to memory and the access protection is changed to PAGE_EXECUTE_READWRITE. 

After adding the shellcode in memory, the environment variable containing the malicious URL of Ursnif payload is created. This Environment variable will be later used by the shellcode. 

The shellcode is executed with the use of the SetTimer API. SetTimer creates a timer with the specified time-out value mentioned and notifies a function when the time is elapsed. The 4th parameter used to call SetTimer is the pointer to the shellcode in memory which will be invoked when the mentioned time is elapsed. 

The shellcode downloads the file from the URL stored in the environmental variable and stores it as ” y9C4A.tmp.dll ” and executes it with rundll32.exe. 

URL	hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/
CMD	rundll32 “C:\Users\user\AppData\Local\Temp\y9C4A.tmp.dll”,DllRegisterServer

After successful execution of the shellcode, the environment variable is removed. 

IOC 

TYPE	VALUE	PRODUCT	DETECTION NAME
Main Word Document	6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f	McAfee LiveSafe and Total Protection	X97M/Downloader.CJG
Downloaded dll	41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547	McAfee LiveSafe and Total Protection	Ursnif-FULJ
URL to download dll	hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/	WebAdvisor	Blocked

MITRE Attack Framework 

Technique ID	Tactic	Technique Details	Description
T1566.001	Initial Access	Spear phishing Attachment	Manual execution by user
T1059.005	Execution	Visual Basic	Malicious VBA macros
T1218.011	Defense Evasion	Signed binary abuse	Rundll32.exe is used
T1027	Defense Evasion	Obfuscation techniques	VBA and powershell base64 executions
T1086	Execution	Powershell execution	PowerShell command abuse

 Conclusion 

Macros are disabled by default in Microsoft Office applications, we suggest keeping it that way unless the document is received from a trusted source. The infection chain discussed in the blog is not limited to Word or Excel. Further threats may use other live-off-the-land tools to download its payloads.  

McAfee customers are protected against the malicious files and sites detailed in this blog with McAfee LiveSafe/Total Protection and McAfee Web Advisor. 

The post Phishing Campaigns featuring Ursnif Trojan on the Rise appeared first on McAfee Blog.