Phishing Attacks Archives - Cyber Security News (https://cybersecuritynews.com/tag/phishing-attacks/), feed dated Mon, 28 Apr 2025 10:08:00 +0000

CRON#TRAP Campaign Attacking Windows Machine With Weaponized Linux VMs
https://cybersecuritynews.com/crontrap-windows-attack/ (Wed, 06 Nov 2024 09:47:55 +0000)

Weaponized Linux virtual machines are Linux VMs packaged for offensive purposes such as penetration testing or exploiting vulnerabilities; these setups typically bundle the tools and frameworks designed for ethical hacking.

Securonix researchers recently detected the CRON#TRAP campaign, which has been attacking Windows machines with weaponized Linux virtual machines.

CRON#TRAP Campaign Attacking Windows Machine

CRON#TRAP is a sophisticated cyber attack campaign that begins with a “phishing email” containing a malicious shortcut (‘.lnk’) file disguised as “OneAmerica Survey.”

OneAmerica Survey.zip (Source – Securonix)

When executed, this file launches a hidden 285MB package that deploys the legitimate virtualization tool QEMU (Quick Emulator), renamed “fontdiag.exe” to avoid detection.


The attack creates a hidden Linux environment running “Tiny Core Linux,” complete with a pre-configured backdoor that establishes a connection to a “C2” server automatically. 

This environment is dubbed “PivotBox” and contains custom command aliases such as “get-host-shell” and “get-host-user” for interacting with the host system, using SSH keys for persistent access.

PivotBox (Source – Securonix)

The threat actors used several tools, including vim, openssh, and 7zip, to manipulate the system, maintaining persistence through a modified “bootlocal.sh” startup script and backing up their configuration via “filetool.sh.”

The primary targets of this campaign are “North America” and “Europe.”

This is concerning because the campaign uses QEMU and operates inside a hidden virtual environment, which makes it extremely difficult for traditional AV solutions to detect.

The malware’s infrastructure includes:-

  • Network testing capabilities.
  • Payload manipulation through a file called ‘crondx.’
  • Data exfiltration channels using free file-sharing services.

This reflects a well-planned, multi-stage attack methodology designed for long-term stealth and system compromise.

The analysis of “crondx” (Chisel) reveals a sophisticated cyber attack component found within the “CRON#TRAP campaign,” where a pre-configured “64-bit ELF” executable serves as a critical backdoor mechanism.

crondx (Source – Securonix)

This ELF executable is located at “/home/tc/crondx” in a Linux “QEMU” instance.

This Golang-compiled binary is mainly engineered to establish covert communication channels with a C2 server at IP address 18.208.230[.]174, using the WebSocket protocol for data transmission.

The attack sequence initiates via a phishing email containing a malicious “ZIP” file with a “.lnk” shortcut that triggers a “PowerShell script” to launch an emulated Linux environment via ‘QEMU.’ 

This effectively helps to evade traditional Windows-based AV detection. The threat actors modified the open-source Chisel tunneling tool, which is legitimately used for TCP/UDP tunneling over HTTP secured with SSH.

They did so by hardcoding the connection parameters directly into the binary instead of requiring command-line configuration, which enhances its stealth.

This customized implementation enables persistent remote access over encrypted channels, allowing the threat actors to deploy additional payloads, execute commands and exfiltrate data while remaining undetected, the Securonix report reads.

The system’s compromise is further supported via various persistence mechanisms like “modified startup scripts” and “SSH key implementations.” 

Here, custom command aliases like ‘get-host-shell’ and ‘get-host-user’ facilitate direct interaction with the host machine within the isolated QEMU environment. 

.ash_history file (Source – Securonix)

The “.ash_history” file documents the activities of the threat actor like “tool installation,” “system reconnaissance,” and “payload deployment.” 

It shows a modular approach to system infiltration that uses legitimate software tools (‘QEMU’ and ‘Chisel’) to maintain persistent access while evading security controls.

Recommendations

Securonix’s recommendations are as follows:-

  • Avoid downloading unsolicited files or attachments.
  • Treat external download links as potential threats.
  • Monitor common malware staging directories, especially for scripts.
  • Watch for legitimate software running from unusual locations.
  • Enable robust endpoint logging for better detection.

Mamba Toolkit Abuses 2FA In Sophisticated Phishing Attack
https://cybersecuritynews.com/mamba-toolkit-mfa-phishing/ (Fri, 11 Oct 2024 08:10:03 +0000)
Phishing attacks are stealthy cyber threats where threat actors impersonate reputable entities to trick individuals into revealing sensitive information (“passwords” or “financial details”). 

These types of attacks are executed via “emails” or “messages” that create a sense of urgency. 

These scams often lead victims to malicious websites or prompt them to download harmful attachments.

Cybersecurity researchers at Sekoia recently found that the “Mamba” toolkit has been actively abusing multi-factor authentication in sophisticated phishing attacks.

Mamba Toolkit Abuses Multi-Factor Authentication

In October 2024, cybersecurity researchers discovered an advanced phishing campaign called “Mamba 2FA.” 

This phishing campaign targets Microsoft 365 users via sophisticated “HTML attachments” that create convincing replicas of “Microsoft login pages.” 


This phishing toolkit employs an AiTM (adversary-in-the-middle) technique and leverages the Socket[.]IO JavaScript library to establish real-time WebSocket connections with backend servers, which enables it to evade traditional MFA protections.

The phishing infrastructure operates as a two-layer system, with URLs following the pattern https://{domain}/{m,n,o}/?{Base64 string}:-

  • Link domains
  • Relay servers

The kit supports four distinct phishing page templates, “OneDrive (o365_#one),” “generic Microsoft sign-in (o365#nom),” “SharePoint Online secure link (o365#sp),” and “voice mail notifications (o365#_voice).” 

It’s available as a PhaaS platform for ‘$250 per 30-day subscription’ via Telegram. With this subscription, customers can generate customized phishing links and HTML attachments via a dedicated bot.

The architecture of the Mamba 2FA phishing kit (Source – Sekoia)

The HTML attachments are particularly sophisticated and contain obfuscated ‘JavaScript code’ that redirects victims to phishing pages while using ‘CSS’ to hide harmless content, which makes the detection more challenging, according to the Sekoia report.

The service maintains a shared pool of servers and domain names that demonstrates its evolution from its initial appearance on “ICQ” in November 2023 to its current sophisticated form that targets “multiple organizations” via its “distributed infrastructure.”

Mamba 2FA phishing platform offers the following capabilities:-

  • Supports non-phishing-resistant MFA.
  • Integrates with Entra ID, AD FS, third-party SSO, and Microsoft accounts.
  • Reflects enterprise custom login branding dynamically.
  • Instantly sends stolen credentials and cookies via Telegram bot.
  • Blocks access from security scanning services.

Link domains are the web addresses used in the phishing operation; they employ an “antibot” detection system to filter out security tools and automated scanners.

When these domains detect potential security solutions, they automatically redirect visitors to a harmless page (“https://google[.]com/404”). 

However, for regular visitors, the system serves a minimal HTML document that includes the critical components: the Socket.IO JavaScript library (version 4.7.5) for real-time bidirectional communication; unique identifiers stored in HTML attributes (the ‘sti’ attribute holding a double Base64-encoded customer ID and the ‘vic’ attribute holding the target’s email address); and template scripts (jsdrive.js for OneDrive, jsnom.js for Microsoft sign-in, jssp.js for SharePoint, and jsv.js for voice mail templates).

These templates manage the phishing page’s appearance and establish WebSocket connections with the relay servers, which process user inputs (email addresses, passwords and MFA codes) through specific event commands (‘new-session’, ‘password_command’, ‘otp_command’).

The system uses response events (‘s2c’, ‘s2c_cookies’, ‘s2c_restart’) to control page behavior and updates while utilizing proxy servers to mask the true origin of authentication attempts against Microsoft’s “Entra ID servers,” which makes the attack infrastructure more “resilient” and “harder” to trace.
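The URL pattern and the attachment markers above are concrete enough to triage on. The following is an added example, not Sekoia’s or the article’s code: it checks a URL for the https://{domain}/{m,n,o}/?{Base64 string} shape and parses an HTML attachment for the Socket.IO loader, the ‘sti’/‘vic’ attributes (decoding the double Base64 customer ID) and the template script. The sample URL, HTML and customer ID are constructed; only the marker names come from the report.

```python
"""Triage helper for the Mamba 2FA link pattern and HTML attachment markers.

Added example, not Sekoia's or the article's code. The URL, HTML and customer
ID below are constructed; only the marker names come from the report.
"""
from __future__ import annotations
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def b64_lenient(s: str) -> bytes | None:
    """Decode a Base64 string, tolerating stripped padding; None if it is not Base64."""
    s = s.strip()
    if not B64_RE.match(s):
        return None
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def matches_link_pattern(url: str) -> bool:
    """True when the URL has the Mamba 2FA shape: https, /m/ /n/ or /o/ path, bare Base64 query."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.path not in ("/m/", "/n/", "/o/"):
        return False
    if not parts.query or "&" in parts.query:   # a single blob, not key=value pairs
        return False
    return b64_lenient(parts.query) is not None


class MambaMarkers(HTMLParser):
    """Collect the attachment markers: Socket.IO script, sti/vic attributes, template script."""

    def __init__(self) -> None:
        super().__init__()
        self.socketio_src: str | None = None
        self.template_scripts: list[str] = []
        self.sti: str | None = None
        self.vic: str | None = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            if "socket.io" in a["src"]:
                self.socketio_src = a["src"]
            elif re.search(r"js(drive|nom|sp|v)\.js$", a["src"]):
                self.template_scripts.append(a["src"])
        if "sti" in a:
            self.sti = a["sti"]
        if "vic" in a:
            self.vic = a["vic"]


def triage_attachment(html: str) -> dict:
    """Extract the markers and peel the two Base64 layers off the 'sti' customer ID."""
    p = MambaMarkers()
    p.feed(html)
    customer_id = None
    if p.sti:
        inner = b64_lenient(p.sti)                                               # first layer
        outer = b64_lenient(inner.decode("ascii", "ignore")) if inner else None  # second layer
        if outer:
            customer_id = outer.decode("utf-8", "replace")
    return {
        "socketio": p.socketio_src,
        "templates": p.template_scripts,
        "victim": p.vic,
        "customer_id": customer_id,
        "is_mamba_like": bool(p.socketio_src and p.sti and p.vic and p.template_scripts),
    }


# Constructed sample: a customer ID encoded twice, as the 'sti' attribute is described.
SAMPLE_CUSTOMER_ID = "cust-0042"
SAMPLE_STI = base64.b64encode(base64.b64encode(SAMPLE_CUSTOMER_ID.encode())).decode()
SAMPLE_URL = "https://link.example/n/?" + base64.b64encode(b"constructed-session").decode()
SAMPLE_HTML = f"""<html><body>
<script src="/static/socket.io.min.js"></script>
<div id="app" sti="{SAMPLE_STI}" vic="target@example.com"></div>
<script src="/static/jsnom.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(matches_link_pattern(SAMPLE_URL))
    print(triage_attachment(SAMPLE_HTML))
```

The recovered customer ID is useful for clustering attachments from the same Mamba 2FA subscriber across mailboxes.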

Hackers Abusing Legitimate File Hosting Services For Sophisticated Phishing Attack
https://cybersecuritynews.com/hackers-abuse-file-hosting-phishing/ (Wed, 09 Oct 2024 11:33:32 +0000)
Stealing personal data information (‘name’, ‘Social Security number’, ‘credit card details’, etc.) for fraudulent activities is dubbed “identity theft.” 

These cybercrimes are often categorized as financial, medical or criminal identity theft, each with an impact specific to the victim.

Microsoft’s security analysts have recently observed campaigns in which phishers actively abuse file-hosting services for identity phishing, so identity security is all the more important to focus on.

Hackers Abusing Legitimate File Hosting Services

Microsoft’s cybersecurity team has identified a significant surge in sophisticated cyberattacks where threat actors are exploiting trusted file hosting platforms (“SharePoint,” “OneDrive,” and “Dropbox”) via “advanced defense evasion techniques.”


These threat actors specifically use “restricted-access mechanisms” and “view-only file permissions” to evade traditional security measures like “email detonation systems” and “multi-factor authentication (MFA).” 

The attack chain typically begins when threat actors compromise a trusted vendor’s account, and then share malicious files using legitimate notification systems (like “no-reply@dropbox[.]com”) to target specific organizations.

Attack chain (Source – Microsoft)

These shared files are often disguised with urgent or contextually relevant names (like “Audit Report 2024” or “IT Filing Support 2024”) and are configured with sophisticated restrictions.

The restrictions are:-

  • They are accessible only to intended recipients.
  • They require re-authentication through one-time passwords (OTP).
  • They have time-limited access windows.
  • They prevent file downloads. 

This methodology primarily leads to “BEC attacks” that enable ‘financial fraud,’ ‘unauthorized data exfiltration,’ and ‘lateral movement across network endpoints.’ 

The threat actors exploit the “implicit trust” associated with “legitimate file-sharing services.” 

This makes these campaigns particularly effective at evading security controls while appearing to be routine business communications, especially when the compromised sender is already whitelisted in the target organization’s Exchange Online policies.

In a sophisticated identity theft attack, when users access a “shared file,” they encounter a ‘multi-stage compromise process.’ 

Initially, they receive a verification prompt requesting their “email address,” followed by a seemingly legitimate “OTP” sent from a “spoofed Microsoft address” (“no-reply@notify.microsoft[.]com”). 

After entering the “OTP,” users are presented with what appears to be a legitimate document preview containing a deceptive “View my message” link. 

When clicked, this link redirects them to an AiTM phishing page. On this fraudulent page, users are manipulated into providing their account credentials (‘password’ and ‘Multi-Factor Authentication (MFA) response’), the Microsoft report reads.

Once obtained, all these compromised authentication tokens enable threat actors to launch secondary BEC attacks, where they can “impersonate legitimate users,” “access sensitive information,” and “potentially initiate fraudulent financial transactions” or further “spread the attack throughout the organization’s network.”

Recommendations

Microsoft’s recommendations are as follows:-

  • Enable Conditional Access policies in Entra.
  • Use identity-driven signals for sign-in evaluation.
  • Protect with compliant devices and trusted IPs.
  • Start with security defaults if needed.
  • Implement continuous access evaluation.
  • Use passwordless sign-in with FIDO2 keys.
  • Turn on network protection in Defender for Endpoint.
  • Implement Mobile Threat Defense for devices.
  • Block malicious websites with Edge, and emails with Defender 365.
  • Monitor suspicious activities in Entra ID Protection.
  • Investigate suspicious sign-ins.
  • Educate users on secure file-sharing risks.

UNC2970 Hackers Targeting Job Seekers with Weaponized PDF Files
https://cybersecuritynews.com/hackers-targeting-job-seekers/ (Wed, 18 Sep 2024 14:04:10 +0000)
Trojanized PDF readers are malicious software disguised as legitimate PDF viewing applications.

They are primarily used by the threat actors to deliver malware by exploiting vulnerabilities in the PDF format and tricking users into executing malicious code.

Recently, cybersecurity analysts at Google Mandiant identified that UNC2970 hackers have been actively attacking job seekers using weaponized PDF readers.

In June 2024, Mandiant Managed Defense identified UNC2970, a suspected North Korean cyber espionage group targeting U.S. critical infrastructure sectors.


Sophisticated Phishing Tactics

The group employs sophisticated phishing tactics, posing as recruiters and sending tailored job descriptions for senior-level positions. 

Their infection chain utilizes a password-protected ZIP archive containing an encrypted PDF and a trojanized version of “SumatraPDF” (v3.4.3 or earlier). 

When victims open the PDF using the modified application, it triggers the “BURNBOOK” launcher (a malicious libmupdf.dll) which decrypts the PDF using “ChaCha20” cipher with a “32-byte key” and “12-byte nonce.” 

BURNBOOK then loads the MISTPEN backdoor, a modified Notepad++ plugin (binhex.dll), into the SumatraPDF.exe process via reflective loading, Mandiant said.

For persistence, the malware creates a scheduled task named “Sumatra Launcher” in %APPDATA%\Microsoft\BDE UI Launcher, using “BdeUISrv.exe” and employing DLL search-order hijacking with a malicious “wtsapi32.dll.” 

The MISTPEN payload is re-encrypted and stored in %APPDATA%\Thumbs.ini for later execution. 

This technique allows UNC2970 to bypass security measures, targeting aerospace, energy, and nuclear sectors. 

The campaign doesn’t exploit any vulnerability in SumatraPDF but rather modifies its open-source code to deliver the malicious payload.

Infection lifecycle (Source – Mandiant)

MISTPEN is written in C, and its primary function is to download and execute Portable Executable (PE) files. 

The backdoor uses AES encryption with a specific 256-bit key to decrypt a token, which it then uses to access Microsoft Graph APIs. 

MISTPEN communicates over HTTPS with Microsoft endpoints, including login.microsoftonline.com and graph.microsoft.com. 

It supports various commands like:- 

  • ‘d’ for loading and executing PE payloads.
  • ‘e’ for termination.
  • ‘f’ for sleep functionality.
  • ‘g’ for updating its configuration.

The backdoor can read and write its settings to a file named “setup.bin,” which allows persistent configuration. The MISTPEN backdoor is delivered alongside BURNBOOK, the trojanized PDF reader that employs DLL search-order hijacking.

TEARPAGE is another component: a loader that uses the ChaCha20 cipher to decrypt MISTPEN from an encrypted blob in “%APPDATA%\Thumbs.ini.”

This malware suite is linked with UNC2970, and this group uses job-themed phishing emails to target multinational companies across various sectors and countries.

New Copybara Android Malware Remotely Controlling Infected Device
https://cybersecuritynews.com/copybara-android-remote-control/ (Sat, 24 Aug 2024 10:01:55 +0000)
A new variant of Copybara, an Android malware family, has been active since November 2023, spreading through vishing attacks and leveraging the MQTT protocol for C2 communication.

The malware exploits the Accessibility Service to gain control over infected devices and downloads phishing pages impersonating cryptocurrency exchanges and financial institutions; these pages trick victims into entering their credentials, which the malware then steals.

Copybara, a sophisticated Android trojan active since 2021, continues to evolve and boasts a wide range of malicious capabilities, including keylogging, multimedia recording, SMS interception, screen capturing, credential theft, and remote device control.

Logos of financial institutions impersonated by Copybara.

Often posing as a legitimate financial app, it lures victims to phishing pages that target cryptocurrency exchanges and global financial institutions, and it has introduced MQTT for covert C2 communication, enhancing its stealth and persistence.

The latest Copybara variant, a malicious Android application, leverages the MQTT protocol for efficient communication with its command-and-control server.

Developed using the B4A framework, this variant often masquerades as legitimate financial institutions, particularly those based in Italy and Spain. 

It is also known to impersonate popular applications like Google Chrome and IPTV services, which aim to trick users into downloading and installing the malware, potentially compromising their personal and financial information.

Copybara is disguised as an IPTV application.

Copybara, a malicious Android application, leverages the Accessibility Service to gain extensive control over a victim’s device.

Upon installation, it persistently prompts users to enable this permission, which, if granted, allows the malware to manipulate various device settings and functions. 

The malware downloads and installs a list of phishing pages from a command-and-control (C2) server, designed to trick users into divulging their sensitive information. 

It establishes an MQTT connection to a C2 server, enabling it to receive and execute commands that range from capturing screenshots and recording audio to remotely controlling the device. 

The malware’s persistent notifications, blocked Settings menu options, and ability to download and install additional applications further hinder the victim’s ability to detect or remove it.

An example of a Copybara phishing page designed to look like a popular cryptocurrency exchange.

By mimicking legitimate apps with similar names and logos, the malware tricks victims into entering their credentials on phishing pages, which allows attackers to steal user information and gain unauthorized access to their accounts. 

Beyond credential theft, Copybara is a sophisticated trojan capable of audio and video recording, SMS hijacking, and screen capturing, making it a powerful tool for targeted attacks by malicious actors.

The Indicators of Compromise (IOCs) in this Zscaler ThreatLabz report include a list of malicious URLs and server IPs that are disguised to look like legitimate banking apps for BBVA, CaixaBank, Mediobanca, and BNL and distribute malware disguised as mobile banking apps. 

The server IPs listed could be hosting the malware or could be part of the attacker’s infrastructure. Security personnel should monitor these IOCs to detect and prevent potential malware infections.  

New Phishing Campaign Attacking AWS Accounts To Steal Logins
https://cybersecuritynews.com/aws-phishing-campaign/ (Wed, 14 Aug 2024 11:58:32 +0000)
A phishing email containing only a PNG image was sent from a compromised AWS account using the spoofed sender address admin@alchemistdigital.ae.

Clicking the image redirected victims to a malicious Squarespace domain, giraffe-viola-p262.squarespace[.]com, which subsequently led to a PDF viewer. 

The sender domain is recognized as a known malware distributor, according to open-source threat intelligence, which targets AWS accounts.


The attack starts with a malicious PDF hosted on a file-sharing site; clicking an “Invoice Summary” link within the PDF triggers a redirect chain.

Invoice Summary

First, it goes through a link shortener service and then to an attacker-controlled domain disguised as an AWS console page. 

Finally, it lands on a fake login page designed to steal user credentials. While Google Chrome flags this as phishing, users of other browsers or those who ignore warnings are at risk. 

A fake AWS login page that steals credentials, i.e., signin.aws.consoleportal.tech, closely resembles the real one and even uses a similar URL structure. 

To gather potentially even more information, the fake page loads JavaScript from a suspicious location (https://d35uxhjf90umnp.cloudfront.net/index.js); it is unclear whether this script is directly controlled by the attacker or somehow linked to their AWS resources.

Malicious pdf

The honeypot, designed to mimic an employee’s AWS login, encountered a sophisticated phishing page that only accepted the originally targeted victim’s email address, indicating potential personalization or filtering mechanisms.

While the researchers were considering using the employee’s actual account, the attacker’s infrastructure became unavailable. 

The cause remains unclear, but it could be the report sent to stop-spoofing@amazon.com or Chrome’s built-in phishing detection; either way, the episode highlights the evolving tactics of attackers and the importance of layered security measures. 

To mitigate phishing risks, AWS customers should enforce strong account security by disabling root logins via Service Control Policies, implementing phishing-resistant MFA using FIDO security keys for Organization Management accounts, and considering additional measures such as SSO for user authentication. 

This layered approach significantly reduces the likelihood of a successful phishing attack, protecting the organization even in the face of human error. 

Enforce SSO for all cloud environment access instead of IAM users or root logins to streamline authentication management and bolster security through additional authentication measures. 

Implement least privilege principles to mitigate the risks associated with compromised user accounts by restricting access to critical resources and minimizing the number of users with elevated permissions, such as root access to AWS Organization Management accounts. 
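The root-login restriction recommended above is normally implemented as a Service Control Policy attached to member accounts. The policy and the small evaluator below are an added example, not code from the article or from AWS: the evaluator models only the Deny and StringLike semantics this one policy relies on, and the account IDs and role name are placeholders. SCPs never apply to the organization’s management account, so its root user still needs the FIDO-key MFA the article recommends.

```python
import fnmatch
import json

# Added example: an SCP that denies every action to the root user of the member
# accounts it is attached to. Account IDs and the role name below are placeholders.
DENY_ROOT_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRootUser",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Model only the StringLike operator (wildcard match) this policy uses."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in pairs.items():
            actual = context.get(key, "")
            if not any(fnmatch.fnmatchcase(actual, p) for p in _as_list(patterns)):
                return False
    return True


def scp_denies(policy, principal_arn, action):
    """True when a Deny statement in the SCP applies to this principal and action.
    Simplified evaluator written for the example, not AWS's policy engine."""
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(DENY_ROOT_SCP, indent=2))
    # SCPs do not apply to the management account, so its root user still
    # needs the FIDO-key MFA the article recommends.
    for arn in ("arn:aws:iam::123456789012:root",
                "arn:aws:iam::123456789012:role/ReadOnly"):
        verdict = "denied" if scp_denies(DENY_ROOT_SCP, arn, "s3:ListAllMyBuckets") else "allowed"
        print(arn, verdict)
```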

Cloud logging services like Amazon CloudTrail are critical for effective security incident response.

By continuously recording cloud activities, these services enable security teams to pinpoint compromised resources, determine the extent of a breach, and implement targeted remediation actions. 

Historical DNS data revealed previously used IP addresses from Namecheap and Hostinger, which hosted other potential phishing domains with subdomains mimicking AWS services (e.g., signin.aws.{domain}). 

A lookalike search uncovered numerous domains replicating Amazon’s login page. While ownership by the same attacker is unclear, the subdomain format and association with known phishing IPs suggest malicious intent. 


macOS Malware Disguise As Unarchiver App Steals User Data https://cybersecuritynews.com/macos-malware-unarchiver-data-theft/ Thu, 01 Aug 2024 07:54:40 +0000

Since unarchiver apps are commonly used and trusted for extracting files, threat actors often abuse them to disseminate malware and other malicious files.

Recently, security analysts uncovered macOS malware that disguises itself as an “Unarchiver” app, enabling threat actors to steal user data.

During routine research, cybersecurity experts at Hunt.io discovered a phishing site masquerading as theunarchiver[.]com. This site offers a questionable disk image (TheUnarchiver.dmg).

The only difference between this website and the real one was the changed download button and domain name (tneunarchiver[.]com).


macOS Malware Disguise As Unarchiver

Despite low-risk scores from Hatching Triage (1/10) and no detections on VirusTotal, there is considerable suspicion due to the deceptive domain and copied web page.

A spoofed website impersonating The Unarchiver app (Source – Hunt.io)

Previous campaigns of this kind have used the same tactic of handing out genuine software through phishing sites, so such cases require careful assessment.

Consequently, the disk image must be analysed thoroughly to uncover follow-on malicious actions that initial scans may miss, since artificially low scores can result from execution failures in the sandbox and can be misleading.

Checking signature information for TheUnarchiver.dmg using Patrick Wardle’s ‘WhatsYourSign’ tool (Source – Hunt.io)

Inside the unsigned disk image, the suspicious macOS file “CryptoTrade” contains machine code for both ARM and Intel architectures.

WhatsYourSign result for CryptoTrade file (Source – Hunt.io)

It is compiled from Swift and was ad-hoc signed when it was built on macOS 14.5 (May 2024).

Examination of its contents, including the Info.plist file and shared libraries, suggests malicious intent. 

dmg file contents after mounting using hdiutil (Source – Hunt.io)

Code that is likely used to capture the user’s password points to a deceptive installation process.

One URL found in the strings output (https://cryptomac[.]dev/download/grabber.zip) indicates that more malware might be available.

Despite these warning signs, VirusTotal vendors failed to flag it as malicious, possibly because it is incompatible with the older macOS versions used in analysis sandbox environments.

The “grabber.zip” file, undetected by VirusTotal, contains 10 shell scripts designed to steal user information.

The main script sets up a directory in the user’s Library folder, collects IP information, and executes various data-grabbing scripts. 

The stolen data is then compressed and sent to a remote server. Notable features include Russian comments in one script, suggesting the malware’s origin. 

This macOS-targeted stealer, similar to Amos and Poseidon, impersonates The Unarchiver app, uses Swift, and exfiltrates data to a common URL path (/api/index.php), yet remains undetected by security vendors.


iPhone Users Beware! Fake Postal Messages Stealing Your Login Credentials https://cybersecuritynews.com/iphone-india-post-smishing-scam/ Tue, 30 Jul 2024 11:52:43 +0000

Cybercriminals have launched a smishing campaign targeting iPhone users in India, impersonating India Post. Malicious iMessages falsely claim a package awaits at an India Post warehouse, enticing victims to click on fraudulent links. 

It leverages the widespread trust in India Post and the popularity of iPhones to deceive users into compromising their devices and potentially revealing sensitive information. 

A security incident affecting iPhone users in India has the potential to result in financial loss.

Compromised user information poses a significant risk of unauthorized access to sensitive data, enabling malicious actors to perpetrate further attacks, potentially leading to additional financial damages and reputational harm. 

Smishing lures sent to users in India. Screenshots collected from social media posts.

A China-based threat actor, the Smishing Triad, is conducting a phishing campaign targeting multiple regions, including India, after previously targeting the US, UK, EU, UAE, KSA, and Pakistan.


The group leverages Apple ID vulnerabilities by creating accounts with third-party email addresses, which enables iMessage-based phishing; the messages contain shortened URLs that redirect users to fraudulent websites. 

An investigation uncovered the widespread use of newly registered domains for these phishing attacks. It delves into the tools and methods threat actors employ to propagate the campaigns, quantifies the scale of the problem, outlines attacker tactics, and provides actionable insights into the evolving phishing landscape. 

Domain Registration Frequency: June to mid-July (Dates with 4+ Registrations)

Over 470 domain names resembling India Post’s official domain were registered between January and July 2024, indicative of a large-scale homograph phishing attack; 296 of them were registered through a Chinese registrar, raising significant security concerns. 

Registrations surged in June and July 2024, with peak days seeing up to 42 new domains, emphasizing the dynamic and potentially malicious nature of this campaign against India Post users. 

Investments made on the domain purchase.

Analysis by FortiGuard Labs indicates a substantial concentration of domains hosted by Tencent, primarily in Hong Kong. The data reveals that 232 domains are Tencent-hosted, with 16 specifically registered in Santa Clara. 

User information collection form.

The phishing domain ‘indiapost[.]top’ hosts a cloned India Post website on specific paths to evade detection.

Despite recent registration, the domain is used to deceive users into providing personal and financial information. 
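The lures on this page share a pattern: either a brand label such as signin.aws sits on a registrable domain the brand does not own, or the brand name is re-registered under a foreign suffix (indiapost[.]top) or with a typo (tneunarchiver[.]com from the Unarchiver story above). The function below is an added example, not code from FortiGuard, Hunt.io or the article, that flags all three cases from a hostname alone; the brand table, the stand-in public-suffix list and India Post’s official domain (assumed to be indiapost.gov.in) are the example’s own assumptions.

```python
import difflib

# Constructed brand table for this example: registrable domains the lures on
# this page imitate, each with the labels a lure tends to borrow. India Post's
# official domain is assumed to be indiapost.gov.in.
BRANDS = {
    "amazon.com": {"aws", "amazon"},
    "indiapost.gov.in": {"indiapost"},
    "theunarchiver.com": {"theunarchiver"},
}
# Stand-in for the public suffix list; enough for the demo (assumption).
MULTI_LABEL_SUFFIXES = {"gov.in", "co.in", "co.uk", "com.au"}


def registrable_domain(host):
    """'a.b.example.com' -> 'example.com'; 'x.indiapost.gov.in' -> 'indiapost.gov.in'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_hostname(host, brands=BRANDS, threshold=0.8):
    """Return (suspicious, reasons) for one hostname against the brand table."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    if reg in brands:
        return False, []  # served from the brand's own registrable domain
    base = reg.split(".")[0]
    sub_labels = set(host[: -len(reg)].strip(".").split(".")) - {""}
    reasons = []
    for brand, names in brands.items():
        brand_base = brand.split(".")[0]
        borrowed = sorted(names & sub_labels)
        if borrowed:  # e.g. signin.aws.<attacker domain>
            reasons.append(f"labels {borrowed} of {brand} used as subdomain of {reg}")
        if base == brand_base:  # brand name under a suffix the brand does not use
            reasons.append(f"{base!r} registered under a different suffix than {brand}")
        else:  # typo-squat / homograph: near-identical second-level label
            ratio = difflib.SequenceMatcher(None, base, brand_base).ratio()
            if ratio >= threshold:
                reasons.append(f"{base!r} is a near-match of {brand_base!r} ({ratio:.2f})")
    return bool(reasons), reasons


if __name__ == "__main__":
    for h in ("signin.aws.consoleportal.tech", "signin.aws.amazon.com",
              "indiapost.top", "tneunarchiver.com", "example.com"):
        print(h, assess_hostname(h))
```

A real deployment would swap the stand-in suffix table for the public suffix list and feed the function newly observed domains from passive DNS or certificate transparency logs.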

The phishing attack leverages a delivery failure notification to entice victims, collect sensitive data, and ultimately request a fraudulent payment. It poses significant risks of identity theft, financial loss, and potential further malicious activities. 

Payment information collection.

The attacker leverages either a newly created or compromised Apple ID to send the message, disguising it as a legitimate iMessage communication. 

It exploits the trust associated with iMessage and bypasses traditional email security measures, increasing the likelihood of successful attacks on iMessage-enabled devices.


Beware Of Malicious PDF Files That Mimic Microsoft 2FA Security Update https://cybersecuritynews.com/malicious-pdf-microsoft-2fa-warning/ Thu, 04 Jul 2024 11:51:36 +0000

Malware authors are exploiting the growing popularity of QR codes to target users through PDF files. These malicious PDFs, often delivered via email and disguised as faxes, contain QR codes that trick users into scanning them with their smartphones. 

QR codes can be linked to malware downloads or phishing sites cleverly disguised as legitimate sources, such as security updates or SharePoint document links, which bypass traditional email security checks and leverage the trust users place in QR codes for everyday tasks.  

Malicious PDF files with QR code (blurred)

Phishing scammers are impersonating the Microsoft login page by utilizing a QR code that redirects users through a benign-looking host (bing.com) to a phishing URL. 


The deceptive URL, obfuscated with Base64 encoding, ultimately leads to a login page designed to steal Microsoft account credentials such as the user ID and password. 

The phishing page itself is designed to look like the authentic login interface used by Microsoft, which further increases the likelihood of the scam’s success.  
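Because the QR payload routes through bing.com and hides the final destination in Base64, analysts usually want to unwrap such a link without visiting it. The function below is an added example (not the article’s or SonicWall’s code) that peels Base64-wrapped URLs out of query parameters and reports every hop; the sample URL is constructed with a placeholder .invalid destination, and the parameter name `u` is an assumption rather than a documented format.

```python
import base64
import binascii
from urllib.parse import unquote, urlsplit

URL_PREFIXES = ("http://", "https://")


def _try_base64(text):
    """Decode standard or URL-safe Base64, tolerating stripped padding."""
    padded = text + "=" * (-len(text) % 4)
    try:
        # urlsafe_b64decode maps '-'/'_' to '+'/'/' and still accepts '+' and '/'
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def _query_values(url):
    """Yield decoded query values. parse_qsl is avoided on purpose: it would
    turn a '+' inside standard Base64 into a space and corrupt the payload."""
    for pair in urlsplit(url).query.split("&"):
        if "=" in pair:
            yield unquote(pair.split("=", 1)[1])


def unwrap_redirect_chain(url, max_depth=5):
    """Return the URLs reached by repeatedly extracting a wrapped destination
    (plain or Base64) from query parameters, starting with the scanned URL."""
    chain = [url]
    for _ in range(max_depth):
        nested = None
        for value in _query_values(chain[-1]):
            decoded = value if value.startswith(URL_PREFIXES) else _try_base64(value)
            if decoded and decoded.startswith(URL_PREFIXES):
                nested = decoded
                break
        if nested is None or nested in chain:  # nothing wrapped, or a loop
            break
        chain.append(nested)
    return chain


def hop_hosts(chain):
    """Hostname of every hop, for matching against allow/deny lists."""
    return [urlsplit(u).hostname for u in chain]


# Constructed sample: a bing.com hop whose 'u' parameter carries the real
# (placeholder) destination, next to an unrelated Base64 value 'p=Zm9v'.
SAMPLE_FINAL = "https://login.phish-sample.invalid/signin?login_hint=victim%40example.com"
SAMPLE_URL = (
    "https://www.bing.com/ck/a?p=Zm9v&u="
    + base64.urlsafe_b64encode(SAMPLE_FINAL.encode()).decode().rstrip("=")
)

if __name__ == "__main__":
    for hop in unwrap_redirect_chain(SAMPLE_URL):
        print(hop)
```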

Fiddler screenshot of phishing URL

Phishing attacks are evolving to use QR codes to trick users into entering their credentials on malicious websites, which can be designed to look like legitimate login pages and may even prefill the username field to increase believability. 

Once a user enters their credentials, the attacker can steal them and use them to gain unauthorized access to the user’s email, personal information, and potentially sensitive corporate data. 

Microsoft Phishing Page with prefilled username

Malicious QR codes can exploit vulnerabilities in mobile device QR scanners to circumvent user consent and carry out harmful actions. 

It includes silently downloading and installing malware, subscribing users to premium SMS services, which results in unexpected charges, or initiating calls to premium rate numbers, which incurs high costs. 

Even more serious, QR code exploits can steal login credentials, launch denial-of-service attacks, compromise user networks, and damage the reputation of targeted individuals or organizations. 

SonicWall has published Indicators of Compromise (IOCs) for this campaign, including URLs suspected to be malicious and file hashes in hexadecimal format that can be compared against a database of known malicious files to identify potential threats. 

The URLs are obfuscated with techniques like character substitution (e.g., ‘r’ for ‘e’).

Decoded, these URLs could lead to phishing sites or malware downloads, while analyzing these IOCs and URLs together can help security professionals detect and prevent cyberattacks. 


New OPIX Ransomware Encrypting Files With Random Character String https://cybersecuritynews.com/new-opix-ransomware-encrypting-files/ Tue, 18 Jun 2024 08:41:49 +0000

A recently identified ransomware variant dubbed OPIX encrypts user files using a random character string and adds the “.OPIX” extension to them. 

The ransomware will drop a notice on victims’ screens telling them to get in touch with the attackers via the specified email address or Telegram handle within 48 hours, failing which their stolen data would be sold to competitors and made public on the dark web.

The OPIX ransomware variant is commonly disseminated using social engineering techniques including drive-by downloads and phishing emails. 

This software is typically presented as or combined with legitimate/normal content.

Malicious files may be executables (.exe, .run, etc.), documents (Microsoft Office, Microsoft OneNote, PDF, etc.), archives (RAR, ZIP, etc.), JavaScript, and more.


Working Of The New OPIX Ransomware 

According to Symantec, the malware now encrypts user files with a random character string and appends the “.OPIX” extension.

For example, “test.txt” becomes “B532D3Q9.OPIX”. 

Victims will get a ransom note, commonly named “#OPIX-Help.txt”, telling them to contact the attackers via the specified email or Telegram handle within 48 hours, or their stolen data would be sold to competitors and broadcast on the dark web.

Sample Screenshot of OPIX ransomware’s text file (“#OPIX-Help.txt”)
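For incident responders, the rename pattern and the note name above are enough to size the blast radius on a file share. The script below is an added example, not from Symantec or the article; it assumes encrypted names follow the single published sample (eight upper-case alphanumerics plus .OPIX) and builds a constructed directory tree in a temp folder to run against.

```python
import os
import re
import tempfile

# Assumptions for this example: encrypted names follow the one published sample
# ("B532D3Q9.OPIX", eight upper-case alphanumerics) and the note is "#OPIX-Help.txt".
ENCRYPTED_NAME = re.compile(r"^[A-Z0-9]{8}\.OPIX$")
RANSOM_NOTE = "#OPIX-Help.txt"
CLEAN_SUBDIR = "untouched"


def triage_tree(root):
    """Walk root and record encrypted files, ransom notes and per-directory counts."""
    report = {"encrypted_files": [], "ransom_notes": [], "per_dir": {}}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if ENCRYPTED_NAME.match(f)]
        has_note = RANSOM_NOTE in files
        if has_note:
            report["ransom_notes"].append(os.path.join(dirpath, RANSOM_NOTE))
        if encrypted:
            report["encrypted_files"] += [os.path.join(dirpath, f) for f in encrypted]
            # (encrypted, files other than the note): shows partial vs full hits
            report["per_dir"][dirpath] = (len(encrypted), len(files) - has_note)
    return report


def impact_summary(report):
    """Condense a triage report into the numbers an incident lead asks for."""
    encrypted = len(report["encrypted_files"])
    fully = sum(1 for n, total in report["per_dir"].values() if n == total)
    return {
        "encrypted": encrypted,
        "notes": len(report["ransom_notes"]),
        "fully_encrypted_dirs": fully,
        "partially_encrypted_dirs": len(report["per_dir"]) - fully,
        "hit": encrypted > 0 or bool(report["ransom_notes"]),
    }


def build_sample_tree():
    """Constructed sample: one folder partly hit, one fully hit, one untouched."""
    base = tempfile.mkdtemp(prefix="opix-triage-")
    layout = {
        "docs": ["B532D3Q9.OPIX", "K8F2Z1QP.OPIX", RANSOM_NOTE, "README.txt"],
        "archive": ["Q7M3X9ZA.OPIX", RANSOM_NOTE],
        CLEAN_SUBDIR: ["notes.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            open(os.path.join(base, folder, name), "w").close()
    return base


if __name__ == "__main__":
    print(impact_summary(triage_tree(build_sample_tree())))
```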

In this case, decryption is typically unfeasible without the attackers’ involvement. Moreover, since cybercriminals frequently fail to deliver the promised decryption key or software, paying the ransom does not ensure that the files will be recovered. 

Paying also funds the criminals and keeps them in business.

To protect your files, it is therefore strongly advised that you maintain backups in several different places (such as remote servers, unplugged storage devices, etc.).

When receiving emails or messages, proceed with caution. Links or attachments included in questionable or irrelevant emails should not be clicked because they may be dangerous.

Indications Of The Threat

Symantec detects and removes this threat under the following signatures.

Adaptive-Based: 

ACM.Untrst-FlPst!g1
ACM.Untrst-RunSys!g1

Behavior-Based

SONAR.SuspBeh!gen16
SONAR.SuspLaunch!g18 
SONAR.SuspLaunch!g250 
SONAR.SuspLaunch!g340 
SONAR.SuspLaunch!gen4 

File-Based:

Trojan Horse
Trojan.Gen.MBT
WS.Malware.1

Machine Learning-Based:

Heur.AdvML.A!300
Heur.AdvML.B
Heur.AdvML.B!100
Heur.AdvML.B!200

Carbon Black-Based:

Existing policies in VMware Carbon Black products detect and block associated harmful signs. 

To get the most from the VMware Carbon Black Cloud reputation service, it is recommended to block all known, suspect, and PUP malware from running and to delay execution pending cloud scan results.

