Cyber Security News of the week — 20.11.2021|27.11.2021
Facebook Bans Pakistani and Syrian Hacker Groups for Abusing its Platform
Meta’s threat intelligence analysts said these apps were a front for two distinct malware strains, a remote access trojan named PJobRAT, which was previously found targeting the Indian military forces, and a previously undocumented implant dubbed Mayhem that’s capable of retrieving contact lists, text messages, call logs, location information, media files, device metadata, and even scrape content on the device’s screen by abusing accessibility services.
Among other SideCopy’s techniques, the hacker gang participated in a number of illicit actions, including hosting rogue app stores, compromising genuine websites to host harmful phishing pages that were aimed to trick individuals into giving up their Facebook credentials. The group was removed from Facebook in August.
Furthermore, Meta also claims it disabled three hacker networks linked to the Syrian government and notably Syria’s Air Force Intelligence —
Syrian Electronic Army aka APT-C-27, which targeted humanitarian organizations, journalists and activists in Southern Syria, critics of the government, and individuals associated with the anti-regime Free Syrian Army with phishing links to deliver a mix of commercially available and custom malware such as njRAT and HmzaRat that are engineered to harvest sensitive user information.
APT-C-37, which targeted people linked to the Free Syrian Army and military personnel affiliated with opposition forces with a commodity backdoor known as SandroRAT and an in-house developed malware family called SSLove via social engineering schemes that duped victims into visiting websites masquerading as Telegram, Facebook, YouTube, and WhatsApp as well as content focussed on Islam.
A government-linked unnamed hacking group that targeted minority groups, activists, opposition in Southern Syria, Kurdish journalists, and members of the People’s Protection Units and Syria Civil Defense, with the operation manifesting in the form of social engineering attacks that entailed sharing links to websites hosting malware-laced apps mimicking WhatsApp and YouTube that installed SpyNote and Spymax remote administration tools on the devices.
Prevent Data Breaches
“To disrupt these malicious groups, we disabled their accounts, blocked their domains from being posted on our platform, shared information with our industry peers, security researchers and law enforcement, and alerted the people who we believe were targeted by these hackers,” the social technology firm’s Mike Dvilyanski, head of cyber espionage investigations, and David Agranovich, director of threat disruption, said.
SharkBot — A New Android Trojan Stealing Banking and Cryptocurrency Accounts
Cybersecurity researchers on Monday took the wraps off a new Android trojan that takes advantage of accessibility features on mobile devices to siphon credentials from banking and cryptocurrency services in Italy, the U.K., and the U.S.
Dubbed “SharkBot” by Cleafy, the malware is designed to strike a total of 27 targets — counting 22 unnamed international banks in Italy and the U.K. as well as five cryptocurrency apps in the U.S. — at least since late October 2021 and is believed to be in its early stages of development, with no overlaps found to that of any known families.
Automatic GitHub Backups
“The main purpose of SharkBot is to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique evading multi-factor authentication measures (e.g., SCA),” the researchers wrote in a paper.
“Once SharkBot is successfully installed in the victim’s smartphone, attackers can get sensitive banking information through the misuse of Accessibility Services, such as credentials, personal information, current balance, etc., but also to conduct gestures on the infected device.”
Masquerading as media player, live TV, or data recovery software, SharkBot, like its other malware rivals TeaBot and UBEL, continuously prompts users with rogue pop-ups to grant it vast rights just to steal vital information. Where it stands apart is the exploitation of accessibility settings to carry out ATS assaults, which allow the operators to “auto-fill fields in legal mobile banking apps and start money transfers from the compromised devices to a money mule network controlled by the [threat actor].”
The modus operandi efficiently obviates the necessity for enrolling a new device to execute fraudulent operations, while also circumventing two-factor authentication systems put in place by the banking applications.
Prevent Data Breaches
In addition, the malware comes with several features now observed across all Android banking trojans, such as the ability to perform overlay attacks to steal login credentials and credit card information, intercept legitimate banking communications sent through SMS, enable keylogging, and obtain full remote control of the compromised devices.
SharkBot is also famous for the precautions it takes to elude analysis and discovery, including running emulator tests, encrypting command-and-control interactions with a remote server, and concealing the app’s icon from the home screen post-installation. No samples of the virus have been identified in the official Google Play Store, implying that the malicious apps are installed on the consumers’ smartphones either via sideloading or social engineering tactics.
The discovery of SharkBot in the open highlights “how mobile malwares are quickly exploring new ways to perpetrate fraud, seeking to evade behavioural detection countermeasures put in place by different banks and financial services during the last years,” the researchers stated.
and The Ugly
North Korean Hackers Target Cybersecurity Researchers with Trojanized IDA Pro
Lazarus, the North Korea-affiliated state-sponsored gang, is attempting to once again attack security researchers with backdoors and remote access trojans using a trojanized pirated edition of the popular IDA Pro reverse engineering program.
The discoveries were disclosed by ESET security researcher Anton Cherepanov last week in a series of tweets.
IDA Pro is an Interactive Disassembler that’s designed to transform machine language (aka executables) into assembly language, enabling security researchers to investigate the inner workings of a program (malicious or otherwise) as well as acting as a debugger to find flaws.
Automatic GitHub Backups
“Attackers packed the original IDA Pro 7.5 program built by [Hex-Rays] with two malicious components,” the Slovak cybersecurity firm stated, one of which is an internal module named “win fw.dll” that’s executed during installation of the application. This altered version is then organized to load a second component named “idahelper.dll” from the IDA plugins folder on the machine.
Upon successful execution, the “idahelper.dll” program connects to a remote server at “www[.]devguardmap[.]org” to obtain further payloads. The domain is particularly notable for the reason that it’s been previously tied to a similar North Korea-backed effort directed at security experts and reported by Google’s Threat Analysis Group earlier this March.
The covert operation involved the adversaries setting up a fake security company known as SecuriElite alongside a number of social media accounts across Twitter and LinkedIn in an attempt to trick unsuspecting researchers into visiting the company’s malware-laced website so as to trigger an exploit that leveraged a then zero-day in Internet Explorer browser. Microsoft eventually resolved the bug in their Patch Tuesday update for March 2021.
Prevent Data Breaches
Also known by the monikers APT38, Hidden Cobra, and Zinc, the Lazarus Group is believed to be active as early as 2009 and related to a number of attacks for financial gain and stealing sensitive information from compromised systems.
“North Korea’s cyber program offers a growing espionage, theft, and assault danger,” according to the U.S. Office of the Director of National Intelligence 2021 Annual Threat Assessment published earlier this April.
“North Korea has undertaken cyber theft against financial institutions and cryptocurrency exchanges globally, potentially taking hundreds of millions of dollars, probably to fund government goals, such as its nuclear and missile programs.”