Malware Watch - W/E - 100518
Abused Android Password Managers Can Enable Phishing Attacks (10/02/2018)
Android's mobile password management and Instant Apps feature can both be exploited to mount phishing attacks, a team of researchers has warned. Due to design flaws, password managers can be tricked into entering valid credentials into phishing apps. "We then show how an attacker can abuse the recently introduced Instant Apps technology to allow a remote attacker to gain full UI control and, by abusing password managers, to implement an end-to-end phishing attack requiring only a few user clicks. We also found that mobile password managers are vulnerable to 'hidden fields' attacks, which makes these attacks even more practical and problematic," the scientists said.
DanaBot Malware Growing in Popularity in Targeted US Campaigns (10/02/2018)
The DanaBot banking Trojan, which had previously been used to attack Australian organizations, has now been adopted in campaigns affecting organizations in the US. Proofpoint observed a threat actor swapping out the Panda banking Trojan for DanaBot in one attack, and then discovered another campaign that downloaded both DanaBot and the Pony information-stealing malware.
FakeSpy Malware Returns to Take Aim at Android (10/04/2018)
The FakeSpy malware has received an update since it was first discovered by Trend Micro in June and Fortinet says the latest version offers more sophisticated features as its campaign grows. FakeSpy is capable of spreading to Android devices by sending malicious text messages to phone numbers it has received from its attackers. Once FakeSpy infects a device, it asks to become the default SMS app so that it can log text messages and send the information back to its command and control server.
Here Comes Torii - A Sneaky and Persistent IoT Malware (10/02/2018)
A new Internet of Things malware strain called Torii offers a set of sophisticated features to exfiltrate data and uses multiple layers of encryption to stay undetected, the research team at Avast revealed. Torii can infect a range of devices and supports numerous architectures, including MIPS, ARM, x86, x64, PowerPC, SuperH, and others. The infection chain starts with a Telnet attack against the weak credentials of targeted devices, followed by execution of an initial shell script.
Malware Threats Go Fileless to Evade Detection (10/01/2018)
Fileless malware is on the rise and Microsoft's security team issued a warning to alert users to these attacks. In the past, fileless malware was used in very sophisticated cyber attacks, but they have become widespread as criminals have become adept at sidestepping antivirus software.
NOKKI Malware Has Ties to Reaper Threat Group (10/02/2018)
Researchers at Palo Alto Networks have identified a relationship between NOKKI, a new malware family that was observed targeting Russian- and Cambodian-speaking individuals and organizations, and the Reaper threat actor, which is affiliated with North Korea. Reaper utilizes, among other tactics, a tailored malware called DOGCALL, a remote access Trojan that uses third-party hosting services to upload data and accept commands. DOGCALL has been attributed only to Reaper and to no other threat group. While assessing NOKKI, the research team reviewed the malicious macros in Word documents that were used to drop NOKKI and noticed that the deobfuscation technique was the same as one used in a previous attack involving DOGCALL.
Roaming Mantis Malware Adds Sophisticated Features to Its Dangerous Arsenal (10/02/2018)
Kaspersky Lab has analyzed the Roaming Mantis malware and determined that it now supports 27 languages and has been using Web-based cryptocurrency mining on PCs and an Apple phishing page for iOS devices. It is suspected that this malware has infected thousands of computers and stolen a large amount of data from its victims. Roaming Mantis is also trying to spread via prezi.com, with a scam that offers visitors free content such as videos.