Malware Watch - W/E - 9/27/19
App Malware with 2.1 Million Downloads Spotted and Booted from Google Play (09/24/2019)
Symantec notified Google of a batch of malicious apps, with over 2.1 million downloads, found in the Play store. Twenty-five Android Package Kits (APKs), mostly masquerading as a photo utility app and a fashion app, were published under 22 different developer accounts, with the initial sample uploaded in April 2019. These 25 malicious hidden apps share a similar code structure and app content. It is likely that monetary gain was the motivating factor behind these apps. Google has since removed the apps from Play.
Canadian Authorities Post Alert for TFlower Ransomware (09/25/2019)
The Canadian Centre for Cyber Security issued a warning with information regarding a new ransomware that was discovered in July and is dubbed "TFlower." The initial infection vector for this malware appears to be exposed, unpatched Remote Desktop services, but it can also include email spam and malicious attachments, deceptive downloads, botnets, malicious ads, Web injects, fake updates, and repackaged and infected installers. Once a malicious entity infects a system, it may attempt to move laterally across the network through tools such as PowerShell Empire, PsExec, etc. The Cyber Centre recommends that all system owners apply the latest security patches immediately, and system users are reminded to be vigilant when following unsolicited links and opening unexpected document attachments in emails, even if they come from known contacts.
Fake Ad Blockers on Chrome Store Used Cookie Stuffing Scheme (09/24/2019)
Google has pulled two ad blockers from its Chrome Web Store after a researcher from AdGuard warned that they had malicious features and were masquerading as legitimate ad blockers. Andrey Meshkov discovered the "AdBlock" and "uBlock" extensions and found that they both used a "cookie stuffing" tactic, which is an ad fraud scheme. Meshkov said, "These two add-ons have more than 1.6 Million 'weekly active users', who were stuffed with cookies of over 300 Web sites from Alexa Top 10,000. It is difficult to estimate the damage, but I'd say that we are talking about millions of USD monthly." Both extensions used the names of legitimate ad blocking products.
Hundreds of Gambling Apps Found Hiding in Google Play and iOS App Store (09/26/2019)
Hundreds of apps on Google Play and Apple's iOS App Store claim to be legitimate offerings but are actually gambling apps, the researchers at Trend Micro state. Some of the apps ranked in the Top 100 of the App Store while others had been rated over 100,000 times. Upon notification of these shady apps, Apple and Google pulled them from their respective stores.
Imposter Stockfolio Trading App Lifts Mac User Data (09/24/2019)
A malicious app disguised as a legitimate Mac-based trading app called Stockfolio has been spotted by Trend Micro stealing victim data and uploading it to a Web site. Two versions of the app were seen: the first contains a pair of shell scripts and connects to a remote site to decrypt its encrypted code, while the second sample, despite using a simpler routine involving a single shell script, incorporates a persistence mechanism. Trend Micro contacted Apple about the imposter app and was informed that the code signing certificate of this fake app's developers was revoked in July.
Lazarus Group Behind Dtrack Spy Tool that Targets Indian Financial Institutions (09/24/2019)
Kaspersky discovered a spy tool that had been spotted in Indian financial institutions and research centers. Called Dtrack, this spyware reportedly was created by the Lazarus group and is being used to upload and download files to victims' systems, record keystrokes, and conduct other actions typical of a malicious remote administration Trojan (RAT). Dtrack can give threat actors complete control over infected devices. Criminals can then perform different operations, such as uploading and downloading files and executing key processes. Lazarus is a North Korean threat entity.
No Retirement for GandCrab Ransomware Authors, Connections Made to REvil (09/25/2019)
Although the creators of the profitable GandCrab ransomware-as-a-service announced they were shuttering operations in May, researchers at Secureworks suspect otherwise, as the malware's developers have been connected to the REvil (also known as Sodinokibi) ransomware. The new group, called Gold Garden, showed significant overlap with the GandCrab crew, including early REvil samples that had elements appearing to refer to GandCrab. Secureworks originally tracked REvil as malware from a completely separate entity.