FlixOnline – this fake Netflix app is hijacking your WhatsApp sessions and stealing credit card data
FlixOnline app lured users by promising free Netflix Premium subscriptions. However, users instead of two months lasting freedom got mobile malware which was hijacking WhatsApp sessions to spread itself.
The Check Point Research team revealed that the malware can capture WhatsApp notifications and take several predefined actions, such as Dismiss or Reply through the Notification Manager.
After FlixOnline gets installed on a device, it asks for overlay permissions, which is a common trick to steal service credentials. It also asks for Battery Optimization Ignore, which prevents a device from auto shut off software to save power. Additionally, the app asks for notification permissions to access WhatsApp-related communications.
Attackers next step? Stealing Netflix credentials and payment data such as credit card number. The information is then transmitted to a Command and Control server.
The real problem: safe and sound… and undetected
The app was available in Google Play Store for about 2 months and was downloaded nearly 500 times. Which is not a bad statistic. There were launched more successful and deadly campaigns within the last 12 months for sure. However, the real problem lies elsewhere. It is a fact that the malware was able to bypass Google Play Store’s app authentication system. In this case, Google Play Store’s built-in protection measures failed entirely.
Looking for a job? Watch out for well-targeted job offers on Linkedin – it’s a malware!
A new spear-phishing campaign is targeting professionals on LinkedIn with weaponized job offers in an attempt to infect targets with a sophisticated backdoor trojan called “more_eggs.”
To increase the odds of success and open rate, the malicious ZIP archive files have the same name as victims’ job titles taken from their LinkedIn profiles. For example if Linkedin’s member position is Account Manager, the malicious zip file would be titled Account Manager position (note the ‘position’ added to the end). Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs. Once loaded, the sophisticated backdoor can download additional malicious plugins and provide hands-on access to the victim’s computer – said cybersecurity firm eSentire’s Threat Response Unit in analysis. Furthermore, it can act as a conduit to retrieve additional payloads from an attacker-controlled server, such as banking trojans, ransomware, credential stealers, and even use the backdoor as a foothold in the victim’s network so as to exfiltrate data.
The Trojan also abuses legitimate Windows processes such as WMI to evade detection by traditional AV tools.
Campaigns delivering more_eggs using the same modus operandi have been spotted at least since 2018, with the backdoor attributed to a malware-as-a-service (MaaS) provider called Golden Chickens. The adversaries behind this new wave of attacks remain unknown, although more_eggs has been put to use by various cybercrime groups such as FIN6, Cobalt, and EvilNum in the past.
The group is thought to be taking advantage of the high number of COVID-19 redundancies to spread this email campaign.
Discord and Slack full of malware – just one network search turned up 20,000 virus results!
Abuse of collaboration applications is not a new phenomenon. Recent changes to employee workflows caused by the COVID-19 pandemic have led to an increased reliance upon communications platforms like Discord and Slack for conducting business. As predicted now they have been infiltrated by threat actors, who are abusing their legitimate functions to evade security and deliver info-stealers, remote-access trojans (RATs) and other malware.
Various RATs and stealers, including Agent Tesla, AsyncRAT, Formbook and others.
Why did cybercriminals move to collaboration applications?
One of the key challenges associated with malware delivery is making sure that the files, domains or systems don’t get taken down or blocked. Moving to collaborations apps attackers greatly have increased the likelihood that the malicious attachment reaches the end-user. Slack, Discord and other collaboration app platforms use content delivery networks (CDNs) to store the files shared back and forth within channels. Let’s use Slack as an example. Files can be uploaded to Slack, and users can create external links that allow the files to be accessed, regardless of whether the recipient even has Slack installed. And once it has evaded detection by security, it’s just a matter of getting the employee to think it’s genuine business communication, a task made easier within the confines of a collaboration app channel.
This also means attackers can deliver their malicious payload to the CDN over encrypted HTTPS, and that the files will be compressed, further disguising the content. Over the past year Tallos Intelligence Team – which conducted extensive research – observed many common compression algorithms being used, including .ACE, .GZ, .TAR and .ZIP, and several less common types, like .LZH.
CDNs are also handy tools for cybercriminals to deliver additional bugs with multi-stage infection tactics. The researchers saw this behaviour across malware, adding that one Discord CDN search turned up almost 20,000 results in VirusTotal. This technique was frequently used in campaigns associated with RATs, stealers and other types of malware typically used to retrieve sensitive information from infected systems.
Attackers turned the Discord API into an effective tool to exfiltrate data from the network. The C2 communications are enabled through webhooks, which were developed to send automated messages to a specific Discord server.
How to mitigate the risk?
Most organizations use a large number of communication tools. The most frequently used are email, collaboration and messaging platforms, web conferencing chats, and text messages on phones and tablets. In some cases, users communicate with different or sometimes the same people across multiple platforms. It is tiring and leads to lesser awareness of possible risk factors and vector attacks.
What do specialists recommend? Mark Kedgley, CTO at New Net Technologies proposes to focus on the least privileges, as it’s still too common for users to run with local admin rights. Many business solutions provide hardened settings to combat malware and phishing. But not enough organizations make use of them. That is why we should also put in place security controls – change control and vulnerability management.
EtterSilent maldoc builder mimics DocuSign and is used by top cybercriminal gangs
Hackers are using a malicious document builder named ‘EtterSilent’ to run their criminal schemes. As its popularity on underground forums increased, the developer kept improving it to avoid detection from security solutions.
Ads promoting EtterSilent maldoc builder have been published on underground forums, boasting features like bypassing Windows Defender, Windows AMSI (Antimalware Scan Interface), and popular email services, Gmail included.
It comes in two versions, according to the Intel 471 research. One exploits a vulnerability in Microsoft Office, CVE-2017-8570, and one uses a malicious macro.
One version of EtterSilent imitates the digital signature product DocuSign or DigiCert, though when targets click through to electronically sign documents, they are prompted to enable macros. This allows the attackers to target victims with malware.
Because it uses Excel 4.0 XML macros, EtterSilent does not depend on the Visual Basic for Applications (VBA) programming language, which is commonly seen with malicious macros.
Last month EtterSilent was used in a campaign that leveraged another tool, called Bazar loader. In a previous campaign that used EtterSilent, attackers dropped an updated version of Trickbot, a banking trojan. Others, using banking trojans BokBot, Gozi ISFB and QBot have also used EtterSilent, Intel 471 notes.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Xopero began in 2009, founded as a company serving primarily SMB users. Our goal was to create more accessible and affordable secure data protection solution for any businesses. In 2015, Xopero started cooperation with QNAP Inc. – one of the key global NAS providers. This addition expanded our portfolio to include a true backup appliance, In 2017, Xopero fully extended into global market thanks to cooperation with ESET. Our company took the place previously occupied by StorageCraft in the ESET Technological Alliance.