Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Threats

Trojan subscribers represent a time-honored method of relieving Android users of their hard-earned cash. They infiltrate a smartphone under the guise of useful apps and secretly subscribe to paid services. More often than not, the subscription itself is genuine, only the user most likely does not need the service. The creators of such Trojans make money on commission; that is, they receive a certain percentage of what the user spends. In this case, funds are usually deducted from a cell phone account, although in some schemes they can be debited directly from a bank card. Here are the most notable examples of the mobile Trojan subscribers that Kaspersky experts have observed in the past year.

Paid subscriptions and confirmation codes in text messages

Trojans from the Jocker family usually get distributed through Google Play. Cybercriminals modify genuinely useful apps by adding malicious code to them and uploading them to the store under a different name. These could be, for example, apps for text messaging, monitoring blood pressure, or scanning documents. Google Play moderators try to identify such apps, but new ones pop up faster than they can remove those already found.

[Image: Some of the apps in Google Play that were infected with the Jocker Trojan subscriber]

Now let's look at how Trojan subscribers work. In a normal situation, to subscribe to a service, a user has to go to the content provider's site and click or tap the Subscribe button. To counter automated subscription attempts, service providers ask the user to confirm their intention by entering a code sent in a text. But malware from the Jocker family can bypass this method of protection. After the infected app gets onto the device, in many cases it asks the user for access to text messages. Next, the Trojan opens the subscription page in an invisible window, simulates the tapping of the Subscribe button, steals the confirmation code from the text message, and freely subscribes. In cases where the app functionality does not require access to texts (why give it to a document-scanning app, for example?), Trojan subscribers from the Jocker family request access to notifications. This makes it possible to steal the confirmation code as before, but this time from pop-up notifications about incoming messages.

How Trojan subscribers bypass CAPTCHA

Trojans from the MobOk family are a bit more sophisticated. They not only steal confirmation codes from texts or notifications, but also bypass CAPTCHA, another means of protection against automated subscriptions. To recognize the code in the picture, the Trojan sends it to a special service; last year we investigated the operation of click farms that provide CAPTCHA recognition services. In other respects, it operates similarly to Trojans from the Jocker family. In several cases, MobOk was distributed as the payload of the Triada Trojan, most often through pre-installed apps on some smartphone models, unofficial WhatsApp modifications, or the APKPure alternative app store. Sometimes MobOk-infected apps can be found on Google Play as well.

Trojan subscribers from unofficial sources

Malware from the Vesub family is also distributed through dubious sources under the guise of apps that are banned from official stores for one reason or another, for example masquerading as apps for downloading content from YouTube or fellow streaming services Tubemate or Vidmate, or as an unofficial Android version of GTA5. In addition, they can appear in these same sources as free versions of popular, expensive apps, such as Minecraft.

[Image: Trojan subscriber Vesub disguised as Tubemate, Vidmate, GTA5, Minecraft or the somewhat mysterious GameBeyond]

Unlike malware from the MobOk and Jocker families, Vesub-infected applications often do nothing useful for the user at all. Immediately after installation, they take out an unsolicited subscription and hide the relevant windows from the user while showing an app loading window on the surface. In some cases there's something useful inside the app infected with MobOk, but these are rare exceptions.

Login by phone number

GriftHorse.ae Trojans are even less fancy. When run for the first time, they ask the user to enter their phone number, seemingly for login purposes. The subscription is issued as soon as the user enters it and taps the Log In button, and the money is debited from their mobile account. This malware usually presents itself as an app for recovering deleted files, editing photos or videos, blinking the flashlight on incoming calls, navigation, document scanning, translation, and so on. In reality the infected apps offer nothing useful at all.

Autopay subscriptions

Despite the similar name, GriftHorse.l subscribers use a different scheme: they employ subscriptions with recurring payments. Formally this happens with the user's direct consent, but victims may not realize they are signing up for regular automatic payments. The second trick is to make the first payment insignificant, with later charges being noticeably more substantial. We've already examined a similar scheme as illustrated by fake sites offering subscriptions to training courses. In this case the mechanics are roughly the same, but implemented inside the app. The Trojan is distributed largely through Google Play, and the money is debited directly from a bank card, with payment information being requested to gain access to the content.

How not to fall victim to scammers

Figuring out how to cancel an unwanted paid subscription can be very tricky. So, as ever, prevention is better than cure. Here's what we recommend to guard against Trojan subscribers:

First of all, do not install apps from unofficial sources. This will greatly improve the security of your device.

Official sources are way better, but unfortunately not 100% safe either. Therefore, before downloading an app from Google Play or another store, be sure to check out the reviews and ratings. Also look at the date when the app appeared on the platform. Stores proactively remove dangerous fakes, so scammers are forever creating new versions of infected apps. So if an app you want showed up in the store only recently, be wary of it.

Give apps minimal access to your device. Before allowing an app to read your texts or notifications, for example, ask yourself if it really needs to.

Install a reliable mobile antivirus. This will protect your phone from all digital nasties, including Trojan subscribers.


 News

Welcome to episode 249 of the Transatlantic Cable. This week, the team look at some of the more interesting stories in the cybersecurity world. To start, Dave and Jeff look at a concerning story regarding REvil, the infamous ransomware gang that was, until recently, thought to be shut down. The story looks at signs that all might not be as it seems and rumblings that the gang may be about to make a return. From there, they discuss a story around a DeFi hack and how the platform, Fei Protocol, is offering a cool $10 million to return the stolen funds. From there, things get decidedly strange: the first story looks at stalking using Apple AirTags, something that's becoming increasingly common. The next story takes a look at recent news that Russia and America are training dolphins for underwater missions (there's a reference to Austin Powers here, I know it), and the final story looks at how hackers could potentially cause harm through the hacking of love robots. Yes, really. If you like what you heard, please do consider subscribing.

REvil ransomware returns: New malware sample confirms gang is back
Rari Fuze hacker offered $10M bounty by Fei Protocol to return $80M loot
Tennessee family visiting Disney World says Apple AirTag used to track them
Russia deploys trained dolphins at Black Sea naval base
Could Hackers Program Sex Robots To Kill?

 Identity Theft, Fraud, Scams

The modified live streams make the original video smaller and put a frame around it advertising malicious sites that it claims will double the amount of cryptocurrency you send them.

 Malware and Vulnerabilities

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices. In total, these two bulletins mention three critical vulnerabilities, two of which only concern Pixel users.

 Trends, Reports, Analysis

A new report by the UK's National Cyber Security Centre (NCSC) has warned of the threats posed by malicious apps. The NCSC's technical director, Ian Levy, said there was "more for app stores to do" on security.

 Identity Theft, Fraud, Scams

The site offers “tweaked apps”, apparently available with a single click and requiring “no jailbreak, no root.” There’s an OnlyFans Premium, Netflix Premium, a Pokemon Go Spoofer Injector, and many more.

 Identity Theft, Fraud, Scams

Regardless of the script they’re following, scammers will say you’ll receive a link on your phone via SMS. They will then ask you not to click the link but merely take a screenshot and send the image back to them.

 Feed

Ubuntu Security Notice 5405-1 - It was discovered that jbig2dec incorrectly handled memory when parsing invalid files. An attacker could use this issue to cause jbig2dec to crash, leading to a denial of service. It was discovered that jbig2dec incorrectly handled memory when processing untrusted input. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.

 Feed

Craft CMS version 3.7.36 suffers from a password reset poisoning vulnerability. An unauthenticated attacker who knows valid email addresses or account names of Craft CMS backend users is able to manipulate the password reset functionality such that the registered users of the CMS receive password reset emails containing a malicious password reset link.

 Feed

Ubuntu Security Notice 5259-2 - USN-5259-1 fixed several vulnerabilities in Cron. This update provides the corresponding update for Ubuntu 18.04 LTS. It was discovered that the postinst maintainer script in Cron unsafely handled file permissions during package install or update operations. An attacker could possibly use this issue to perform a privilege escalation attack.

 Feed

CTBLocker ransomware looks for and executes DLLs in its current directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and, if not, grabs the current process ID and terminates the process. We do not need to rely on hash signatures or third-party products, as the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.

 Feed

Cerber ransomware looks for and executes DLLs in its current directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and, if not, grabs the current process ID and terminates the process. We do not need to rely on hash signatures or third-party products, as the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.

 Feed

LockerGoga ransomware looks for and loads a DLL named "wow64log.dll" in Windows\System32. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. Four processes are created. For instance, there is "imtvknqq9737.exe" running under AppData\Local\Temp; the process name is "imtvknqq" plus an appended random number. Our exploit DLL will simply display a Win32 API message box and call exit(). The exploit DLL must export the "InterlockedExchange" function or it fails with an error. We do not need to rely on hash signatures or third-party products, as the malware's own flaw will do the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective, you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.

 Feed

Red Hat Security Advisory 2022-1739-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the containers for the release.

 Feed

Cryptowall ransomware looks for and executes DLLs in its current directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and, if not, grabs the current process ID and terminates the process. We do not need to rely on hash signatures or third-party products; the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.

 Feed

REvil ransomware looks for and executes DLLs in its current directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and, if not, grabs the current process ID and terminates the process. We do not need to rely on hash signatures or third-party products; the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.

 Feed

Radamant ransomware tries to load a DLL named "PROPSYS.dll" and execute a hidden PE file "DirectX.exe" from the AppData\Roaming directory. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and, if not, grabs the current process ID and terminates the process. We do not need to rely on hash signatures or third-party products, as the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.

 Feed

Cryptolocker ransomware drops a PE file in the AppData\Roaming directory which then tries to load a DLL named "netapi32.dll". Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and, if not, grabs the current process ID and terminates the process. We do not need to rely on hash signatures or third-party products, as the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.

 Feed

Google has released monthly security patches for Android with fixes for 37 flaws across different components, one of which is a fix for an actively exploited Linux kernel vulnerability that came to light earlier this year. Tracked as CVE-2021-22600 (CVSS score: 7.8), the vulnerability is ranked "High" for severity and could be exploited by a local user to escalate privileges or deny service. The

 Feed

A pay-per-install (PPI) malware service known as PrivateLoader has been spotted distributing a "fairly sophisticated" framework called NetDooka, granting attackers complete control over the infected devices. "The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (

 Feed

The China-based threat actor known as Mustang Panda has been observed refining and retooling its tactics and malware to strike entities located in Asia, the European Union, Russia, and the U.S. "Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report detailing

 Feed

Cybersecurity researchers have discovered a new Windows malware with worm-like capabilities and is propagated by means of removable USB devices. Attributing the malware to a cluster named "Raspberry Robin," Red Canary researchers noted that the worm "leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL." The earliest signs of the activity are said to
