Daily NCSC-FI news followup 2022-01-05

New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification

thehackernews.com/2022/01/new-zloader-banking-malware-campaign.html An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and a nine-year-old flaw concerning Microsoft’s digital signature verification to siphon user credentials and sensitive information. Israeli cybersecurity company Check Point Research, which has been tracking the sophisticated infection chain since November 2021, attributed it to a cybercriminal group dubbed Malsmoke, citing similarities with previous attacks. “The techniques incorporated in the infection chain include the use of legitimate remote management software (RMM) to gain initial access to the target machine,” Check Point’s Golan Cohen said in a report shared with The Hacker News. “The malware then exploits Microsoft’s digital signature verification method to inject its payload into a signed system DLL to further evade the system’s defenses.” The campaign is said to have claimed 2,170 victims across 111 countries as of January 2, 2022, with most of the affected parties located in the U.S., Canada, India, Indonesia, and Australia. It’s also notable for the fact that it wraps itself in layers of obfuscation and other detection-evasion methods to elude discovery and analysis.

Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk

research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/ Last seen in August 2021, Zloader, a banking malware designed to steal user credentials and private information, is back with a simple yet sophisticated infection chain. Previous Zloader campaigns, which were seen in 2020, used malicious documents, adult sites and Google ads to infect systems. Evidence of the new campaign was first seen around early November 2021. The techniques incorporated in the infection chain include the use of legitimate remote management software (RMM) to gain initial access to the target machine. The malware then exploits Microsoft’s digital signature verification method to inject its payload into a signed system DLL to further evade the system’s defenses. This evidence shows that the Zloader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis.

iOS malware can fake iPhone shut downs to snoop on camera, microphone

www.bleepingcomputer.com/news/security/ios-malware-can-fake-iphone-shut-downs-to-snoop-on-camera-microphone/ Researchers have developed a new technique that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and receive sensitive data via a live network connection. Historically, when malware infects an iOS device, it can be removed simply by restarting the device, which clears the malware from memory. However, this technique hooks the shutdown and reboot routines to prevent them from ever happening, allowing malware to achieve persistence as the device is never actually turned off. Because this attack, which the researchers call “NoReboot,” does not exploit any flaws in iOS and instead relies on human-level deception, it cannot be patched by Apple.

NY OAG: Hackers stole 1.1 million customer accounts from 17 companies

www.bleepingcomputer.com/news/security/ny-oag-hackers-stole-11-million-customer-accounts-from-17-companies/ The New York State Office of the Attorney General (NY OAG) has warned 17 well-known companies that roughly 1.1 million of their customers have had their user accounts compromised in credential stuffing attacks. In such attacks, threat actors make automated and repeated attempts (millions at a time) to access user accounts using credentials (usually user/password pairs) stolen from other online services. This tactic works particularly well against the accounts of those who reuse their credentials across multiple platforms. The attackers’ end goal is to gain access to as many accounts as possible to steal the associated personal and financial information that can be sold on hacking forums or the dark web. The threat actors can also use the info themselves in various identity theft scams or make unauthorized purchases.

‘Elephant Beetle’ spends months in victim networks to divert transactions

www.bleepingcomputer.com/news/security/elephant-beetle-spends-months-in-victim-networks-to-divert-transactions/ A financially motivated actor dubbed ‘Elephant Beetle’ is stealing millions of dollars from organizations worldwide using an arsenal of over 80 unique tools and scripts. The group is very sophisticated and patient, spending months studying the victim’s environment and financial transaction processes, and only then moving to exploit flaws in the operation. The actors inject fraudulent transactions into the network and steal small amounts over long periods, leading to an overall theft of millions of dollars. If they are spotted, they lay low for a while and return through a different system. The expertise of ‘Elephant Beetle’ appears to be in targeting legacy Java applications on Linux systems, which is typically their entry point to corporate networks. The actor’s TTPs are exposed in a detailed technical report which the Sygnia Incident Response team shared with Bleeping Computer before publication.

US Police Warn of Parking Meters with Phishing QR Codes

www.bitdefender.com/blog/hotforsecurity/us-police-parking-meters-phishing-qr-codes/ In a hurry to park your car? Don’t want to fumble around in your pocket to find cash for the parking meter, and don’t have the correct payment app installed on your phone? Well, think carefully before rushing to scan the payment QR code stuck on the side of the meter – it may well be an attempt by fraudsters to phish your financial information. Police are warning that they have discovered bogus QR codes stuck onto public parking meters across Austin, Texas – a city where parking meters don’t display QR codes, and only accept payment via coins, cards or a smartphone app.

Customer support scammers take aim at NFT enthusiasts

blog.malwarebytes.com/scams/2022/01/customer-support-scammers-take-aim-at-nft-enthusiasts/ Adidas has been making waves in the NFT space with a collection of footwear/bored ape crossover sales. Demand was bound to be high among people who collect these things. As a result, Adidas tried to limit the number of sales to two per person. This is along the same lines as trying to prevent bid sniping on eBay, or ticket scalpers purchasing huge numbers of tickets then selling them on at huge profit. See also: console purchase shenanigans. When the idea of scarcity is built into what you’re selling, it makes sense that you’d want to give anyone interested a fair chance to buy the item(s) on sale. Unfortunately, as with all the best laid plans, things went sideways very quickly once the sale opened. When you see what approximates to an apology thread, you know something’s gone wrong. The question is: what?

Remember Norton 360’s bundled cryptominer? Irritated folk realise Ethereum crafter is tricky to delete

www.theregister.com/2022/01/05/norton_360_cryptominer_deletion/ Norton antivirus’s inbuilt cryptominer has re-entered the public consciousness after a random Twitter bod expressed annoyance at how difficult it is to uninstall. The addition of Ncrypt.exe, Norton 360’s signed cryptocurrency-mining binary, to installations of Norton antivirus isn’t new but it seems to have taken the non-techie world a few months to realise what’s going on. Back in June, NortonLifeLock, owner of the unloved PC antivirus product, declared it was offering Ethereum mining as part of its antivirus suite. NortonLifeLock’s pitch, as we reported, was that people dabbling in cryptocurrency mining probably weren’t paying attention to security so what better way than to take up a cryptocurrency miner than installing one from a trusted consumer security brand?

Sweden Launches Psychological Defense Agency To Counter Disinformation

www.forbes.com/sites/emmawoollacott/2022/01/05/sweden-launches-psychological-defense-agency-to-counter-disinformation/ Sweden has created a new government agency dedicated to fighting disinformation, particularly from foreign governments such as Russia, China and Iran. The Swedish Psychological Defense Agency, based in Karlstad and with an office in Solna, will be headed by director general Henrik Landerholm, a former ambassador, and will have 45 staff. It will work with academics, the military and the media, and will offer support to regions, companies and organisations within the country. The aim is to identify, analyze and respond to ‘inappropriate influences’ and other misleading information.
