Check Point Research

AppWizard
October 3, 2024
Security experts at Check Point Research have warned Android users to examine their smartphones and recently installed applications due to a malicious app that stole approximately £54,000 from users. The fraudulent application, disguised as WalletConnect, was available on the official Google Play Store for over five months and was downloaded around 10,000 times. It drained digital currencies, including NFTs, by exploiting the trusted WalletConnect service and using fake reviews to appear legitimate. The attackers employed phishing techniques and smart contracts to deceive users into authorizing fraudulent transactions. Although Google has removed the app, users are advised to delete it if they suspect they have downloaded it. This incident highlights the sophistication of cybercriminal tactics in the decentralized finance sector, emphasizing the need for users to be cautious about the applications they download.
AppWizard
October 1, 2024
A cybersecurity firm identified a malicious application called WalletConnect – Airdrop Wallet in the Google Play Store, designed to steal cryptocurrency from users. The app evaded detection for over five months after its introduction in March 2024, targeting Android users and employing evasion techniques to appear legitimate. It exploited the credibility of the WalletConnect protocol and siphoned approximately ,000 (around 58.6 lakh) in cryptocurrency from victims. The app achieved over 10,000 downloads by using fake positive reviews and advanced crypto drainer toolkits to manipulate search rankings. Users were misled into connecting their wallets and directed to phishing sites, resulting in unauthorized transactions. Despite some negative reviews, the developers countered with fake positive feedback to maintain the app's appearance of legitimacy.
AppWizard
September 29, 2024
Check Point Research has identified the first crypto drainer app on the Play Store, which targeted mobile users by posing as a tool for connecting decentralized applications with user wallets. The app, which masqueraded as a client for the Web3 WalletConnect protocol, evaded detection for five months and was downloaded over 10,000 times before being removed. It resulted in the theft of at least 0,000. Once activated, the app directed users to a fraudulent website to verify their wallets and authorize transactions, allowing it to gather sensitive information and withdraw higher-value tokens first. Despite the limited number of identified victims, the app's presence raised concerns about the sophistication of cybercriminal tactics in the decentralized finance sector. Google’s Play Protect has been enhanced to prepare for future threats, and the Play Store is committed to eliminating low-quality apps as Android 15 approaches its release.
AppWizard
September 27, 2024
A fraudulent application named WalletConnect was discovered in the Google Play Store, designed to mislead web3 users by mimicking the legitimate WalletConnect protocol. The app, which gained over 10,000 installations, prompted users to connect their cryptocurrency wallets, leading them to authorize transactions that redirected them to a malicious website. This site collected sensitive information and executed token transfers from victims' wallets, marking the first instance of a "crypto drainer" targeting mobile device users. Despite Google Play Protect, the app remained on the Play Store for five months, resulting in approximately ,000 in stolen cryptocurrency before its removal. Users are advised to uninstall the app immediately.
Winsage
September 18, 2024
A vulnerability in Windows, tracked as CVE-2024-43461, has been reclassified as previously exploited after being used in attacks by the Void Banshee APT group to deploy information-stealing malware. Initially disclosed in September 2024, it was confirmed to have been exploited before the fix was issued. The flaw was discovered by Peter Girnus from Trend Micro, who noted that it was used in zero-day attacks alongside another vulnerability, CVE-2024-38112. The attacks involved malicious HTA files disguised as PDFs, utilizing braille whitespace characters to hide the true file extension. Following the security update, Windows now accurately displays the .hta extension, although the presence of whitespace may still mislead users. Microsoft also addressed three other actively exploited zero-days during the September Patch Tuesday.
Winsage
September 18, 2024
Microsoft has reclassified a bug from its September Patch Tuesday update as a zero-day vulnerability, designated CVE-2024-43461, which has been exploited by the threat group "Void Banshee" since before July. This vulnerability affects all supported versions of Windows and allows remote attackers to execute arbitrary code if a victim visits a malicious webpage or clicks an unsafe link. Initially rated 8.8 on the CVSS scale, Microsoft revised its assessment after discovering active exploitation linked to another vulnerability, CVE-2024-38112, which was patched in July 2024. To protect against CVE-2024-43461, Microsoft recommends applying patches from both the July and September updates. CISA added this flaw to its known exploited vulnerabilities database, setting an implementation deadline of October 7 for federal agencies. The vulnerability enables attackers to manipulate browser interfaces and has been used by Void Banshee to deploy Atlantida malware through deceptive files. The coordinated attack chain involving CVE-2024-43461 and CVE-2024-38112 exploits the legacy MSHTML engine, which remains in Windows for compatibility. A study indicated that over 10% of Windows 10 and 11 systems lack endpoint protection, increasing vulnerability to such exploits.
Winsage
September 18, 2024
Microsoft confirmed that the vulnerability CVE-2024-43461 in Internet Explorer was exploited as a zero-day before it could be patched. This flaw, rated 8.8 on the CVSS severity scale, allows attackers to obscure file-type extensions of downloaded files, potentially executing malicious code on users' systems. The vulnerability was reported by Peter Girnus from Trend Micro's Zero Day Initiative (ZDI) and was exploited by the malware-spreading group Void Banshee in conjunction with another vulnerability, CVE-2024-38112. The exploit chain involved using a specially crafted Windows Internet Shortcut file to trigger CVE-2024-43461, leading to the deployment of the Atlantida malware. Microsoft issued a patch for CVE-2024-38112 in July and confirmed the exploitation of CVE-2024-43461 prior to its patch in September. ZDI disclosed the file-type spoofing flaw on July 19, and Microsoft urged customers to apply both updates for comprehensive protection.
Winsage
August 18, 2024
Styx Stealer is a new malware identified by Check Point Research in April 2024, designed to steal cryptocurrency from Windows-based computers. It is a more advanced version of the earlier Phemedrone Stealer and exploits a resolved Windows vulnerability to hijack cryptocurrency transactions and extract sensitive data, including private keys and browser cookies. Styx features a crypto-clipping mechanism that monitors clipboard activity to replace copied wallet addresses with those of the attacker and can identify wallet addresses across nine blockchains, including Bitcoin and Ethereum. The malware is particularly effective against Chromium- and Gecko-based browsers and against data from browser extensions, Telegram, and Discord. Styx has an autorun capability and a user-friendly interface for cybercriminals, along with basic anti-analysis techniques to avoid detection. It is distributed via a Telegram account and a dedicated website, with a subscription model for access. At least 54 individuals have reportedly paid approximately ,500 in cryptocurrencies to the developer. The total amount stolen and the extent of infections caused by Styx remain unknown.
Winsage
August 17, 2024
Five actively exploited zero-day vulnerabilities were revealed during the recent Patch Tuesday, which have been added to the U.S. government's Known Exploited Vulnerability catalog. Check Point Research reported an enhanced variant of the Phemedrone Stealer targeting unpatched Windows PCs to steal cryptocurrency. Microsoft announced it would stop prompting Windows 10 users to upgrade to Windows 11, responding to user feedback. However, Microsoft has also shut down a popular workaround that allowed users to bypass Windows 11's hardware requirements. As Windows 10 security support nears its end, concerns grow over millions of users potentially lacking essential security updates. Feedback indicates frustration over the upgrade process and the financial burden of purchasing new computers. Canalys estimates that around 240 million PCs could become e-waste due to incompatibility with Windows 11.
Winsage
August 17, 2024
Check Point Research (CPR) has identified a new malware variant called Styx Stealer, which extracts sensitive information from users, including browser data, instant messaging sessions from Telegram and Discord, and cryptocurrency assets. Styx Stealer is linked to the developer Sty1x, associated with the threat actor Fucosreal and the Agent Tesla malware. An operational security failure by the developer led to the accidental leak of sensitive data, allowing CPR to trace the malware back to its creator. Styx Stealer inherits functionalities from Phemedrone Stealer, capable of extracting saved passwords, cookies, auto-fill data, and information from browser extensions and cryptocurrency wallets. It can also capture session data from Telegram and Discord, gather system information, and take screenshots. The malware features auto-start capabilities, clipboard monitoring, and enhanced evasion techniques, and is marketed through a subscription model. In March 2024, a spam campaign distributing a malicious TAR archive containing Agent Tesla malware targeted various industries. CPR identified 54 customers who purchased Styx Stealer and Styx Crypter products, generating approximately ,500 in revenue over two months, with payments accepted in cryptocurrencies like Bitcoin and Monero. Styx Stealer employs evasion techniques to avoid detection, including checks for debugging tools and virtual machine environments.