malware campaign Archives

AppWizard

February 24, 2025

Android App on Google Play Attacking Indian Users To Steal Login Credentials

A sophisticated Android malware campaign named "SpyLend" has infiltrated the Google Play Store, posing as a financial utility app called "Finance Simplified" (package: com.someca.count), targeting Indian users. Launched in February 2025, it has over 100,000 downloads. The app initially appears as a finance calculator but changes its interface based on user geolocation. For Indian users, it loads content from adv[.]rp5[.]org, redirecting them to unauthorized loan applications and external servers to download malicious APKs. SpyLend requests invasive permissions under the guise of identity verification, leading to harassment and blackmail of users. It exploits Android’s WebView API and a custom command-and-control (C2) server to retrieve loan application listings and exfiltrate device metadata. The malware captures clipboard data every three seconds, allowing it to steal sensitive information such as passwords and credit card details. The C2 infrastructure, located at 16[.]163[.]9[.]142, collects stolen SMS messages, call logs, and app lists, with evidence suggesting involvement of Chinese threat actors. Despite Google Play Protect, SpyLend can evade detection through real-time payload updates. Users are advised to review app permissions and avoid third-party APKs, while enterprises are encouraged to implement endpoint detection tools and blacklist certain indicators of compromise.

Tech Optimizer

February 19, 2025

Trojanized game PirateFi discovered on Steam

Free downloads from torrent trackers pose significant risks of malware, prompting security solutions to quarantine suspicious files. A recent incident involved the game PirateFi, which was removed from Steam after being flagged for harboring malware that stole browser cookies and compromised online accounts. The game attracted minimal attention, with around 1,500 downloads and reports of unauthorized transactions among players. Valve advised users to run security scans and suggested reformatting their operating systems, which confused many. The developers, Seaworth Interactive, raised suspicions due to their promotional tactics. Malware incidents on Steam are not new, with past cases like Dynostopia affecting players. Gamers are advised to avoid cheats, choose well-reviewed games, and install dedicated gaming antimalware for protection. Kaspersky Premium offers a gaming mode that minimizes interruptions during gameplay.

Tech Optimizer

November 29, 2024

8.8 Rated PostgreSQL Vulnerability Puts Databases at Risk

Cybersecurity researchers Tal Peleg and Coby Abrams from Varonis have identified a significant security vulnerability in PostgreSQL, designated as CVE-2024-10979, which has a CVSS severity score of 8.8. This vulnerability affects all PostgreSQL versions prior to 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. It allows unprivileged users to manipulate environment variables within the PostgreSQL PL/Perl extension, potentially enabling arbitrary code execution. PostgreSQL's advisory states that this flaw can lead to data theft or system takeover by altering sensitive process environment variables. Users are advised to update to the fixed versions and implement restrictions on allowed extensions and user permissions to mitigate the risk.

Winsage

November 7, 2024

New Winos4.0 Malware Targeting Windows via Fake Gaming Apps

Cybersecurity researchers at Fortinet’s FortiGuard Labs have identified a malware campaign named Winos4.0 that disguises itself as benign gaming applications targeting Microsoft Windows users. This malware framework is similar to threats like Cobalt Strike and Sliver. Users who download these applications inadvertently install Trojan horses that deploy the Winos4.0 framework, which has been found in various gaming-related tools. The malware appears to focus on the education sector, as indicated by its file description “校园政务” (Campus Administration). Winos4.0 is a re-engineered version of the Gh0stRat remote access trojan and consists of modular components for specific tasks. The attack begins with the retrieval of a BMP file from a remote server, leading to the extraction of a DLL file named “you.dll.” This file downloads additional files, including the main malicious file “libcef.dll,” which injects shellcode to establish a connection with a command and control (C2) server. The malware executes various tasks, such as monitoring system information and maintaining a connection to the C2 server. To protect against such threats, users are advised to download applications only from reputable sources, avoid third-party app stores, and scan new files before execution. Regular device scans are recommended, especially after downloading new content.

AppWizard

November 6, 2024

ToxicPanda Malware Targets Banking Apps on Android Devices

A new Android malware named "ToxicPanda" was first identified in late October 2024 and has been reclassified as a unique entity after initial classification under the TgToxic family. It poses a risk through account takeover via on-device fraud and primarily targets retail banking applications on Android devices. The malware has spread significantly in Italy, Portugal, Spain, and various Latin American regions, with over 1,500 devices reported as victims. ToxicPanda allows cybercriminals to gain remote access to infected devices, intercept one-time passwords, and bypass two-factor authentication. The threat actors are likely Chinese speakers, which is unusual for targeting European banking. The malware spreads through social engineering tactics, encouraging users to side-load the malicious app, and exploits Android’s accessibility services for elevated permissions. Cleafy’s analysis indicates that ToxicPanda's command-and-control infrastructure shows evolving operational strategies, and the malware may undergo further modifications. The challenges for security professionals are increasing as malware operators refine their tactics and expand their targets. Cleafy noted that contemporary antivirus solutions have struggled to detect ToxicPanda due to a lack of proactive, real-time detection systems.

Tech Optimizer

October 23, 2024

New Trojan.AutoIt.1443 Hits 28,000 Users via Game Cheats, Office Tool

Cybersecurity experts from Dr.Web have discovered a cyber attack involving Trojan.AutoIt.1443, targeting approximately 28,000 users primarily in Russia and neighboring countries. The malware disguises itself as legitimate applications and is spread through deceptive links on platforms like GitHub and YouTube, leading to password-protected downloads that evade antivirus detection. Key components of the malware include UnRar.exe and scripts named Iun.bat and Uun.bat, which facilitate its installation while erasing traces of activity. The malware scans for debugging tools, establishes network access via Ncat, and manipulates the system registry to maintain persistence. Its operations include cryptomining using SilentCryptoMiner and cryptostealing through a clipper tool that swaps cryptocurrency wallet addresses. The campaign has affected users drawn to pirated software, highlighting the risks of downloading from unverified sources.

AppWizard

September 6, 2024

Found: 280 Android apps that use OCR to steal cryptocurrency credentials

Researchers have identified over 280 malicious applications that exploit optical character recognition (OCR) technology to steal cryptocurrency wallet credentials from compromised Android devices. These apps, disguised as legitimate services, harvest sensitive information like text messages and images but are not found on Google Play, indicating distribution via phishing and dubious websites. The malware uses OCR to extract mnemonic phrases from images, making it easier for attackers to access cryptocurrency wallets. A McAfee researcher uncovered a server with stolen data due to poor security configurations, revealing the attackers' focus on capturing recovery phrases. The malware has evolved to use sophisticated communication methods and obfuscation techniques, complicating detection efforts. Initially targeting South Korea, the malware's recent emergence in the UK indicates a geographic expansion of its operations.

AppWizard

September 3, 2024

This malware disguises itself as a banking app to steal info from Android devices

A sophisticated malware campaign targeting mobile banking customers in Brazil has been identified by ThreatFabric, involving a group called DukeEugene. They use phishing emails to trick users into downloading a malicious Android application named Rocinante, which infiltrates devices to exfiltrate sensitive personal information. The data collected includes personally identifiable information (PII) through counterfeit login pages that mimic legitimate banking portals, capturing details such as device model, telephone number, CPF number, password, and account number. This information is organized and sent to a chat platform accessible to the criminals, enabling further fraudulent activities like wire fraud.

Winsage

August 16, 2024

Windows users hit by all-new advanced malware campaign

Criminal enterprises are targeting Chinese businesses using a Remote Access Trojan (RAT) called ValleyRAT, which can take control of infected Windows endpoints. Researchers at FortiGuard identified this malware, which poses a threat to sectors like ecommerce, finance, sales, and management. The initial breach often occurs through phishing tactics, with attackers distributing loaders disguised as Microsoft Office files. Once inside a system, ValleyRAT uses a multi-stage approach to execute components in memory, making detection difficult. The malware can monitor activities and deploy plugins based on the attackers' goals. The group behind these attacks is known as "Silver Fox," which has previously targeted Chinese organizations. In spring 2023, Weibu Online reported efforts to track Silver Fox, which used SEO poisoning to enhance the visibility of their phishing sites. While the origins of Silver Fox are unclear, some experts suggest they may be of Chinese descent. Businesses are advised to keep antivirus systems updated and educate employees about phishing risks to mitigate breaches.

AppWizard

August 7, 2024

Chameleon Android Banking Trojan Targets Users Through Fake CRM App

Cybersecurity experts have identified the Chameleon Android banking trojan, which is targeting Canadian businesses, particularly in the hospitality sector. Disguised as a Customer Relationship Management (CRM) application, the trojan began its campaign in July 2024, expanding its reach from previous targets in Australia, Italy, Poland, and the U.K. The malware is designed to exploit Business-to-Consumer (B2C) employees and can bypass security measures in Android 13 and later versions. Upon installation, it presents a fake login interface and prompts users with deceptive error messages to reinstall the app, which activates the trojan. Chameleon is capable of executing on-device fraud and can transfer funds from users' accounts while harvesting sensitive information such as credentials and geolocation data. If it compromises a device with access to corporate banking, it poses significant risks to organizations.