modus operandi

Winsage
March 7, 2025
The Akira ransomware group has demonstrated its ability to bypass Endpoint Detection and Response (EDR) tools by exploiting an unsecured webcam. In 2024, Akira was responsible for 15% of ransomware incidents addressed by the S-RM team. The group typically gains access through remote access solutions and uses tools like AnyDesk.exe. In a recent attempt to deploy ransomware on a Windows server, their initial effort was thwarted by EDR detection. Subsequently, they conducted an internal network scan and targeted a vulnerable webcam, which lacked EDR protection. By compromising the webcam, Akira deployed Linux-based ransomware to encrypt files across the victim’s network. This incident highlights the need for organizations to patch and manage IoT devices, audit networks for vulnerabilities, implement network segmentation, and monitor IoT traffic for anomalies.
AppWizard
February 25, 2025
Cybersecurity researchers discovered a predatory loan application called SpyLoan on the Google Play Store, which targeted Indian consumers and achieved around 100,000 downloads before being removed. The app presented itself as a financial management tool but required extensive permissions, accessing sensitive user information. User reviews indicated experiences of blackmail and low loan amounts. SpyLoan falsely claimed affiliation with a registered non-banking financial company and redirected users to download a separate loan application from an external site, circumventing some Google safeguards. Google confirmed the app's removal and stated that Android devices are protected against known malware through Google Play Protect.
Winsage
February 18, 2025
Researchers from Trend Micro's Threat Hunting team have identified a cyberattack campaign by the APT group Earth Preta, targeting government entities in the Asia-Pacific region, including Taiwan, Vietnam, Malaysia, and Thailand. The group uses spear-phishing emails and advanced malware to compromise Windows systems, notably employing the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into legitimate processes. The attack typically begins with a malicious file, IRSetup.exe, which drops both legitimate and malicious files onto the system, often accompanied by a decoy PDF posing as an official document. Earth Preta utilizes a modified variant of the TONESHELL backdoor malware, sideloaded using OriginLegacyCLI.exe and a malicious DLL, EACore.dll. This malware communicates with a command-and-control server for data exfiltration and remote operations, offering capabilities such as reverse shell access, file deletion, and persistent storage of victim identifiers. The malware adapts its behavior based on the presence of ESET antivirus software, using different techniques for code injection. Trend Micro attributes this campaign to Earth Preta with medium confidence, noting that the group has compromised over 200 victims since at least 2022, primarily focusing on government entities and using phishing as the initial attack vector.
Winsage
February 13, 2025
Microsoft has warned that the Russian hacking group Sandworm's BadPilot unit has shifted its focus from Ukraine to targets in the United States, the United Kingdom, Canada, and Australia. BadPilot operates as an "initial access operation," breaching networks to establish footholds for further exploitation. Over the past three years, their targeting has evolved from Ukraine to a broader range of English-speaking Western nations. The group has targeted various sectors, including energy, telecommunications, and international governments, using known vulnerabilities in software such as Microsoft Exchange and Fortinet's security tools. They install software for persistent access and have been linked to disruptive cyber operations, including the NotPetya malware attack. Currently, there are no indications that BadPilot plans to escalate its activities beyond espionage.
AppWizard
December 3, 2024
A recent investigation by McAfee identified 15 SpyLoan Android malware apps on Google Play, which collectively received over 8 million installs, mainly targeting users in South America, Southeast Asia, and Africa. These apps disguised themselves as legitimate financial tools, enticing users with false promises of quick loan approvals. Upon installation, users were required to validate their location and submit sensitive personal information. The malware harvested extensive data from users' devices, including SMS messages, GPS locations, and contact lists. Users who secured loans faced high-interest payments and harassment from the operators, who sometimes contacted the borrowers' family members. Notable apps included Préstamo Seguro-Rápido and Préstamo Rápido-Credit Easy, each with 1,000,000 downloads. Despite Google's app review processes, these malicious apps evaded detection. Users are advised to read reviews, check developer reputations, limit app permissions, and activate Google Play Protect.
AppWizard
November 30, 2024
A recent investigation by McAfee revealed the existence of 15 SpyLoan applications on Google Play, which have collectively received over 8 million installs, primarily targeting users in South America, Southeast Asia, and Africa. These apps were removed from the Play Store following their discovery, but they highlight ongoing challenges in addressing digital threats. The last significant cleanup of similar SpyLoan applications occurred in December 2023, when over a dozen apps with 12 million downloads were taken down. SpyLoan applications pose as legitimate financial tools, offering misleading loan approvals and coercing users to provide sensitive personal information after validating their identity through a one-time password. They exploit device permissions to access extensive sensitive information, including contact lists, SMS messages, and location data, which are used in extortion schemes. Users who secure loans often face high-interest repayments and harassment from operators, with some scammers contacting borrowers' family members for further pressure. The eight most popular SpyLoan applications include:

- Préstamo Seguro-Rápido, Seguro - 1,000,000 downloads (Mexico)
- Préstamo Rápido-Credit Easy - 1,000,000 downloads (Colombia)
- ได้บาทง่ายๆ-สินเชื่อด่วน - 1,000,000 downloads (Senegal)
- RupiahKilat-Dana cair - 1,000,000 downloads (Senegal)
- ยืมอย่างมีความสุข – เงินกู้ - 1,000,000 downloads (Thailand)
- เงินมีความสุข – สินเชื่อด่วน - 1,000,000 downloads (Thailand)
- KreditKu-Uang Online - 500,000 downloads (Indonesia)
- Dana Kilat-Pinjaman kecil - 500,000 downloads (Indonesia)

Despite Google's app review mechanisms, SpyLoan applications continue to evade detection. Users are advised to read reviews, check the developer's reputation, limit app permissions, and activate Google Play Protect to mitigate risks.
AppWizard
October 7, 2024
Google is launching a pilot initiative in India to automatically block the sideloading of potentially unsafe Android applications. This initiative includes an enhanced fraud protection feature that aims to protect users from malicious apps installed from non-official sources. The program has already been tested in Singapore, Thailand, and Brazil, successfully preventing nearly 900,000 high-risk installations. It analyzes app permissions in real time and blocks installations that may misuse sensitive permissions often exploited for financial fraud. The pilot will start next month and will be implemented across all Android devices using Google Play services in India. Developers are encouraged to review their app permissions to align with best practices. This initiative follows the launch of DigiKavach in India, aimed at combating online financial fraud and scams.
Tech Optimizer
September 26, 2024
Illegal movie sites pose a significant risk to internet users due to the potential for malware infections. A report from Mandiant has identified a new malware called Peaklight, which targets individuals downloading pirated content. Peaklight operates solely in a computer's memory, leaving no trace on the hard drive, making it difficult for traditional antivirus programs to detect. The malware is activated when users download a Windows shortcut file (LNK) disguised as a movie download, which connects to a content delivery network (CDN) to execute harmful JavaScript code and a PowerShell script known as PEAKLIGHT. This script communicates with a remote server to download additional malicious software. Mandiant researchers note that Peaklight is part of a multi-stage execution chain that checks for ZIP archives in specific file paths before downloading more harmful content. To protect against malware, users are advised to avoid pirated content, keep their operating systems and software updated, use strong antivirus software, be cautious of suspicious links and files, utilize strong passwords and two-factor authentication, and be wary of compressed files.
AppWizard
September 25, 2024
Google's Android operating system has been compromised by a variant of the Necro Trojan malware, which has infiltrated several applications, including modded versions of WhatsApp and Spotify. Kaspersky identified the Necro Trojan, first discovered in 2019, as a significant threat that infects devices through compromised apps, downloads additional malicious payloads, and can enroll devices in subscription services without user consent. Among the affected legitimate apps on the Google Play Store are the Wuta Camera app, with 10 million downloads, and Max Browser, with over 1 million downloads. Both have been removed by Google, and users are advised to uninstall them. The malware has also been found in various modded gaming apps. The attack has primarily affected Android users in Russia, Brazil, and Vietnam, and the number of infected devices may be higher than reported due to unverified downloads.