modus operandi

Winsage
February 18, 2025
Researchers from Trend Micro's Threat Hunting team have identified a cyberattack campaign by the APT group Earth Preta, targeting government entities in the Asia-Pacific region, including Taiwan, Vietnam, Malaysia, and Thailand. The group uses spear-phishing emails and advanced malware to compromise Windows systems, notably employing the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into legitimate processes. The attack typically begins with a malicious file, IRSetup.exe, which drops both legitimate and malicious files onto the system, often accompanied by a decoy PDF posing as an official document. Earth Preta utilizes a modified variant of the TONESHELL backdoor malware, sideloaded using OriginLegacyCLI.exe and a malicious DLL, EACore.dll. This malware communicates with a command-and-control server for data exfiltration and remote operations, offering capabilities such as reverse shell access, file deletion, and persistent storage of victim identifiers. The malware adapts its behavior based on the presence of ESET antivirus software, using different techniques for code injection. Trend Micro attributes this campaign to Earth Preta with medium confidence, noting that the group has compromised over 200 victims since at least 2022, primarily focusing on government entities and using phishing as the initial attack vector.
Winsage
February 13, 2025
Microsoft has warned that the Russian hacking group Sandworm's BadPilot unit has shifted its focus from Ukraine to targets in the United States, the United Kingdom, Canada, and Australia. BadPilot operates as an "initial access operation," breaching networks to establish footholds for further exploitation. Over the past three years, their targeting has evolved from Ukraine to a broader range of English-speaking Western nations. The group has targeted various sectors, including energy, telecommunications, and international governments, using known vulnerabilities in software such as Microsoft Exchange and Fortinet's security tools. They install software for persistent access and have been linked to disruptive cyber operations, including the NotPetya malware attack. Currently, there are no indications that BadPilot plans to escalate its activities beyond espionage.
AppWizard
December 3, 2024
A recent investigation by McAfee identified 15 SpyLoan Android malware apps on Google Play, which collectively received over 8 million installs, mainly targeting users in South America, Southeast Asia, and Africa. These apps disguised themselves as legitimate financial tools, enticing users with false promises of quick loan approvals. Upon installation, users were required to validate their location and submit sensitive personal information. The malware harvested extensive data from users' devices, including SMS messages, GPS locations, and contact lists. Users who secured loans faced high-interest payments and harassment from the operators, who sometimes contacted the borrowers' family members. Notable apps included Préstamo Seguro-Rápido and Préstamo Rápido-Credit Easy, each with 1,000,000 downloads. Despite Google's app review processes, these malicious apps evaded detection. Users are advised to read reviews, check developer reputations, limit app permissions, and activate Google Play Protect.
AppWizard
November 30, 2024
A recent investigation by McAfee revealed the existence of 15 SpyLoan applications on Google Play, which have collectively received over 8 million installs, primarily targeting users in South America, Southeast Asia, and Africa. These apps were removed from the Play Store following their discovery, but they highlight ongoing challenges in addressing digital threats. The last significant cleanup of similar SpyLoan applications occurred in December 2023, when over a dozen apps with 12 million downloads were taken down. SpyLoan applications pose as legitimate financial tools, offering misleading loan approvals and coercing users to provide sensitive personal information after validating their identity through a one-time password. They exploit device permissions to access extensive sensitive information, including contact lists, SMS messages, and location data, which are used in extortion schemes. Users who secure loans often face high-interest repayments and harassment from operators, with some scammers contacting borrowers' family members for further pressure. The eight most popular SpyLoan applications include:

- Préstamo Seguro-Rápido, Seguro: 1,000,000 downloads (Mexico)
- Préstamo Rápido-Credit Easy: 1,000,000 downloads (Colombia)
- ได้บาทง่ายๆ-สินเชื่อด่วน: 1,000,000 downloads (Senegal)
- RupiahKilat-Dana cair: 1,000,000 downloads (Senegal)
- ยืมอย่างมีความสุข – เงินกู้: 1,000,000 downloads (Thailand)
- เงินมีความสุข – สินเชื่อด่วน: 1,000,000 downloads (Thailand)
- KreditKu-Uang Online: 500,000 downloads (Indonesia)
- Dana Kilat-Pinjaman kecil: 500,000 downloads (Indonesia)

Despite Google's app review mechanisms, SpyLoan applications continue to evade detection. Users are advised to read reviews, check the developer's reputation, limit app permissions, and activate Google Play Protect to mitigate risks.
AppWizard
October 7, 2024
Google is launching a pilot initiative in India to automatically block the sideloading of potentially unsafe Android applications. This initiative includes an enhanced fraud protection feature that aims to protect users from malicious apps installed from non-official sources. The program has already been tested in Singapore, Thailand, and Brazil, successfully preventing nearly 900,000 high-risk installations. It analyzes app permissions in real-time and blocks installations that may misuse sensitive permissions often exploited for financial fraud. The pilot will start next month and will be implemented across all Android devices using Google Play services in India. Developers are encouraged to review their app permissions to align with best practices. This initiative follows the launch of DigiKavach in India, aimed at combating online financial fraud and scams.
Tech Optimizer
September 26, 2024
Illegal movie sites pose a significant risk to internet users due to the potential for malware infections. A report from Mandiant has identified a new malware called Peaklight, which targets individuals downloading pirated content. Peaklight operates solely in a computer's memory, leaving no trace on the hard drive, making it difficult for traditional antivirus programs to detect. The malware is activated when users download a Windows shortcut file (LNK) disguised as a movie download, which connects to a content delivery network (CDN) to execute harmful JavaScript code and a PowerShell script known as PEAKLIGHT. This script communicates with a remote server to download additional malicious software. Mandiant researchers note that Peaklight is part of a multi-stage execution chain that checks for ZIP archives in specific file paths before downloading more harmful content. To protect against malware, users are advised to avoid pirated content, keep their operating systems and software updated, use strong antivirus software, be cautious of suspicious links and files, utilize strong passwords and two-factor authentication, and be wary of compressed files.
AppWizard
September 25, 2024
Google's Android operating system has been compromised by a variant of the Necro Trojan malware, which has infiltrated several applications, including modded versions of WhatsApp and Spotify. Kaspersky identified the Necro Trojan, first discovered in 2019, as a significant threat that infects devices through compromised apps, downloads additional malicious payloads, and can enroll devices in subscription services without user consent. Among the affected legitimate apps on the Google Play Store are the Wuta Camera app, with 10 million downloads, and Max Browser, with over 1 million downloads. Both have been removed by Google, and users are advised to uninstall them. The malware has also been found in various modded gaming apps. The attack has primarily affected Android users in Russia, Brazil, and Vietnam, and the number of infected devices may be higher than reported due to unverified downloads.
Tech Optimizer
August 24, 2024
A new strain of malware, PG_MEM, is targeting internet-exposed PostgreSQL databases and could infect around 800,000 of them, primarily in the United States and Poland. It gains unauthorized access by brute-forcing weak passwords, installs files that commandeer database resources for cryptocurrency mining, and evades detection. The reliance on password guessing highlights weaknesses in password management. Many organizations expose their PostgreSQL databases to the internet due to misconfigurations and inadequate identity controls. The first half of 2024 has seen a 400% increase in such cryptojacking attacks, indicating a growing trend in exploiting database vulnerabilities.
Tech Optimizer
August 23, 2024
Researchers have identified a new malware strain called PG_MEM that targets PostgreSQL databases for cryptocurrency mining. It uses brute-force techniques to guess weak database credentials, allowing attackers to execute arbitrary shell commands on the host system. The malware exploits improperly configured PostgreSQL databases and utilizes the COPY… FROM PROGRAM SQL command to run malicious payloads, including PG_MEM and PG_CORE, from a remote server. The primary goal is to mine Monero cryptocurrency, but attackers can also steal data and control the compromised server. The attack primarily affects internet-facing PostgreSQL databases with weak passwords due to misconfigurations.