Saturday December 21, 2024

Advisory ID: NTR-061224-01

Summary: 

A new and sophisticated variant of banking malware called Grandoreiro, has been identified, targeting financial institutions and individuals globally. Grandoreiro has evolved with new features and capabilities since it first appeared around 2016. This malware is deployed via phishing emails and malicious websites masquerading as cryptocurrency trading platforms, aiming to steal sensitive financial credentials, perform unauthorised transactions, and exfiltrate cryptocurrency wallet keys.

The malware employs advanced obfuscation techniques to evade detection and uses phishing tactics to lure victims into downloading trojanized installers. These installers contain payloads capable of intercepting two-factor authentication codes and mimicking legitimate banking app activities. This report highlights technical details, IOCs, and actionable steps to mitigate the threat.

Damage/Probability: CRITICAL/HIGH

Platform(s): Finance Apps

Description: 

The new version of Grandoreiro has adopted a cryptographic technique known as Ciphertext Stealing (CTS). It aims to encrypt the malicious code strings. “Grandoreiro has a large and complex structure, which would make it easier for security tools or analysts to detect if its strings were not encrypted. This is likely why they introduced this new technique to complicate the detection and analysis of their attacks.

Grandoreiro operates and adopted new tricks such as the usage of Domain Generation Algorithms (DGAs) in its command and control (C&C) communications to hide its C&C servers, the adoption of Ciphertext Stealing Encryption (CTS) for advanced encryption, mouse behaviour tracking, advanced sandbox evasion codes, aiming to avoid detection. Key tactics include:

Delivery and Persistence: Delivered through spear-phishing emails with malicious links, it downloads as a Windows Installer (MSI) file. It executes embedded DLLs or VBS scripts to retrieve an encrypted payload, transitioning from XOR-based encryption to base64-encoded ZIP files. The malware registers itself on Windows startup for persistence.

Evasion Tactics: Grandoreiro employs advanced techniques to bypass security solutions like antivirus and banking security systems. These include sandbox evasion, binary padding with large BMP files, fraudulent digital certificates, and CAPTCHAs to impede automated analysis. Its C2 communications leverage Domain Generation Algorithms (DGAs) to hide C&C servers.

Encryption Enhancements: Adopting Ciphertext Stealing (CTS) encryption and robust anti-debugging methods in its loader phase complicates detection and analysis.

Credential Theft and Control: The malware monitors browser and email activity, collects host details, and hijacks clipboard content to replace cryptocurrency wallet addresses. Fake banking login screens capture credentials and 2FA codes, enabling attackers to control victims' accounts.

This highly adaptive malware remains a significant threat to financial institutions, combining credential theft, remote control capabilities, and evasion tactics to execute fraudulent activities undetected.

Consequences: 

The discovered malware poses severe risks to both individuals and organizations:

  • Financial loss arising from unauthorized transactions and stolen cryptocurrency assets.
  • Data compromise, as leaked credentials can be sold or reused for broader attacks.
  • In addition to financial theft, Grandoreiro can capture personal information that may be used for identity theft or sold on the dark web.
  • Operational disruption, as persistent infections may hinder IT operations and require extensive remediation.
  • Increased phishing exposure, as users redirected to fraudulent cryptocurrency websites may fall victim to further scams.

Solution:  

The following steps are preventive measures that you could advise your constituents on to protect their infrastructure.

For Organizations:

  • Educate employees on phishing attacks and safe browsing practices to reduce risks. 

  • Deploy advanced endpoint protection solutions that are confirmed to be effective against Grandoreiro and other similar malware.

  • Ensure all systems have up-to-date antivirus solutions.

  • Block access to known malicious and suspicious domains.

  • Regularly update all software, operating systems, and third-party applications to mitigate exploitation risks.

  • Enforce strong password policies and implement multi-factor authentication (MFA) wherever possible.

  • For Individuals:

  • Only interact with verified and legitimate cryptocurrency platforms. Check the domain authenticity before entering sensitive information.

  • Refrain from downloading installers or files from untrusted sources.

  • Use updated security solutions on personal devices.

  • Review financial and cryptocurrency accounts regularly for unauthorized activities.

  • Keep encrypted backups of wallet keys and other sensitive data in offline storage.

References:

Advisory ID: NCC-CSIRT-081124-013

Summary: 

Andromeda, also known as Gamarue is a modular (can download additional malicious modules or payloads based on the attacker's instructions) malware that spreads through phishing and infected websites, enabling attackers to control systems, steal data, and distribute other malware. Despite being disrupted in 2017, updated versions still appear in cyberattacks, posing an ongoing threat.

Damage/Probability: CRTICAL/HIGH

Platform(s): Windows Operating Systems

Description: 

Andromeda malware spreads through phishing emails, malicious attachments, and compromised websites, disguising itself as legitimate software. Once executed, it installs on the target system, avoiding detection through obfuscation and encryption. The malware then connects to command-and-control servers to receive instructions, allowing it to download additional malicious modules like keyloggers or ransomware. Andromeda ensures persistence by modifying system settings and creating tasks to remain active after reboot. Infected systems become part of a botnet, used for DDoS attacks, data theft, and other malicious activities. Its modular and adaptable nature allows it to evolve and continue operating even after takedown efforts.

Consequences: 

Andromeda malware can cause data theft, system compromise, spread additional malware, and disrupt operations, leading to financial losses and privacy breaches.

Solution: 

To mitigate this threat, you are advise to carry out the following:

  • Avoid opening unexpected email attachments and use email filters to block malicious files.
  • Keep systems and software patched to prevent Andromeda exploitation.
  • Provide regular cybersecurity training to help employees identify and avoid phishing, suspicious downloads, and social engineering tactics.
  • Employ comprehensive antivirus or anti-malware software that can detect and remove Andromeda malware and other threats.
  • Use advanced email filtering to block phishing emails and attachments, preventing malware delivery.
  • Monitor network traffic for unusual activity, particularly communications with suspicious IP addresses or command and control (C&C) servers.
  • Disable unnecessary services, ports, and protocols that could be exploited by the malware to maintain communication with its C&C servers.
  • Regularly back up important data and systems to ensure recovery in case of malware infection and minimize data loss.
  • If a system is suspected of being infected, isolate it from the network to prevent further spread of the malware.
  • Deploy End point Detection and Response (EDR) solutions to continuously monitor and analyze endpoint activity for signs of malware infections and suspicious behavior.
  • After removing the malware, restore all altered system configurations, tasks, and registry keys to their original state.

References:

Advisory ID: NCC-CSIRT-311024-012

Summary: 

Zimperium’s zLabs team has discovered a new variant of vishing (voice phishing) malware known as FakeCall. This evolved malware manipulates voice calls by impersonating trusted institutions, tricking users into revealing sensitive information like credit card numbers and banking credentials.

Damage/Probability: CRTICAL/HIGH

Platform(s): Android Operating Systems

Description: 

Researchers report that FakeCall malware infiltrates Android devices by hijacking call functions. The attack typically starts when a user downloads a seemingly harmless APK file (the Android application package format), which acts as a "dropper" to install the main malware. Once active, FakeCall can intercept and manipulate both outgoing and incoming calls, all under the control of a command-and-control (C2) server that covertly directs actions on the device. The malware even mimics a legitimate call interface, making it difficult for users to detect the deception. Moreover, attackers have been known to employ signing keys, allowing the malware to bypass security defenses more effectively.

Consequences: 

The malware exploits mobile-specific features like voice and SMS to gain unauthorized control over the compromised devices. Its advanced tools heighten risks of data theft, privacy breaches, and financial loss, highlighting the need for strong mobile security measures.

Solution: 

To mitigate this threat, you are advise to carry out the following:

  • Avoid downloading APKs from unofficial sources.
  • Use trusted app stores like the Google Play Store.
  • Employ mobile threat detection tools to verify app legitimacy.
  • Limit app permissions, especially for call and messaging functions.
  • Install and regularly update robust mobile antivirus software.
  • Keep Android devices and apps updated to the latest versions.
  • Implement network security to monitor and block command-and-control (C2) traffic.
  • Conduct regular device audits for suspicious activity.
  • Use mobile threat defense solutions to detect and remove malware.
  •  Enable multifactor authentication (MFA) for sensitive app access..

References:

Advisory ID: NCC-CSIRT-170924-010

Summary: 

PlugX is a sophisticated Remote Access Trojan (RAT) known for targeting critical infrastructure, including telecommunications. It enables attackers to remotely control infected systems, infiltrate sensitive data, disrupt network operations, and maintain long-term access to telecom systems. The malware typically spreads through phishing campaigns and exploited vulnerabilities.

Damage/Probability: CRTICAL/HIGH

Platform(s): Windows, Linux, Network Devices, and Telecom Infrastructure systems

Description: 

PlugX malware is typically deployed via phishing emails containing malicious attachments or by exploiting network vulnerabilities. These emails are crafted to deceive users into opening infected files or clicking on links that exploit unpatched vulnerabilities within network systems. In addition to phishing, PlugX can be spread through watering hole attacks, drive-by downloads, or by leveraging network security flaws, making it a versatile and highly adaptable threat.

Once deployed, it allows threat actors to remotely control infected systems, steal data, disrupt services, and create backdoors for future attacks. Its stealth and persistence make it challenging to detect, posing a significant risk to critical telecom infrastructure.

Consequences: 

If the threat occur, the following outcomes may occur:

  • Data Exfiltration:Loss of sensitive user and corporate data.
  • Service Disruption:Downtime or interruptions to telecom services.
  • Network Manipulation: Unauthorized control of network devices and systems.

Solution: 

To mitigate this threat, you are advise to carry out the following:

  • Apply security patches to all network devices and systems regularly.
  • Enhance endpoint security and network monitoring for suspicious activities.
  • Implement email filtering to block phishing emails.
  • Conduct regular cybersecurity awareness training for staff.
  • Enforce network segmentation and access controls.
  • Perform vulnerability assessments and incident response drills.

References:

Advisory ID: ngCERT-2024-0034

Summary: 

ngCERT is issuing an urgent security alert regarding the dangers and risks associated with expired Secure Socket Layer (SSL) certificates, which are increasingly observed within Nigerian cyberspace. SSL is essential for web services as it ensures end-to-end encrypted communication between client and server over the Internet. However, if an SSL certificate on the server side expires, this secure communication is compromised, exposing users to cyber threats. Malicious actors can exploit this vulnerability to execute phishing attacks and Man-in-the-Middle (MitM) attacks, among others, leading to data breaches, data theft, reputational damage, financial losses, and Denial of Service (DoS) attacks. Given these risks, users are advised to renew expired SSL certificates and implement other recommended mitigation steps.

Threat Type(s): Vulnerability

Impact/Vulnerability: CRITICAL/HIGH

Product(s): SSL Certificates

Platform(s): Web Applications

Version(s): All Versions

Description: 

SSL certificates verify the identity of a website owner while enabling secure and encrypted connections for users accessing the server. When an SSL certificate expires, it can no longer ensure a secure connection, exposing organizations to potential attack vectors. Expired SSL certificates are particularly vulnerable to Man-in-the-Middle (MitM) attacks, where an attacker intercepts and eavesdrops on client-server communications, potentially hijacking requests to the web application. This could lead to the theft or alteration of sensitive data. Additionally, cybercriminals might create phishing websites that imitate legitimate sites with expired SSL certificates, using similar URLs to deceive unsuspecting users into divulging sensitive information for malicious purposes.

Consequences: 

Exploitation of the aforesaid flaw could result in:

  1. Unauthorized access
  2. Data breaches and exfiltration
  3. Financial losses
  4. Denial of Service (DoS) attack
  5. Reputational damage 

Solution:  

To mitigate this risk, the following actions are recommended:

  • Immediate Renewal: Renew the expired SSL certificate and install it on the server to re-enable secure communication.
  • Implement Certificate Monitoring: Deploy an automated SSL certificate monitoring system that alerts administrators 30, 15, and 7 days before certificate expiration. This ensures ample time for renewal.
  • Establish Renewal Procedures: Set up a robust process for SSL certificate management, with clear timelines and ownership to avoid missed renewals in the future. Consider using certificate management tools or platforms that automate renewals.
  • Conduct Regular Security Audits: Schedule periodic audits of all SSL certificates across the system to identify any upcoming expirations and ensure all certificates are up to date.
  • User Notification and Trust Restoration: Notify affected users of the issue, informing them that the SSL certificate has been renewed and that secure access has been restored.
  • Review Compliance Requirements: Verify that the expired SSL certificate did not result in any non-compliance issues with relevant security regulations or industry standards. Update documentation and records as necessary to demonstrate renewed compliance.

References:

  1. SSH Transport Protocol Vulnerability
  2. Ransomware Groups Targeting Critical Systems in Nigeria
  3. Hackers Exploit a New Windows Vulnerability to Perform a Zero-Day Attack on Disable Internet Explorer
  4. A New Phishing Technique Evades Security Measures on Apple and Android Devices to Steal Banking Credentials

Page 1 of 21