Advisory ID: NCC-CSIRT-2025-016
Summary:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding ongoing attacks targeting Cisco ASA and Firepower devices, urging organizations to identify, analyse, and patch critical vulnerabilities immediately. The flaws allow unauthenticated remote code execution, privilege escalation, and firmware manipulation to maintain persistence even after reboots or upgrades.
The exploitation, linked to the ArcaneDoor (Storm-1849) threat group, has already compromised at least ten organizations worldwide, including several U.S. federal agencies. CISA noted that attackers have demonstrated the ability to tamper with read-only memory components since 2024.
Damage/Probability: High/Critical
Product(s):
- Cisco Adaptive Security Appliance (ASA) / ASA-based firewall software
- Cisco Firepower / Firepower Threat Defense (FTD) appliances
- End-of-support or legacy Cisco firewall hardware
Version(s):
- Cisco ASA / ASA firmware versions (across supported and unsupported releases)
- Cisco Firepower / FTD software versions
- Legacy ASA hardware reaching end-of-support (e.g. certain 5500-X series)
Platform(s):
On-premises firewall and network edge infrastructure running Cisco ASA / Firepower; management and web services exposed via VPN/web services interfaces.
Description:
Through its Emergency Directive, CISA has officially recognized a “widespread” exploitation campaign targeting Cisco ASA and Firepower devices. (Cybersecurity Dive) The exploited vulnerabilities (notably CVE-2025-20333, CVE-2025-20362, and, in some disclosures, CVE-2025-20363) allow attackers to obtain unauthenticated remote code execution, escalate privileges, and, critically, tamper with internal device firmware (read-only memory modules) so that malware or implants survive reboots and upgrades.
In practice, the attacker chain might proceed as follows:
- Use CVE-2025-20333 to gain unauthenticated remote code execution on a vulnerable ASA / ASA-web services interface.
- Use CVE-2025-20362 (privilege escalation) or other methods to gain full administrative/root privileges.
- Modify ROM / firmware or boot components to embed malicious implants (e.g., replacing or altering ROMMON) so that control is retained across reboots, firmware upgrades, and factory resets.
- Use the compromised firewall as a pivot point into internal networks, intercept or redirect traffic, or exfiltrate data.
Cisco itself has indicated that attackers utilized advanced evasion techniques, disabling logging, crashing devices to prevent diagnostic analysis, intercepting CLI commands, and tampering with boot mechanisms.
CISA’s directive notes that some ASA devices will reach end-of-support on 30 September 2025, and mandates their full decommissioning. The directive also mandates forensic core dumps, assessments of compromise, removal of compromised devices, upgrade or replacement of vulnerable systems, and reporting to CISA.
Impacts:
- Complete compromise of firewall appliances, enabling attackers to intercept, reroute, or modify network traffic
- Persistence even after firmware upgrades/reboots, making detection and cleanup extremely difficult
- Lateral movement into downstream systems and network segments
- Exfiltration of sensitive data, credential theft, internal espionage
- Disruption of network security controls or denial of service
- Reputational, regulatory, and compliance fallout for organizations relying on affected infrastructure
Solutions:
- Immediately inventory all Cisco ASA and Firepower / FTD devices in use, especially those with VPN or web services enabled.
- Decommission / permanently disconnect ASA hardware that reaches or passes end-of-support (particularly those that go end-of-support on 30 Sept 2025).
- For supported devices, immediately upgrade firmware/software to Cisco’s patched versions (apply latest updates and subsequent releases within 48 hours of availability).
- Reset device configurations: treat all configurations, credentials, certificates, and keys as potentially compromised. Rebuild or reconfigure from scratch where possible after patching.
- Segregate/restrict access: management and administrative interfaces should be accessible only from trusted internal networks or VPN tunnels; ensure no exposure to the public internet if not strictly necessary.
- Monitor logs, traffic, and anomalies: flag unexpected firmware integrity deviations, abnormal traffic flows, or CLI/admin changes.
- Report inventory, actions taken, and outcomes to the relevant oversight authority (for U.S. federal: to CISA) by the required deadline (by Oct 2, 2025, for inventory).
- Engage in threat hunting and retrospective audits to identify whether lateral movement or secondary compromises have occurred.
What Organizations Should Do
Ensure that critical firewall and network infrastructure devices aren’t being overlooked; these are high-value targets.
- Maintain an up-to-date inventory of network edge devices, firmware versions, and support status.
- Subscribe to vendor security advisories and threat intelligence feeds; act on zero-day alerts quickly.
- Introduce firmware integrity checks or attestation mechanisms where feasible.
- Enforce the principle of least privilege and restrict management channel access.
- Periodically rehearse incident response, including the isolation and replacement of compromised infrastructure.
Train administrators to recognise signs of firmware/ROM tampering, as well as anomalies in firewall behaviour.
References:
- https://www.techradar.com/pro/security/us-government-tells-agencies-to-patch-cisco-firewalls-immediately-or-face-attack?utm_source=chatgpt.com
- https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-cisco-flaws-exploited-in-zero-day-attacks/?utm_source=chatgpt.com
- https://www.reuters.com/legal/litigation/us-sounds-alarm-over-hackers-targeting-cisco-security-devices-2025-09-25/?utm_source=chatgpt.com
- https://www.axios.com/2025/09/25/us-agencies-cisco-firewalls-hacks-breaches?utm_source=chatgpt.com
Advisory ID: ngCERT-2025-080006
SUMMARY
The Avalanche botnet infrastructure has been identified as one of the largest global network hosting infrastructures, used by cyber criminals to run phishing and malware campaigns as well as money mule scams. Successful malware infections have resulted in theft of sensitive data, ransomware attacks, deployment of banking trojans and execution of distributed denial-of-service (DDoS) attacks through compromised systems. Although the Avalanche botnet was taken down by foreign law enforcement agencies in 2016, recent investigations revealed traces of the malware infections impacting some systems and IP addresses within Nigeria. Consequently, individuals and organizations are advised to put safeguards in place to mitigate the risks associated with the Avalanche botnet infrastructure and other malware threats.
Damage: Critical
Probability: High
Platform(s): Windows, web browsers, and email platforms
DESCRIPTION
The Avalanche botnet gives its operators an extra layer of protection against take-down and domain blocking, provides malware hosting and distribution services, supports numerous phishing operations, and enables the deployment of DoS attacks and various money laundering schemes. The network uses DNS techniques to hide cybercrime behind an ever-changing network of compromised hosts (systems) acting as proxies. Threat actors send spam emails impersonating trustworthy organisations, which serve as click-bait for victims to install the malicious software attached to the emails. Thereafter, the malware steals personal information, such as passwords and credit card details, and grants cybercriminals remote access to the infected computer.
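The ever-changing proxy layer described above is a fast-flux pattern: one domain resolves to many compromised hosts, spread over unrelated networks, with TTLs short enough that blocking any single address achieves little. The following added example (not part of the ngCERT advisory) scores constructed passive-DNS records against that heuristic; the record format, the use of /16 prefixes as a stand-in for ASN diversity, and the thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS observations, one per line:
# "<ISO timestamp> <domain> <record type> <rdata> <ttl seconds>".
# pay-verify.example rotates through many hosts in unrelated /16s with
# short TTLs (fast-flux shape); static.cdn.example has several IPs but all
# in one prefix; mail.corp.example is a single stable address.
SAMPLE_PDNS = """\
2025-08-10T10:00:00 pay-verify.example A 203.0.113.17 300
2025-08-10T10:05:00 pay-verify.example A 198.51.100.5 300
2025-08-10T10:10:00 pay-verify.example A 192.0.2.44 180
2025-08-10T10:15:00 pay-verify.example A 203.0.113.200 300
2025-08-10T10:20:00 pay-verify.example A 100.64.3.9 240
2025-08-10T10:25:00 pay-verify.example A 172.16.8.8 300
2025-08-10T10:30:00 pay-verify.example A 10.20.30.40 120
2025-08-10T10:35:00 pay-verify.example A 100.64.77.2 300
2025-08-10T10:00:00 static.cdn.example A 198.51.100.10 60
2025-08-10T10:10:00 static.cdn.example A 198.51.100.11 60
2025-08-10T10:20:00 static.cdn.example A 198.51.100.12 60
2025-08-10T10:30:00 static.cdn.example A 198.51.100.13 60
2025-08-10T10:00:00 mail.corp.example A 192.0.2.7 3600
2025-08-10T11:00:00 mail.corp.example A 192.0.2.7 3600
"""

def summarise(text):
    """Per domain: set of A-record IPs, set of /16 prefixes, minimum TTL."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None})
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, domain, rtype, rdata, ttl = line.split()
        if rtype != "A":
            continue  # only address records feed this heuristic
        s = stats[domain]
        s["ips"].add(rdata)
        # /16 stands in for ASN diversity, which real pDNS tooling would use
        s["prefixes"].add(str(ip_network(rdata + "/16", strict=False)))
        ttl = int(ttl)
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats

def find_fast_flux(text, min_ips=5, min_prefixes=3, max_ttl=300):
    """Flag domains that combine many addresses, spread over unrelated
    networks, with TTLs short enough to rotate them quickly. CDNs and
    anycast services can have many addresses too, so prefix spread and
    TTL together, not address count alone, drive the decision."""
    hits = []
    for domain, s in summarise(text).items():
        if (len(s["ips"]) >= min_ips and len(s["prefixes"]) >= min_prefixes
                and s["min_ttl"] <= max_ttl):
            hits.append((domain, len(s["ips"]), len(s["prefixes"]), s["min_ttl"]))
    return sorted(hits)
```

A hit is a lead for blocking or sinkholing the domain rather than its current addresses, which is the point the advisory's description makes about this infrastructure.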
CONSEQUENCES
A successful malware installation and attack process could result in:
- System compromise.
- Unauthorised access to sensitive data.
- Theft of user credentials and other sensitive data.
- Ransomware attacks.
- System takeover.
- Financial loss.
- DDoS attacks.
SOLUTION/MITIGATION
The following are recommended:
- Avoid downloading or opening attachments in emails received from unknown sources or unexpectedly from trustworthy users.
- Ensure that the assets/systems’ operating system, software, antivirus, and plugins are updated.
- Block known-malicious external IP addresses at the network perimeter.
- Activate built-in security features on endpoint devices which scan malware applications.
- Implement stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solutions, endpoint detection and response solutions, and anti-malware software.
- Enforce a strong password policy and implement regular password changes.
- Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.
HYPERLINK
- https://www.cisa.gov/news-events/alerts/2016/12/01/avalanche-crimeware-service-infrastructure
- https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Botnetz-Avalanche/botnet-avalanche_node.html
- https://www.dataleaklawyers.co.uk/blog/avalanche-largest-cybercriminal-phishing-network-dismantled
Advisory ID: NCC-CSIRT-2025-015
Summary:
The NCC-CSIRT has been notified of critical security vulnerabilities in a wide range of software products. These vulnerabilities, if exploited, could allow attackers to compromise systems, disrupt critical communications, and gain unauthorized access to enterprise and government networks.
These vulnerabilities affect Google Chrome, Microsoft Edge, IBM enterprise solutions, and Asterisk VoIP systems. Exploitation of these flaws could allow attackers to execute arbitrary code, perform remote denial-of-service (DoS) attacks, steal sensitive data, and compromise critical communication and enterprise systems.
Damage/Probability: High/Critical
Product(s):
- Google Chrome
- Microsoft Edge
- IBM Enterprise Products (Cognos Command Center, Cognos Dashboards on Cloud Pak for Data, Db2 Bridge, QRadar SIEM & Incident Forensics, Sterling Connect, Sterling External Authentication Server, Sterling Secure Proxy, WebSphere Remote Server)
- Asterisk VoIP Software
Version(s):
- Google Chrome: Versions earlier than 139.0.7258.154 on Linux; Versions 139.0.7258.154 and .155 on Windows and macOS
- Microsoft Edge: Versions before 139.0.3405.125
- Asterisk: 18.26.x prior to 18.26.4, 18.9-cert1x prior to 18.9-cert17, 20.15.x prior to 20.15.2, 21.10.x prior to 21.10.2, 22.5.x before 22.5.2
- IBM Products: Multiple enterprise solutions (as listed above)
Platform(s):
Linux, Windows, macOS, cloud-based deployments, enterprise environments with IBM products, VoIP/PBX systems.
Description:
This advisory is based on a security alert issued by the French National Cybersecurity Agency (ANSSI) through its CERT-FR, received by the Office of the National Security Adviser (ONSA). The alert details multiple critical vulnerabilities:
Google Chrome & Microsoft Edge: Vulnerabilities in outdated versions that could allow attackers to exploit browsers as entry points into enterprise and government systems.
IBM Enterprise Products: Multiple critical flaws across various IBM software solutions, exposing organizations to unauthorized access and system compromise.
Asterisk VoIP Software: Multiple versions were found vulnerable, enabling attackers to trigger remote DoS attacks, potentially disrupting VoIP and PBX operations.
These vulnerabilities carry significant risks, especially considering that web browsers remain primary attack vectors for cybercriminals. Exploitation could enable attackers to bypass security controls, disrupt communication, or gain unauthorized access to sensitive systems.
Impacts:
- Unauthorized access to enterprise and personal systems
- Service disruption of critical communication infrastructure (VoIP, PBXs)
- Compromise of financial and operational data through IBM enterprise products
- Potential large-scale cyberattacks leveraging browsers as entry points
Solutions:
- Immediately apply the latest security patches released by Google, Microsoft, IBM, and Asterisk for the affected products.
- Ensure that systems running vulnerable versions are updated to the recommended versions or later.
- Conduct vulnerability scans and continuous monitoring of enterprise systems to detect and mitigate exploitation attempts.
- Educate staff and system administrators on the heightened risks associated with outdated browsers and enterprise applications.
- Strengthen endpoint protection, including web filtering and intrusion detection systems, to prevent initial access through compromised browsers.
References:
Advisory ID: ngCERT-2025-080004
SUMMARY
ngCERT is aware of the discovery of “Cobalt Strike Beacon” malware in Nigerian cyberspace. Cobalt Strike Beacon is the central payload of the commercial Cobalt Strike red-team framework, originally designed for penetration testing but increasingly abused by threat actors. The Beacon is a versatile and stealthy implant that provides attackers with command-and-control (C2) capabilities, post-exploitation tools, and the ability to persist in target networks. Its modularity, encryption features, and ability to mimic legitimate traffic make it one of the most commonly observed payloads in advanced cyber intrusions. While a legitimate security tool, Cobalt Strike has been weaponized by ransomware operators, state-backed advanced persistent threats (APTs), and financially motivated cybercriminals. Its widespread misuse has made it a critical security concern for governments, enterprises, and research institutions worldwide.
Probability: High
Damage: Critical
Platform(s): Windows, Linux, macOS
DESCRIPTION
Cobalt Strike Beacon is a memory-resident, modular post-exploitation implant built for stealthy, persistent C2 within enterprise environments. It supports multiple communication protocols, including HTTP/S, DNS tunneling, SMB named pipes, and peer-to-peer channels, which allow it to blend into normal network traffic. Beacon traffic is encrypted and obfuscated, often using customized C2 profiles that mimic legitimate web applications and services, complicating detection by traditional network security tools. The Beacon offers a wide range of post-exploitation capabilities, including process injection, privilege escalation, credential dumping, keylogging, file transfer, lateral movement, and persistence mechanisms. It can also dynamically load additional modules, execute PowerShell commands, and deliver secondary payloads such as ransomware. Its sleep and jitter functions enable it to remain dormant for extended periods, awakening at randomized intervals to avoid detection. This adaptability makes it a highly effective and dangerous tool for prolonged network intrusions.
CONSEQUENCES
A successful Beacon deployment may lead to:
- Covert Command-and-Control: Secure, stealthy communications that evade intrusion detection.
- Data Theft: Exfiltration of sensitive organizational data, intellectual property, and credentials.
- Privilege Escalation & Lateral Movement: Compromise of multiple systems and network segments.
- Ransomware Deployment: Used as an entry vector by ransomware groups (e.g., LockBit, Conti).
- Operational Disruption: Prolonged undetected presence leading to costly incident response and downtime.
SOLUTION/MITIGATION
To mitigate the risks, ngCERT recommends the following:
- Deploy Endpoint Detection and Response (EDR) with behaviour-based detection.
- Monitor network traffic for anomalies like DNS tunneling and suspicious SMB or HTTP/S activity.
- Enforce least privilege access controls to limit attacker movement and privilege escalation.
- Implement Multi-Factor Authentication (MFA) to protect accounts from credential theft.
- Keep systems and applications patched and up to date to close vulnerabilities.
- Conduct proactive threat hunting using memory and process analysis to identify hidden activity.
- Train users on phishing awareness and block malicious delivery methods like macros or loaders.
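The sleep/jitter behaviour described above, together with the recommendation to monitor network traffic for suspicious HTTP/S activity, is the basis for a callback-rhythm check. This added example (not ngCERT's code) groups connections per client/destination pair in constructed proxy-log lines and flags pairs whose inter-arrival times are too regular for human traffic; the log format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed proxy log, one connection per line:
# "<ISO timestamp> <client> <destination host>".
# 10.0.0.5 calls cdn-updates.example every ~60 s with about 20 % jitter
# (the shape of a Beacon sleep/jitter setting); 10.0.0.7 is bursty browsing.
SAMPLE_LOG = """\
2025-08-10T09:00:00 10.0.0.5 cdn-updates.example
2025-08-10T09:00:52 10.0.0.5 cdn-updates.example
2025-08-10T09:02:01 10.0.0.5 cdn-updates.example
2025-08-10T09:02:59 10.0.0.5 cdn-updates.example
2025-08-10T09:04:05 10.0.0.5 cdn-updates.example
2025-08-10T09:04:55 10.0.0.5 cdn-updates.example
2025-08-10T09:06:03 10.0.0.5 cdn-updates.example
2025-08-10T09:07:00 10.0.0.5 cdn-updates.example
2025-08-10T09:00:10 10.0.0.7 news.example
2025-08-10T09:00:12 10.0.0.7 news.example
2025-08-10T09:00:13 10.0.0.7 news.example
2025-08-10T09:03:40 10.0.0.7 news.example
2025-08-10T09:03:41 10.0.0.7 news.example
2025-08-10T09:15:02 10.0.0.7 news.example
2025-08-10T09:15:09 10.0.0.7 news.example
2025-08-10T09:30:00 10.0.0.7 news.example
"""

def parse_log(text):
    """Group connection timestamps by (client, destination)."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        pairs[(client, dest)].append(datetime.fromisoformat(ts))
    return pairs

def interval_stats(times):
    """Return (median_gap, cv) for a list of datetimes. cv is stdev/mean of
    the inter-arrival gaps: bounded jitter around a fixed sleep gives a
    small cv, human browsing a large one."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return median(gaps), (pstdev(gaps) / avg if avg > 0 else float("inf"))

def find_beacons(text, min_events=6, max_cv=0.3):
    """Return [(client, dest, median_gap_s, cv)] for pairs whose callback
    rhythm is regular enough to review. Legitimate updaters and monitoring
    agents also poll on a schedule, so check hits against an allowlist;
    a larger jitter setting raises cv, so tune max_cv to observed traffic."""
    hits = []
    for (client, dest), times in parse_log(text).items():
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        med, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append((client, dest, round(med, 1), round(cv, 3)))
    return hits
```

The same grouping works on DNS query logs for the DNS-tunneling channel the advisory mentions, with the queried parent domain as the destination.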
HYPERLINK
- https://softhandtech.com/is-beacon-a-malware/
- https://hunt.io/glossary/c2-beaconing
- https://vercara.digicert.com/resources/dns-beacons
- https://hunt.io/blog/rust-beacon-cobalt-strike-cat-south-korea
Advisory ID: NCC-CSIRT-2025-014
Summary:
A sophisticated and dangerous Android banking trojan, known as "Hook," is being actively distributed to target users of banking, financial, and cryptocurrency applications. Hook is designed to steal credentials and Personally Identifiable Information (PII) through overlay attacks and has evolved to include capabilities for full remote device takeover, data exfiltration, and ransomware-like features. The primary infection vector is social engineering, tricking users into installing malicious applications from unofficial sources.
Damage/Probability: High/Critical
Product(s):
Android Mobile Devices and Applications (Banking, Financial, and Cryptocurrency Apps)
Version(s):
All versions of Android OS (targeted via malicious apps)
Platform(s):
Android OS
Description:
The Hook trojan operates by masquerading as a legitimate application, such as a utility tool, system update, or a popular app. Once installed, it persistently requests the user to grant it powerful permissions, specifically targeting Android's Accessibility Services.
Upon receiving these permissions, Hook gains the ability to:
- Perform Overlay Attacks: When a user opens a targeted banking or financial app, Hook displays a fake, identical-looking login screen over the real app. The user unknowingly enters their credentials into this malicious window, which are then captured and sent to the attacker's server.
- Act as a Remote Access Tool (RAT): Attackers can establish a remote connection to the infected device, view the screen in real-time, simulate screen taps, log keystrokes, and navigate the device's user interface.
- Intercept Communications: The malware can read SMS messages, allowing it to bypass Two-Factor Authentication (2FA) codes sent via text.
- Exfiltrate Files: Hook can browse the device's file system and steal sensitive documents, photos, and other personal data.
Impacts:
A successful infection by the Hook trojan can lead to severe consequences, including:
- Direct Financial Loss: Unauthorized access to bank accounts, leading to theft of funds.
- Data Breach: Theft of sensitive personal information, including login credentials for multiple services, contacts, and private files.
- Identity Theft: The stolen information can be used to impersonate the victim and open fraudulent accounts.
- Complete Device Compromise: Attackers can gain full control over the device, using it for further malicious activities.
- Ransomware Attack: The trojan can lock the device's screen and demand a ransom payment for its release.
Solutions:
All Android users are strongly advised to adopt the following security measures to protect against this threat:
Immediate User Actions:
- Restrict App Sources: Only install applications from the official Google Play Store. Disable the "Install from unknown sources" option in your Android settings.
- Scrutinize Permissions: Be extremely cautious of any application requesting Accessibility Service permissions. These permissions grant extensive control over your device and should only be given to fully trusted applications from reputable developers.
- Enable Google Play Protect: Ensure this built-in security feature is active on your device.
- Update Regularly: Keep your Android operating system and all installed applications updated to the latest versions to ensure you have the most recent security patches.
- Practice Phishing Awareness: Do not click on suspicious links or download attachments from unknown senders in emails, SMS, or messaging apps.
- Use a Mobile Security Solution: Install a reputable antivirus or anti-malware application from a known security vendor.
If an Infection is Suspected:
- Immediately disconnect the device from all networks (Wi-Fi and Mobile Data).
- Boot the device into Safe Mode to prevent third-party apps from running and attempt to uninstall the malicious application.
- If the malicious app cannot be removed, a full factory reset is the most reliable method to ensure the malware is completely eradicated. Note that this will erase all data on the device.
- After securing your device, immediately change the passwords for your banking, email, and other critical online accounts from a separate, trusted device.
References:
- https://zimperium.com/blog/hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities
- https://blog.polyswarm.io/hook-android-banking-trojan-evolves
- https://thehackernews.com/2025/08/hook-android-trojan-adds-ransomware.html
- https://www.scworld.com/brief/more-sophisticated-hook-android-banking-trojan-emerges