Advisory ID: NCC-CSIRT-200224-005
Summary:
Group-IB researchers have uncovered a novel Android and iOS malware called 'GoldPickaxe,' which utilizes social engineering tactics to deceive users into scanning their faces and ID documents. These materials are suspected to be utilized for generating deepfakes to gain unauthorized access to banking services. The methods employed by this malware have the potential to be effective on a global scale, posing a risk of adoption by other strains of malware.
Threat Type(s): Malware, Social Engineering, Phishing, and Smishing
Impact/Vulnerability: HIGH/HIGH
Product(s): Android and iOS Mobile Devices
Platform(s): Android, iOS Operating Systems
Version(s): All Versions.
Description:
As per the researchers' findings, individuals targeted by the GoldPickaxe malware receive phishing or smishing messages via the LINE app, often in their native language, posing as government entities or services. These messages aim to deceive recipients into installing deceptive applications, such as a counterfeit 'Digital Pension' app, hosted on websites masquerading as Google Play.
Once installed on a mobile device under the guise of a fraudulent government application, the malware operates semi-autonomously. It secretly performs background functions, including capturing the user's facial data, intercepting incoming SMS messages, soliciting ID documents, and rerouting network traffic through the compromised device using 'MicroSocks.'
For iOS users, the threat actors initially directed victims to a TestFlight URL to install the malicious app, avoiding standard security reviews. Subsequently, upon Apple's removal of the TestFlight app, the attackers transitioned to convincing users into downloading a malicious Mobile Device Management (MDM) profile, granting them control over the devices. Conversely, the Android variant of the malware engages in more malicious activities compared to its iOS counterpart due to Apple's stricter security measures. Additionally, on Android devices, the malware utilizes over 20 different deceptive apps for camouflage.
Consequences:
GoldPickaxe malware can run commands on victims’ devices to access SMS, navigate the filesystem, perform clicks on the screen, upload the 100 most recent photos from the victim's album, download and install additional packages, and serve fake notifications.
Solution:
- Exercise utmost caution when installing applications, particularly those acquired from unofficial sources outside official app stores such as Google Play and the Apple App Store.
- Conduct thorough research on any application before installation. Validate the developer's credentials, review user feedback, and scrutinize requested permissions to verify their alignment with the app's stated functions.
- Maintain a healthy skepticism toward unsolicited communications claiming to originate from government agencies or service providers.
- Be wary of messages employing urgent threats or attracting offers to pressure recipients.
- Be vigilant for spelling errors, grammatical anomalies, or irregular formatting in hyperlinks before clicking on them.
- Use reputable mobile antivirus and anti-malware solutions, ensuring they are consistently updated.
- Regularly update your device's operating system and security software to mitigate vulnerabilities.
- Implement multi-factor authentication (MFA) for your banking applications to enhance security beyond standard password protection.
- Routinely monitor your bank account statements for any signs of unauthorized or suspicious activity.
References:
- https://www.bleepingcomputer.com/news/security/new-gold-pickaxe-android-ios-malware-steals-your-face-for-fraud/
- https://hothardware.com/news/alarming-android-ios-gold-pickaxe-malware-steal-your-face
- https://marketrealist.com/what-is-the-gold-pickaxe-malware/
- https://www.redpacketsecurity.com/new-gold-pickaxe-android-ios-malware-steals-your-face-for-fraud/#google_vignette
- https://nsaneforums.com/news/security-privacy-news/new-%E2%80%98gold-pickaxe%E2%80%99-android-ios-malware-steals-your-face-for-fraud-r21746/
- https://www.laptopmag.com/software/antivirus-cyber-security/nasty-iphone-android-malware-breaks-into-your-banking-apps-using-your-face-heres-how-it-works
Advisory ID: ngCERT-2024-0004
Summary:
Security researchers discovered three high-severity vulnerabilities in the Google Chrome browser (CVE-2024-1060, CVE-2024-1059, and CVE-2024-1077). According to reports, the vulnerabilities might allow threat actors to remotely exploit Chrome, potentially executing arbitrary code, stealing sensitive user data, or causing system crashes. Meanwhile, Google has released new security updates to address many vulnerabilities in its Chrome browser. Nonetheless, users must take proper actions to mitigate dangers.
Damage/Probability: CRITICAL/HIGH
Description:
The high-severity vulnerabilities have been classified as Use-After-Free (UAF), a memory-safety flaw that results from incorrect memory management in software. For instance, if a program frees a memory location but does not clear the pointer to that memory, an attacker can use the dangling pointer to subvert the program. The UAF flaws (CVE-2024-1060, CVE-2024-1059 and CVE-2024-1077) were found in the Canvas component, WebRTC component and Network component of Google Chrome respectively. These flaws can allow an attacker to exploit heap corruption via a specially crafted HTML page, exploit stack corruption via a crafted HTML page and facilitate the remote exploitation of heap corruption via a malicious file. The affected systems are Chrome prior to 121.0.6167.139/140 for Windows and Chrome prior to 121.0.6167.139 for Mac and Linux.
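The practical check that follows from the affected-version list above is a fleet audit: parse the installed Chrome version on each host and compare it with the fixed builds the advisory names. The script below is an added example, not code from the advisory or from Google; the FIXED_VERSIONS table is constructed from the version numbers quoted above (for Windows the lower of 139/140 is used as the floor), and the inventory entries are made-up sample hosts.

```python
"""Audit Chrome builds against the fixed versions quoted in the advisory."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum fixed builds taken from the advisory text (constructed mapping, not a vendor API).
FIXED_VERSIONS = {
    "windows": (121, 0, 6167, 139),  # advisory lists 121.0.6167.139/140 for Windows
    "mac": (121, 0, 6167, 139),
    "linux": (121, 0, 6167, 139),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract a four-part Chrome version from text such as the output of
    `google-chrome --version` ("Google Chrome 121.0.6167.139").
    Returns None when no version is present so callers treat unknown as unpatched."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, build, patch = (int(g) for g in match.groups())
    return (major, minor, build, patch)


def is_patched(text: str, platform: str) -> bool:
    """True only when a version is found and is at or above the platform's fixed build.
    Tuple comparison orders the components numerically, so 6099.217 < 6167.139."""
    floor = FIXED_VERSIONS.get(platform.lower())
    if floor is None:
        raise ValueError(f"unknown platform: {platform}")
    version = parse_version(text)
    return version is not None and version >= floor


def audit(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose Chrome is missing the update (or unknown)."""
    return [host for host, platform, banner in inventory if not is_patched(banner, platform)]


# Constructed sample inventory for demonstration; the hosts and banners are not real.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 121.0.6167.140"),
    ("ws-02", "windows", "Google Chrome 121.0.6099.217"),
    ("mac-01", "mac", "Google Chrome 121.0.6167.139"),
    ("lx-01", "linux", "Google Chrome 120.0.6099.224"),
    ("lx-02", "linux", "version unavailable"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: Chrome needs the 121.0.6167.139 (or later) update")
```

A host whose version cannot be read is reported as needing the update on purpose: an inventory gap is not evidence that the patch is in place.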
Consequences: Successful exploitation of these vulnerabilities could allow for the following:
- Arbitrary code execution in the context of the logged-on user.
- Depending on the privileges associated with the user, an attacker could install malicious programs.
- Attacker could view, change, or delete data.
- Attacker could also create new accounts with full user rights.
Solution:
The aforementioned vulnerabilities have been patched by a security update released by Google. Nonetheless, all users are encouraged to:
- Install the most recent updates for their systems, software, and gadgets.
- Remove saved login information or passwords, clear your browser's history.
- Remove cookies from your browser since they can provide hackers access to email services without a user's credentials.
- Refrain from clicking on dubious links that can corrupt your computer.
References:
Advisory ID: NCC-CSIRT-120224-004
Summary:
Microsoft is currently examining an issue where Outlook security alerts are triggered when attempting to open .ICS calendar files subsequent to installing the December 2023 Patch Tuesday Office security updates. An ICS file is a file format for iCalendar in Outlook. Those impacted encounter dialog boxes cautioning them that "Microsoft Office has identified a potential security concern" and that "This location may be unsafe" upon double-clicking locally saved ICS files.
Threat Type(s): Vulnerability
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Microsoft 365
Platform(s): Microsoft Outlook
Version(s): All Versions.
Description:
Upon deploying a security update addressing the Microsoft Outlook information disclosure vulnerability (CVE-2023-35636), the security warning will be displayed. Failure to apply the patch may enable attackers to exploit the vulnerability, potentially tricking users with unpatched Outlook installations into opening maliciously crafted files, thereby compromising their hidden Windows credentials.
Consequences: The attackers can use the victim’s obfuscated Windows credentials to authenticate as the compromised user, gain access to sensitive data, or spread laterally on their network.
Solution:
Impacted users can disable the dialog by following the step-by-step instructions available in the link below:
- https://support.microsoft.com/en-us/office/outlook-prompts-security-notice-opening-ics-files-after-installing-protections-for-microsoft-outlook-information-disclosure-vulnerability-released-dec-12-2023-df8647ef-1828-421b-a266-79120b6190bd
- https://learn.microsoft.com/en-us/answers/questions/1521137/how-can-i-avoid-outlooks-security-warning-on-a-ics
- https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-december-updates-trigger-ics-security-alerts/
Advisory ID: NCC-CSIRT-050224-003
Summary:
Researchers from AT&T Cybersecurity have discovered new phishing attacks exploiting Microsoft Teams group chat requests to distribute malicious attachments. These attachments install DarkGate malware payloads on the systems of unsuspecting victims. The operators of DarkGate take advantage of Microsoft Teams to execute these attacks, focusing on organizations where administrators have not secured their tenants by disabling the External Access setting.
Threat Type(s): Phishing
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Microsoft Teams.
Platform(s): Microsoft Teams Group Chat
Version(s): All Versions.
Description:
The researchers uncovered that the perpetrators utilized what appears to be a compromised Teams user (or domain) to dispatch over 1,000 malicious Teams group chat invitations. This exploit became feasible due to Microsoft's default enabling of External Access to company chats, granting anyone within the organization the ability to add users to chats, even if they are external to the organization.
Upon acceptance of the chat invitation by the targets, the malicious actors deceive them into downloading a file with a double extension, cleverly named 'Navigating Future Changes October 2023.pdf.msi', a common tactic employed by DarkGate. Once the malware is installed, it establishes communication with its command-and-control server, a component already verified as part of the DarkGate malware infrastructure. This phishing attack is facilitated by Microsoft's default setting, allowing external Microsoft Teams users to message users from other tenants.
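The double-extension trick described above (a document-looking '.pdf' in front of a real '.msi') is easy to flag mechanically in an attachment or file-share log. The function below is an added example, not code from the advisory or from AT&T Cybersecurity; the extension sets are constructed for this illustration and the sample filenames other than the one quoted above are made up.

```python
"""Flag attachment names that hide an installer behind a document-looking extension."""
from typing import Dict, Iterable, List

# Extensions that run or install code when opened (constructed list for this example).
EXECUTABLE_EXTS = {".msi", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".lnk", ".hta"}
# Extensions a user would expect to open harmlessly (constructed list for this example).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}


def extensions(name: str) -> List[str]:
    """Return every dotted extension of the file name, lower-cased and in order.
    Directory parts (either slash style) are dropped, and padding such as
    'report.pdf .msi' is stripped so a space cannot hide the final extension."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p.strip().lower() for p in parts[1:] if p.strip()]


def classify(name: str) -> str:
    """Classify a file name by what actually happens when the user opens it.
    The deceptive case is an executable final extension preceded by a document one."""
    exts = extensions(name)
    if not exts:
        return "no-extension"
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            return "deceptive-double-extension"
        return "executable"
    if final in DOCUMENT_EXTS:
        return "document"
    return "other"


def review_attachments(names: Iterable[str]) -> Dict[str, str]:
    """Map each attachment name to its classification, for use over a chat or mail log."""
    return {n: classify(n) for n in names}


# Constructed sample; only the first name is the one quoted in the advisory.
SAMPLE_ATTACHMENTS = [
    "Navigating Future Changes October 2023.pdf.msi",
    "Q3 report.pdf",
    "setup.msi",
    "archive.tar.gz",
    "README",
    "C:\\Users\\demo\\Downloads\\invoice.PDF.EXE",
]

if __name__ == "__main__":
    for name, verdict in review_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:28s} {name}")
```

Only the last extension decides what the operating system does with the file, which is why the check looks at the final extension first and treats everything before it as decoration an attacker may have chosen.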
Consequences:
Deployment of DarkGate malware payloads along with the phishing impacts.
Solution:
- Exercise caution regarding file sharing by refraining from accepting or opening files from untrusted sources and avoid installation of such files altogether.
- Organizations should disable External Access in Microsoft Teams.
- End users should always be trained to pay attention to where unsolicited messages are coming from and should be reminded that phishing can take many forms beyond the typical email. A phishing attack is a type of cyber-attack in which attackers impersonate legitimate entities to deceive individuals into providing sensitive information such as passwords, financial details, or personal data, often through deceptive emails, messages, or websites.
References:
- https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-pushes-darkgate-malware-via-group-chats/
- https://windowsreport.com/microsoft-teams-darkgate-phishing-attacks/
- https://cyber.vumetric.com/security-news/2024/01/30/microsoft-teams-phishing-pushes-darkgate-malware-via-group-chats/
Advisory ID: ngCERT-2024-0003
Summary:
Chameleon, a rapidly evolving Android banking Trojan, has been discovered to be targeting Android users globally. The new Android malware type has the potential to bypass biometric authentication, steal sensitive information such as login credentials and credit card information, and conduct fraudulent operations via banking applications. Chameleon's ability to disable biometric security measures such as fingerprint and facial unlock makes it more dangerous, with disastrous consequences for Android banking users. This highlights the importance for Android phone owners to take the required precautions to mitigate the aforementioned threat.
Damage/Probability: CRITICAL/HIGH
Description:
The Chameleon Trojan was found to enable attackers to carry out Account Takeover (ATO) and Device Takeover (DTO) attacks, mostly targeting banking and cryptocurrency apps. The malware is distributed through phishing pages, disguised as legitimate applications/programs and delivered via a legitimate content distribution network (CDN). The new variant is distributed using Zombinder, a dropper-as-a-service (DaaS) used in attacks against Android users. The Trojan performs device-specific checks, which are activated when a command is received from the command-and-control (C&C) server, while targeting the 'Restricted Settings' protections added in Android 13. Upon receiving the command, the Trojan presents an HTML page requesting that the user enable the Accessibility service, which allows the malware to perform DTO. After receiving further commands, the malware assesses the device's screen and keyguard status and then uses the Accessibility Event action to bypass biometric authentication by forcing a transition to PIN authentication. This fallback to standard PIN authentication lets threat actors capture PINs, passwords, or graphical keys with the malware's keylogging functionality. The revised Chameleon edition also includes job scheduling using the AlarmManager API, which has been seen in other banking Trojans but is implemented differently here. If the Accessibility option is not enabled, the Trojan can move to gathering information about user programs in order to identify the foreground application and display overlays via the 'Injection' activity.
Consequences:
A successful execution of the Chameleon banking Trojan could result in the following:
- Financial losses from unauthorized transactions.
- Data exfiltration.
- Damage to reputation.
- Privacy breaches.
- Disruption of critical financial operations.
- Privilege escalation on devices.
Solution:
It is therefore recommended that Android phone users should:
- Avoid clicking links on emails or text messages, even from seemingly legitimate sources.
- Ensure that their Android devices and apps are up to date with the latest security patches.
- Only download apps from the official Google Play Store.
- Avoid using public Wi-Fi networks for sensitive banking activities.
- Report suspicious activities to your bank immediately.
- Be mindful of social engineering and phishing tactics deployed by cybercriminals.
- Implement mobile device management (MDM) solutions to enforce security policies and remotely manage devices.
- Ensure that Play Protect is enabled at all times.
- Run regular scans to ensure that devices are free of malware and adware.
References: