Advisory ID:   ngCERT-2025-010007

SUMMARY

ngCERT is aware of an increase in Android.Vo1d malware infections within the Nigerian cyberspace. Android.vo1d otherwise known as Void is a recent android trojan campaign reported to have infected over 1.3 million Android TV boxes worldwide, including Nigeria. The malware is identified as a sophisticated backdoor capable of secretly downloading and installing malicious applications on infected devices, particularly those running outdated Android operating systems. Android.vo1d poses a major risk to Android TV box users, with implications on system compromise and takeover, as well as data exfiltration among other negative impacts. Consequently, ngCERT strongly advises individuals and organizations to take immediate steps to safeguard their systems and data from this emerging threat.

Probability:    High

Damage:        Critical

Platform(s):   Android TV Boxes

DESCRIPTION

Android.Vo1d is a backdoor trojan that installs itself deep in the device’s system files and operates covertly by employing advanced techniques to evade detection while establishing persistence. It achieves this by infiltrating the system storage and modifying critical files like install-recovery.sh and daemonsu files. Thereafter, it creates news files, /system/xbin/wd, /system/xbin/vo1d, /system/bin/debuggerd_real and /system/bin/debuggerd. Attackers cleverly disguises the malware by altering the file name “vold,” a system program, to “vo1d,” substituting the lowercase “l” with the number “1”. This trick allows the malware to evade detection while establishing a foothold in infected systems. Additionally, the backdoor’s components, Android.Vo1d.1, Android.Vo1d.3, and Android.Vo1d.5 work concurrently to ensure continued malicious activity. Particularly, Vo1d.1 manages activities and downloads executables files from the C&C server, Vo1d.3 installs and launches the encrypted Android.Vo1d.5 daemon, while monitoring directories and installing APK files, with Vo1d.5 providing additional functionality. Furthermore, TV boxes running older Android versions are particularly vulnerable, as they often lack critical security updates. Some of these devices include the R4 (Android 7.1.2) and KJ-SMART4KVIP (Android 10.1).

CONSEQUENCES

Falling prey to these attacks could potentially lead to:

1. System compromise.
2. Unauthorized access to sensitive data.
3. Data exfiltration.
4. Reputational damage.
5. Service Disruption leading to potential Denial of Service (DoS).

SOLUTION/MITIGATION

ngCERT recommends the following:

1. Regularly update of TV box firmware from official sources.
2. Installation of antivirus software to detect potential infections.
3. Avoid downloading apps or firmware from unofficial sources.
4. Consider replacing TV boxes running on outdated Android versions with newer and more secure models.

HYPERLINK

• https://cybersecuritynews.com/android-tv-box-android-vo1d-malware/
• https://securityonline.info/massive-android-tv-box-infection-over-1-3-million-devices-compromised-by-android-vo1d/
• https://thehackernews.com/2024/09/beware-new-vo1d-malware-infects-13.html
• https://www.androidheadlines.com/2024/09/these-android-tv-boxes-are-infected-by-vo1d-malware.html

dvisory ID: ngCERT-2025-010005

Summary: 

ngCERT has observed a widespread of the Nymaim malware infections across Nigerian cyberspace. The malware originally designed as a ransomware loader has become a multi-functional threat capable of delivering a variety of malicious payloads, such as banking Trojans, ransomware, and remote access tools (RATs). Known for its stealthy and modular design, Nymaim uses advanced techniques to evade detection and maintain persistence on infected systems. By leveraging social engineering, advanced obfuscation, and modularity, Nymaim poses a significant threat to individuals and organizations. Defending against such threats requires a multi-layered approach, including regular software updates, user awareness, and advanced threat detection tools. As Nymaim continues to evolve, staying vigilant and proactive is essential to mitigate its impact.

Damage/Probability: CRITICAL/HIGH

Platform(s): Operating Systems

Description: 

Nymaim malware attack chain reflects a carefully crafted sequence of steps designed to infiltrate systems, evade detection, and achieve the attacker’s objectives. Its initial attack process involves leveraging various entry points to compromise the target’s system. The most common attack vectors include phishing emails, drive-by downloads, compromised websites, execution and payload deployment. Upon execution, Nymaim decrypts and unpacks its malicious code, which is initially stored in an encrypted format. This ensures the payload remains undetected during the initial stages of infection. To maintain access, Nymaim modifies system settings, such as registry keys, to achieve persistence. It may also create scheduled tasks to ensure it runs every time the system starts, even after a reboot. Nymaim connects to a Command-and-Control (C2) server to download additional payloads tailored to the attacker’s objectives.

Consequences: 

Solution:  

ngCERT recommends the following:

• Keep all software and operating systems up to date.

• Regularly monitor network traffic for anomalous behavior.

• Train employees to identify phishing attempts and suspicious links.

• Effective use of anti-malware software and firewall system.

• Encourage reporting of suspicious emails to IT teams promptly.

• Notify stakeholders and comply with any regulatory requirements in case of a data breach.

References:

• https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded
• https://www.eset.com/int/about/newsroom/press-releases/announcements/nymaim-ransomware-still-active-finding-new-infection-vector-to-spread-black-hat-seo/
• https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim 

Advisory ID: ngCERT-2025-010004

Summary: 

ngCERT is issuing an urgent security alert regarding the infiltration of ViperSoftX malware within Nigerian cyberspace. ViperSoftX is a JavaScript-based Remote Access Trojan (RAT) capable of stealing sensitive information like banking and cryptocurrency details while evading detection and analysis on an infected system. Cybercriminals distribute this malware through infected email attachments, malicious online advertisements, social engineering, and cracked software. When successfully deployed on a system, the Trojan could be used for several malicious activities, leading to system compromise, data exfiltration, financial losses, identity theft, and ransomware attacks. ngCERT advises individuals and organizations to protect their systems and data from ViperSoftX malware immediately.

Damage/Probability: CRITICAL/HIGH

Platform(s): Operating Systems

Description: 

ViperSoftX malware infection begins when cybercriminals lure unsuspecting victims into downloading malicious files from multimedia sites, endpoints of cracked software, eBooks, torrent sites, and malicious emails. Upon execution, ViperSoftX initiates checks to avoid virtual environments and security monitoring, identification of antivirus tools to ascertain the risk of detection, and the running of a PowerShell script to download its core malicious components. Thereafter, the Trojan establishes two-way communication with its C2 servers to receive instructions and exfiltrates sensitive data. Summarily, the attack process involves infection and delivery stage, anti-analysis and security evasion procedures, PowerShell script execution, and rogue browser extension installation such as VenomSoftX, while carrying out cryptocurrency and password management targeting. These are aimed at stealing login credentials, cookies, and autofill data, allowing for a sweeping breach of user accounts and sensitive data. Also, through clipboard hijacking, ViperSoftX copies valid wallet addresses and replaces them with its own, thereby diverting any cryptocurrency transactions away from the victim. It further carries out password manager data extracting, which exposes the entire security framework of the victim’s system to further attacks.

Consequences: 

 Successful exploitation of the vulnerabilities could lead to:

• System compromise

• Unauthorized access to sensitive data.

• Loss and theft of sensitive data.

• Reputation Damage.

• Ransomware attacks.

• Financial loss.

Solution:  

 ngCERT recommends the following: 

• Refrain from opening attachments in emails received unexpectedly from trustworthy users or unreliable sources.

• Ensure that the assets/systems operating system, applications, antivirus, and plugins are up to date.

• Conduct regular system scans and remove detected/potential threats.

• Maintain regular data backups on external devices or reputable cloud storage providers.

• Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solutions, endpoint detection and response solutions including anti-malware software.

• Implement comprehensive security solutions to all necessary devices such as BitLocker, FileVault, and/or device encryption.

• Enforce a strong password policy and implement regular password changes.c

• Disable unused services and open ports on your agency's servers and endpoint devices. Only open ports and activate services that are necessary for daily operations.

References:

• https://thehackernews.com/2023/04/vipersoftx-infostealer-adopts.html

• https://www.pcrisk.com/removal-guides/19945-vipersoftx-rat

• https://cujo.com/blog/vipersoftx-tracking-and-countering-a-persistent-threat/

• https://social.cyware.com/news/vipersoftx-upgraded-with-sophisticated-anti-detection-techniques-7bb40000

• https://medium.com/@survivormansales/how-does-vipersoftx-work-75bbe179df23

Advisory ID: ngCERT-2024-0036

Summary: 

ngCERT has observed the resurgence of Tinybanker Malware, also known as “Tinba” or “Zusy”, which is a sophisticated Malware designed to steal sensitive banking information. This Trojan has been used to attack a large number of popular banking websites around the world. Threat actors infiltrate systems primarily through phishing attacks, malicious downloads, and compromised websites. Once inside, it can capture sensitive data which includes login credentials, keystrokes and allow attackers to gain unauthorized access to users' online banking accounts without any of their knowledge using techniques such as Man-in-the-Browser (MITB) attacks, JavaScript Injection, Keylogging, and Packet Sniffing. Tinybanker is the smallest known trojan at 20KB, which makes it much harder to detect; With its source code published online, there is a continuous emergence of new iterations of the malware which makes it to be considered a very destructive malware strain. Individuals and organizations are advised to take immediate steps to protect their systems and data from Tinybanker malware threats. 

Damage/Probability: CRITICAL/HIGH

Platform(s): Windows Operating Systems

Description: 

The Tinybanker malware is small-sized at 20KB and stealthy which makes it very difficult to detect, it is a modified version of Zeus Trojan that infiltrates systems through phishing emails, compromised websites, and malicious links. It operates by using Man-in-the-browser (MITB) attacks, JavaScript Injection, Keylogging, and Packet Sniffing to access victims' financial information. Once successfully deployed it copies itself as bin.exe in the %AppData% folder. Based on the infected system details, different versions of Tinybanker could appear in various folders using random names and hide their activities by encrypting their memory. When the affected system restarts, bin.exe runs again which keeps Tinybanker active. Tinybanker targets sensitive processes like explorer.exe and svchost.exe on Windows. It could change settings in web browsers like Internet Explorer and Firefox turning off warnings and permitting HTTP content to show on HTTPS sites without alerts. Tinybanker uses encryption for its communication with its control server and uses four C&C domains to remain connected and it has local configuration files to use if it can’t reach a server.

Consequences: 

 Successful exploitation of the vulnerabilities could lead to:

• System compromise.

• Unauthorized access to sensitive data.

• Loss and theft of sensitive data.

• Reputation Damage.

• Ransomware attacks.

• Financial loss.

• DDoS attacks.

Solution:  

 ngCERT recommends the following: 

• Avoid downloading or opening attachments in emails received from untrusted sources or unexpectedly received from trusted users.

• Regularly monitor for irregularities on websites or systems.

• Ensure that the assets/systems operating system, applications, antivirus, and plugins are up to date.

• Regularly backup data on external devices or reputable cloud storage providers.

• Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti phishing solutions, endpoint detection and response solutions including anti-malware software.

• Enforce a strong password policy, and implement regular password changes.

• Implement comprehensive security solutions to all necessary devices such as BitLocker, FileVault and/or device encryption.

• Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.

References:

• https://www.memcyco.com/steps-to-protect-from-tiny-bankertrojan-tinba/

• https://cybeready.com/cyber-attacks/steps-to-protect-from-tinybanker-trojan-tinba

• https://www.imperva.com/learn/application-security/tinybanker-trojan-tbt-tinba/

• https://www.xenonstack.com/insights/virus-banking-trojantinba/

• https://www.wallarm.com/what/how-to-identify-and-preventtiny-banker-trojan

• https://securityintelligence.com/tinba-worlds-smallest-malwarehas-big-bag-of-nasty-tricks/