Advisory ID: ngCERT-2023-0037
Summary: Transparent Tribe, a threat actor linked to Pakistan, has been observed distributing malicious Android apps that masquerade as YouTube in order to deliver the CapraRAT mobile remote access trojan (RAT). This underscores the need for individuals in sensitive positions, and for organisations, to take proactive steps to forestall such activity.
Threat Type(s): Malware
Damage/Probability: CRITICAL/HIGH
Description: The malicious apps used in these intrusions are distributed outside Google Play, the official Android app store, so victims are most likely tricked into downloading and sideloading them. Two of the apps pose as 'YouTube'; one of them loads a YouTube channel belonging to a persona named "Piya Sharma", indicating that the adversary uses romance-based social engineering to entice targets into installing the applications.
During installation the apps request permissions that may appear reasonable for a media-streaming app such as YouTube, for example access to the microphone and camera. The apps' interface, however, lacks several features of the genuine YouTube client and behaves more like a web browser, because the trojanized app simply loads YouTube inside a WebView. Once the permissions are granted, CapraRAT becomes active and operates as a full spyware tool: it records through the microphone and cameras, collects SMS messages and call logs, sends SMS messages, takes screenshots, modifies system settings, and reads and modifies files on the device's filesystem.
Consequences: Successful installation and execution of CapraRAT on an Android device gives the operator spyware-level access. Once installed, the apps can collect data, record audio and video, initiate phone calls, and access sensitive communications.
Solution: The following precautions should be heeded:
- Never install Android applications distributed outside the Google Play store.
- Avoid downloading new social media applications advertised within social media communities.
- Review the permissions requested by any application you install, particularly new or unfamiliar apps; a video-streaming app has no reason to read SMS messages or call logs.
- Never install a third-party version of an application that is already present on your device.
References:
Advisory ID: NCC-CSIRT-180923-035
Summary: Cara Lin, a researcher at Fortinet's FortiGuard Labs, has detected an advanced phishing campaign that distributes malicious Word documents by e-mail. The documents lead victims to download a loader, a malware stage whose purpose is to fetch and execute further payloads. Once executed, the loader triggers a sequence of malware payloads. The attack uses methods designed to evade detection and to maintain a lasting presence on compromised systems.
Threat Type(s): Phishing and Malware
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Windows Devices
Platform(s): Windows Operating Systems
Version(s): All Versions
Description: According to the researcher, a phishing e-mail delivers the Word document as an attachment. The document contains a deliberately blurred image and a counterfeit reCAPTCHA prompt to entice the recipient into clicking on it; clicking the image follows an embedded malicious URL and retrieves a loader from a remote server. The loader uses a binary-padding evasion technique: null bytes are appended to inflate the file to roughly 400 MB, a size that exceeds the scanning limits of some antivirus engines. The loader then deploys several malware families: OriginBotnet, for keylogging and password recovery; RedLine Clipper, which steals cryptocurrency by swapping wallet addresses on the clipboard; and AgentTesla, an information stealer that harvests credentials and other sensitive data from the compromised Windows machine.
Consequences: Remote attackers can steal credentials, other sensitive information, and cryptocurrency from infected machines.
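The following script is an added example, not part of this advisory or of Fortinet's research, showing how a defender can measure the null-byte binary padding described above without reading the whole file into memory (the point of the padding is to push the file past scanner size limits). It writes a constructed stand-in sample (a 512-byte MZ-headed stub followed by null bytes, not real malware); the size threshold `min_size` and ratio `min_ratio` are assumed tuning values, not figures from the report.

```python
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read window


def trailing_null_bytes(path: str) -> int:
    """Length of the run of 0x00 bytes at the end of the file.

    The file is read backwards one window at a time, so a 400 MB padded
    loader is measured without loading it into memory.
    """
    count = 0
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        pos = fh.tell()
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            fh.seek(pos)
            window = fh.read(step)
            stripped = window.rstrip(b"\x00")
            count += len(window) - len(stripped)
            if stripped:  # reached a non-null byte: the padding run ends here
                break
    return count


def padding_verdict(path: str, min_size: int = 50 << 20, min_ratio: float = 0.5) -> dict:
    """Flag a file as binary-padded when it is large AND mostly trailing nulls.

    min_size / min_ratio are assumed tuning values, not figures from the report.
    """
    size = os.path.getsize(path)
    nulls = trailing_null_bytes(path)
    ratio = nulls / size if size else 0.0
    return {
        "size": size,
        "trailing_nulls": nulls,
        "null_ratio": round(ratio, 3),
        "suspected_padding": size >= min_size and ratio >= min_ratio,
    }


def make_sample(padding: int) -> str:
    """Write a constructed stand-in: a 512-byte MZ-headed stub plus `padding` nulls.

    This is illustrative data, not a real loader or malware sample.
    """
    stub = b"MZ" + b"\x90" * 510  # ends in a non-null byte on purpose
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as fh:
        fh.write(stub)
        fh.write(b"\x00" * padding)
    return path


if __name__ == "__main__":
    sample = make_sample(3 * CHUNK + 17)  # ~3 MiB of padding, spans several windows
    print(padding_verdict(sample, min_size=1 << 20))
    os.remove(sample)
```

A file that passes this check should be scanned with the padding stripped (the bytes before the trailing null run), since hashes of the padded file will differ between victims if the attacker varies the padding length.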
Solution:
- Do not follow suspicious links and URLs, including those embedded in documents.
- Be wary of e-mail attachments, especially Office documents that ask you to click an image or solve a CAPTCHA to view their content.
- Keep endpoint antivirus signatures current; Fortinet reports that FortiGuard Antivirus detects the samples used in this campaign.
References:
https://thehackernews.com/2023/09/sophisticated-phishing-campaign.html
https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document
Advisory ID: NCC-CSIRT-130923-034
Summary: Researchers at Citizen Lab have identified a zero-click exploit chain (one requiring no user interaction) that targets two recently patched zero-day vulnerabilities in Apple's operating systems. Successful exploitation deploys the Pegasus commercial spyware developed by NSO Group onto iPhones, and the chain worked against devices that were fully updated at the time (iOS 16.6). NSO Group, named after its founders Niv, Shalev and Omri, is an Israeli cyber-intelligence company known for its proprietary Pegasus spyware, which is notorious for remote, zero-click surveillance of smartphones.
Threat Type(s): Spyware
Impact/Vulnerability: HIGH/CRITICAL
Product(s): iPhone, iPad, Macs, and Apple Watch
Platform(s): Apple Operating System
Version(s):
- iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Ventura
- Apple Watch Series 4 and later
Description: According to the researchers, the exploit chain, which Citizen Lab calls BLASTPASS, is delivered as PassKit attachments containing malicious images sent from an attacker's iMessage account to the victim. It leverages two vulnerabilities: a buffer overflow in ImageIO triggered when processing a crafted image (CVE-2023-41064), and a validation issue in Wallet that can be exploited through a malicious attachment (CVE-2023-41061). Together they give the attacker arbitrary code execution on unpatched iPhones, iPads, Macs and Apple Watches.
Consequences: Arbitrary code execution on unpatched iPhones, iPads, Macs and Apple Watches, triggered automatically without any user interaction.
Solution:
- Update iPhone, iPad, Mac and Apple Watch to iOS 16.6.1, iPadOS 16.6.1, macOS Ventura 13.5.2 and watchOS 9.6.2 respectively.
- Users at heightened risk of targeted exploitation because of who they are or what they do should enable Lockdown Mode, following the instructions in the link below:
https://support.apple.com/en-ca/HT212650
References:
https://www.bleepingcomputer.com/news/security/apple-zero-click-imessage-exploit-used-to-infect-iphones-with-spyware/
https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
https://support.apple.com/en-ca/HT212650
Advisory ID: NCC-CSIRT-120923-033
Summary: Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) has identified a novel attack technique, dubbed 'MalDoc in PDF', that evades detection by concealing a malicious Word document inside a PDF file.
Threat Type(s): Malware
Impact/Vulnerability: HIGH/CRITICAL
Product(s): PDF documents carrying an embedded Word (MHT) file
Platform(s): Microsoft Word (Windows)
Version(s): All Versions
Description: As the researchers describe it, the crafted PDF that carries the malicious Word document is a polyglot: a file that is valid in more than one format and is interpreted differently depending on the application that opens it. Here a valid PDF is followed by an MHT (web archive) Word document, so most scanners and PDF tools identify the file as a PDF, while Microsoft Word, once the file is renamed with a .doc extension, opens it as an ordinary Word document. The embedded Word document contains a Visual Basic for Applications (VBA) macro; when the file is opened as a .doc in Microsoft Office and the macro runs, it downloads and installs a Microsoft Installer (MSI) malware package. The researchers have not disclosed details of the installed malware.
Consequences: The technique is used to evade detection and confuse analysis tools: the file appears harmless to tools that parse it as a PDF while it carries malicious code in its Word representation.
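As an added example (not JPCERT/CC's YARA rule or any code from this advisory), the following Python triage function checks a file for the 'MalDoc in PDF' layout described above: a %PDF header at offset 0 with an MHT web archive, carrying Word-specific markers, appended after the PDF's last %%EOF. The sample bytes are constructed inline to illustrate the layout and are not a real malicious document; the marker strings and the `suspicious` decision rule are this example's own heuristic, and `carve_mht` simply returns the appended part so it can be passed to olevba.

```python
from typing import Dict

PDF_MAGIC = b"%PDF-"
# Headers that open an MHT (MIME HTML) web archive, the container Word saves to
MHT_MARKERS = (b"MIME-Version:", b"Content-Type: multipart/related")
MHT_PART = b"Content-Location:"
# Strings that a Word-generated MHT carries (ProgId meta tag, embedded .mso part)
WORD_HINTS = (b"application/x-mso", b"Word.Document")


def analyse_maldoc_in_pdf(data: bytes) -> Dict[str, object]:
    """Report what a PDF-only parser sees next to what Word would see."""
    looks_like_pdf = data.startswith(PDF_MAGIC)
    mht_offsets = [data.find(m) for m in MHT_MARKERS if m in data]
    mht_offset = min(mht_offsets) if mht_offsets else -1
    embedded_mht = mht_offset != -1 and MHT_PART in data
    word_hints = any(h in data for h in WORD_HINTS)
    last_eof = data.rfind(b"%%EOF")
    # The MHT block sits after the PDF trailer, so PDF parsers never reach it
    mht_after_pdf_eof = embedded_mht and last_eof != -1 and mht_offset > last_eof
    return {
        "looks_like_pdf": looks_like_pdf,
        "embedded_mht": embedded_mht,
        "mht_offset": mht_offset,
        "word_hints": word_hints,
        "mht_after_pdf_eof": mht_after_pdf_eof,
        # Heuristic decision rule of this example, not JPCERT/CC's rule
        "suspicious": looks_like_pdf and embedded_mht and word_hints,
    }


def carve_mht(data: bytes) -> bytes:
    """Return the appended MHT part (empty if none) for macro analysis with olevba."""
    report = analyse_maldoc_in_pdf(data)
    return data[report["mht_offset"]:] if report["embedded_mht"] else b""


# Constructed sample data: a minimal PDF and a minimal Word-style MHT archive.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Count 0/Kids[]>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
MHT_BODY = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_000"\r\n\r\n'
    b"------=_NextPart_000\r\n"
    b"Content-Location: file:///C:/doc.htm\r\n"
    b'Content-Type: text/html; charset="us-ascii"\r\n\r\n'
    b"<html><head><meta name=ProgId content=Word.Document></head></html>\r\n"
    b"------=_NextPart_000\r\n"
    b"Content-Location: file:///C:/doc_files/editdata.mso\r\n"
    b"Content-Type: application/x-mso\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + b"0M8R4KGxGuEA" + b"A" * 20 + b"\r\n"  # base64 of an OLE (CFB) header + zeros
    + b"------=_NextPart_000--\r\n"
)
POLYGLOT = BENIGN_PDF + MHT_BODY  # what the MalDoc in PDF file looks like on disk


if __name__ == "__main__":
    for name, blob in (("benign.pdf", BENIGN_PDF), ("polyglot.pdf", POLYGLOT), ("plain.mht", MHT_BODY)):
        print(name, analyse_maldoc_in_pdf(blob))
```

A plain MHT file is not flagged, because the point of the technique is the PDF header that steers scanners away from the Word content; a real triage pipeline would hand the carved bytes to olevba rather than trusting the PDF verdict.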
Solution:
- Disable automatic execution of macros in Microsoft Office.
- Use the OLEVBA tool (part of oletools) to analyse suspicious Word files; it extracts and analyses embedded macros so that potentially malicious components can be identified. Tools that parse the file purely as a PDF (for example pdfid) will not see the macro.
- Apply the YARA rule published by JPCERT/CC to detect files using the 'MalDoc in PDF' technique. Note also that when such a file is opened, Word displays a warning that the content (Word document, Excel workbook or MHT web archive saved by a browser) does not match the file extension and requires the user to accept before opening it; treat that prompt as a red flag for a file that was presented as a PDF.
References:
https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html
https://www.bleepingcomputer.com/news/security/maldoc-in-pdfs-hiding-malicious-word-docs-in-pdf-files/
Advisory ID: ngCERT-2023-0035
Summary: Cybercriminals have intensified their use of SIM-swap attacks against the general public. In a recent instance, a highly sophisticated threat actor carried out a "SIM swapping" attack against a T-Mobile US, Inc. account belonging to a Kroll employee, demonstrating the growing sophistication of these operations. The incident underscores the urgency of cybersecurity awareness and protection against this threat.
Threat Type(s): Mobile Networks/Devices
Damage/Probability: CRITICAL/HIGH
Description: SIM swapping, also referred to as SIM splitting or simjacking, is a malicious technique where criminal actors target mobile carriers to gain access to victims' bank accounts, virtual currency accounts, and other sensitive information. Criminal actors primarily conduct SIM swap schemes using social engineering, insider threat, or phishing techniques.
Social engineering involves a criminal actor impersonating a victim and tricking the mobile carrier into switching the victim's mobile number to a SIM card in the criminal's possession. Criminal actors using insider threat to conduct SIM swap schemes pay off a mobile carrier employee to switch a victim's mobile number to a SIM card in the criminal's possession. Criminal actors often use phishing techniques to deceive employees into downloading malware used to hack mobile carrier systems that carry out SIM swaps.
Once the SIM is swapped, the victim's calls, texts and other data are diverted to the criminal's device. The criminal can then submit 'Forgot Password' or 'Account Recovery' requests to the victim's e-mail and other online accounts linked to the mobile number. Where those accounts use SMS-based two-factor authentication, the provider sends the reset link or one-time passcode by text to the victim's number, which the criminal now controls. The criminal uses the codes to log in and reset passwords, taking over the online accounts associated with the victim's phone number.
Consequences: A successful SIM swapping attack allows cybercriminals to take over the victim's phone number, which can have serious consequences, including unauthorized access to sensitive information and accounts. Once executed, attackers can intercept SMS messages, monitor voice calls, and gain control over multi-factor authentication codes. This allows them to compromise online accounts, potentially leading to data breaches, financial loss, and identity theft.
Solution: Countermeasures include:
- Do not advertise information about financial assets, including ownership of or investment in cryptocurrency, on social media websites and forums.
- Do not give mobile account information to callers who ask for your account password or PIN. Verify any such request by hanging up and dialing your mobile carrier's published customer-service number.
- Avoid posting personal information online, such as your mobile phone number, address, or other personally identifying information.
- Use a unique password for each online account.
- Be alert to a sudden loss of mobile service (no signal, calls or SMS), which can indicate that your number has been moved to another SIM; contact your carrier immediately.
- Use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authenticator applications, rather than SMS codes, to access online accounts.
- Do not store passwords, usernames or other login details in mobile applications for convenience.
References: