Advisory ID: NCC-CSIRT-161023-038
Summary: Trend Micro researchers have observed the DarkGate malware being spread through instant messaging platforms, namely Microsoft Teams and Skype. Once a device is compromised, the malware gives its operators remote control of it, harvests sensitive data from web browsers and mines cryptocurrency. Because the actor controls the compromised Skype and Microsoft Teams accounts of the victim's contacts, it was able to hijack existing messaging threads and name the malicious files to match the context of the chat history.
Threat Type(s): Malware and Phishing
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Windows Devices
Platform(s): Windows Operating Systems
Version(s): All Versions
Description: According to the researchers, the attackers used compromised Skype accounts to send targets a Visual Basic script (VBS) loader disguised as a PDF attachment. When the recipient opens it, the script downloads and runs an AutoIt script, which in turn launches the DarkGate malware.
Malicious actors also targeted Microsoft Teams users through compromised Office 365 accounts belonging to external organizations, together with a publicly available tool named TeamsPhisher. The tool lets attackers bypass the restriction on files sent from external tenants and deliver phishing attachments directly to Teams users.
Although the researchers stated that it is not yet clear how the originating messaging accounts were compromised, they hypothesize that it was either through leaked credentials or an earlier compromise of the parent organization.
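As an added example (not from the advisory or the Trend Micro report), the following PowerShell hunt encodes the delivery chain above as detection logic: a script host launched by an IM client, a double-extension file posing as a PDF, and an AutoIt interpreter spawned by a script host or running from a user-writable path. Field names follow Sysmon Event ID 1 (ProcessCreate); the sample events are constructed for the demonstration, and the Get-WinEvent line in the comment shows how real events would be fed in.

```powershell
# Added example: hunt for the Skype/Teams -> script host -> AutoIt -> DarkGate chain.
# Live use: Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}
# and map the ParentImage/Image/CommandLine/User properties onto the objects below.
$SampleEvents = @(          # constructed sample events, not real telemetry
    [pscustomobject]@{
        User        = 'CORP\alice'
        ParentImage = 'C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe'
        Image       = 'C:\Windows\System32\wscript.exe'
        CommandLine = '"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice-2023.pdf.vbs"'
    }
    [pscustomobject]@{
        User        = 'CORP\alice'
        ParentImage = 'C:\Windows\System32\wscript.exe'
        Image       = 'C:\Users\alice\AppData\Local\Temp\AutoIt3.exe'
        CommandLine = 'AutoIt3.exe C:\Users\alice\AppData\Local\Temp\script.au3'
    }
    [pscustomobject]@{      # benign control: Word started from Explorer
        User        = 'CORP\bob'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = '"WINWORD.EXE" /n'
    }
)

function Find-DarkGateChain {
    param([Parameter(Mandatory)][object[]]$Events)

    $scriptHosts  = 'wscript.exe', 'cscript.exe'
    $imClients    = 'teams.exe', 'msteams.exe', 'skype.exe'
    # "invoice.pdf.vbs" style double extension: looks like a PDF, runs as a script
    $doubleExt    = '\.pdf\.(vbs|vbe|js|jse|wsf)\b'
    $writablePath = '\\Users\\|\\Temp\\|\\ProgramData\\'

    foreach ($e in $Events) {
        $parent  = ($e.ParentImage -split '[\\/]')[-1].ToLower()
        $image   = ($e.Image -split '[\\/]')[-1].ToLower()
        $reasons = @()

        if ($parent -in $imClients -and $image -in $scriptHosts) {
            $reasons += 'script host launched by IM client'
        }
        if ($image -in $scriptHosts -and $e.CommandLine -match $doubleExt) {
            $reasons += 'double-extension script disguised as PDF'
        }
        if ($parent -in $scriptHosts -and $image -like 'autoit3*.exe') {
            $reasons += 'AutoIt interpreter spawned by script host'
        }
        if ($image -like 'autoit3*.exe' -and $e.Image -match $writablePath) {
            $reasons += 'AutoIt interpreter running from user-writable path'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                User    = $e.User
                Image   = $e.Image
                Parent  = $e.ParentImage
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# With the sample data the first two events are flagged and the Word launch is not.
Find-DarkGateChain -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

Each rule on its own is noisy (AutoIt is a legitimate automation tool and some organizations deploy it), so the value is in the combination: an AutoIt binary that was both spawned by a script host and lives under a user profile is the pattern this campaign leaves.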
Consequences: The malware offers a wide range of features, including a hidden Virtual Network Computing (hVNC) remote desktop, a Windows Defender bypass, browser-history theft, an integrated reverse proxy, a file manager and a Discord token stealer.
Solution:
- Organizations should enforce policies governing the use of instant messaging applications, including which attachments may be received from external parties.
- Install a reliable anti-malware solution, keep it up to date, and scan any system that received an unexpected attachment through Teams or Skype.
- Be wary of instant messages, emails and SMS carrying unexpected attachments, especially "PDF" files whose real extension is a script.
- Use multifactor authentication to prevent the misuse of leaked credentials.
- Apply safe configurations to Microsoft Teams and disable external (federated) access if it is not necessary.
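The following is an added example, not part of the advisory or of Trend Micro's research, showing how a Teams administrator can audit and tighten the external-access (federation) settings that TeamsPhisher abuses, using the MicrosoftTeams PowerShell module. It assumes a Teams administrator role and that the module is already installed (Install-Module MicrosoftTeams); the partner domain names are placeholders.

```powershell
# Added example: audit and harden Microsoft Teams external access.
Connect-MicrosoftTeams

# 1. Audit. The weak (and default) posture is open federation with every tenant,
#    plus chat from Skype consumer and Teams consumer accounts.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowPublicUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Harden. With no partner domains, external chat is switched off entirely;
#    with a partner list, open federation is replaced by an explicit allow list.
function Set-TeamsExternalAccessPosture {
    param([string[]]$PartnerDomains = @())

    # Consumer Skype/Teams accounts are where the compromised Skype senders came from.
    $consumerOff = @{
        AllowPublicUsers          = $false
        AllowTeamsConsumer        = $false
        AllowTeamsConsumerInbound = $false
    }

    if ($PartnerDomains.Count -eq 0) {
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false @consumerOff
    } else {
        $patterns  = $PartnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
        $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
            -AllowedDomains $allowList @consumerOff
    }
}

# Either of these, not both:
#   Set-TeamsExternalAccessPosture                                           # no external chat
#   Set-TeamsExternalAccessPosture -PartnerDomains 'partner-one.example', 'partner-two.example'
Set-TeamsExternalAccessPosture -PartnerDomains 'partner-one.example', 'partner-two.example'

# 3. Verify that the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowPublicUsers, AllowTeamsConsumer
```

Note the limit of this control: the campaign used compromised accounts at external organizations, so an allow list only helps to the extent that the listed partners keep their own accounts secure. MFA on both sides and scanning of received attachments remain necessary.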
References:
https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-through-compromised-skype-accounts/
https://heimdalsecurity.com/blog/darkgate-malware-spreaded-via-pdf-files-through-microsoft-teams-and-skype/
https://www.redpacketsecurity.com/darkgate-malware-spreads-through-compromised-skype-accounts/
https://thehackernews.com/2023/10/darkgate-malware-spreading-via.html
https://nquiringminds.com/cybernews/darkgate-malware-distributed-through-compromised-skype-and-microsoft-teams-accounts/
https://cybersecuritynews.com/hackers-abusing-skype/
https://www.techrepublic.com/article/darkgate-loader-malware-microsoft-teams/
https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html
Advisory ID: NCC-CSIRT-101023-037
Summary: The PEACHPIT Ad Fraud Botnet is part of a larger operation called BADBOX, which involves the sale of off-brand mobile and connected TV (CTV) devices on popular online marketplaces and resale sites. These devices are tainted with Android malware called Triada.
The threat also allows hackers to create messaging accounts on platforms like WhatsApp by pilfering one-time passwords from the compromised devices. Additionally, it enables them to create Gmail accounts that appear legitimate and evade bot detection.
Threat Type(s): Malware
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Android and iOS device types, including mobile phones, tablets, and CTV products.
Platform(s): Android and iOS Operating Systems
Version(s): All Versions
Description: The PEACHPIT botnet’s network of associated apps was discovered in 227 countries and territories, reaching a peak of 121,000 Android devices and 159,000 iOS devices daily. Infections occurred through 39 apps that were downloaded more than 15 million times.
The hallmark of this ad fraud is the use of counterfeit apps available on major app marketplaces such as the Apple App Store and Google Play Store, as well as apps automatically downloaded onto compromised BADBOX devices. These apps contain a module that creates hidden WebViews, which are then used to request, render and click on ads while masquerading the ad requests as originating from legitimate apps.
Consequences: The malware-infected devices enabled the operators to steal sensitive data, establish residential proxy exit peers, and carry out ad fraud through fraudulent apps.
Solution:
- Do not click on ads, especially those containing typos, unfamiliar brand names, or offers that sound too good to be true.
- Before buying a device, research the brand and model name; if you cannot find any information about the company behind it, avoid it.
- Online marketplaces offer a never-ending stream of good deals on off-brand devices, and these are the devices BADBOX is known to ship on; treat an unusually cheap offer as a reason to check, not a reason to buy.
- Only proceed with the purchase if a reliable source indicates the brand is legitimate and trustworthy; otherwise, do not even add the item to your cart.
References:
https://thehackernews.com/2023/10/peachpit-massive-ad-fraud-botnet.html
https://www.purevpn.com/blog/news/beware-of-devices-with-an-ad-fraud-botnet-named-peachpit/
https://www.zdnet.com/article/newly-discovered-android-malware-has-infected-thousands-of-devices/
Advisory ID: ngCERT-2023-0037
Summary: A Pakistan-linked threat actor known as Transparent Tribe has been observed deploying malicious apps that masquerade as YouTube to distribute the CapraRAT mobile remote access trojan (RAT) to Android devices. This underscores the need for individuals, particularly those in sensitive positions, and for organizations to take proactive steps to forestall such malicious activity.
Threat Type(s): Malware
Damage/Probability: CRITICAL/HIGH
Description: The malicious apps used in these intrusions are distributed outside Google Play, the official Android app store, which suggests that victims are tricked into sideloading them. Two of the apps pose as 'YouTube'; one of them loads a YouTube channel belonging to "Piya Sharma", indicating that the adversary uses romance-themed lures to entice targets into installing the applications.
During installation the apps request permissions that may initially appear harmless for a media-streaming app such as YouTube. The interface, however, lacks features of the genuine YouTube app and behaves more like a web browser, because the trojanized app simply wraps a WebView. Once the permissions are granted, CapraRAT becomes active and functions as spyware: it records through the microphone and cameras, collects SMS and call logs, sends SMS messages, takes screenshots, modifies system settings, and reads and modifies files on the device's filesystem.
Consequences: Successful installation of CapraRAT on an Android device allows the operator to collect data, record audio and video, initiate phone calls, and gain access to sensitive communications.
Solution: The following precautions should be heeded:
- Android users should not install applications distributed outside the Google Play store.
- Avoid downloading new social media applications advertised within social media communities.
- Evaluate the permissions requested by an application you download, particularly a new or previously unfamiliar one, and refuse permissions that the app's stated purpose does not require (a video player has no need for SMS, call-log or microphone access).
- Never install a third-party version of an application that is already present on your device.
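As an added example, not part of the ngCERT advisory or of the research it summarizes, the following PowerShell triage check puts the permission-evaluation advice into practice: it reads a decoded AndroidManifest.xml and flags an app that requests the spyware-grade permission set described above (microphone, camera, SMS, call logs, settings, storage). It assumes the APK has first been decoded with apktool (apktool d app.apk) so that the manifest is plain XML; the manifest below is a constructed sample, not the real CapraRAT manifest.

```powershell
# Added example: flag a "video player" whose manifest asks for spyware capabilities.
$SampleManifest = @'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.youtube.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
'@

function Get-PermissionRisk {
    param([Parameter(Mandatory)][string]$ManifestXml)

    # Capabilities the advisory attributes to CapraRAT, mapped to the Android
    # permissions that grant them. A media player needs none of these to play video.
    $spywareCapabilities = @{
        'record microphone'      = @('android.permission.RECORD_AUDIO')
        'record camera'          = @('android.permission.CAMERA')
        'read SMS'               = @('android.permission.READ_SMS', 'android.permission.RECEIVE_SMS')
        'send SMS'               = @('android.permission.SEND_SMS')
        'read call logs'         = @('android.permission.READ_CALL_LOG', 'android.permission.READ_PHONE_STATE')
        'modify system settings' = @('android.permission.WRITE_SETTINGS', 'android.permission.WRITE_SECURE_SETTINGS')
        'access files'           = @('android.permission.READ_EXTERNAL_STORAGE', 'android.permission.WRITE_EXTERNAL_STORAGE', 'android.permission.MANAGE_EXTERNAL_STORAGE')
        'survive reboot'         = @('android.permission.RECEIVE_BOOT_COMPLETED')
    }

    [xml]$doc = $ManifestXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('android', 'http://schemas.android.com/apk/res/android')
    $requested = @($doc.SelectNodes('//uses-permission/@android:name', $ns) | ForEach-Object { $_.Value })

    $hits = @(foreach ($cap in $spywareCapabilities.Keys) {
        $matched = @($spywareCapabilities[$cap] | Where-Object { $_ -in $requested })
        if ($matched.Count -gt 0) {
            [pscustomobject]@{ Capability = $cap; Permissions = ($matched -join ', ') }
        }
    })

    # Thresholds are an assumption for this example: three or more spyware-grade
    # capabilities in an app that claims to stream video is treated as high risk.
    $verdict = if ($hits.Count -ge 3) { 'HIGH: spyware-grade permission set' }
               elseif ($hits.Count -gt 0) { 'REVIEW: unexpected permission(s)' }
               else { 'LOW' }

    [pscustomobject]@{
        Package     = $doc.manifest.package
        Requested   = $requested.Count
        SpywareCaps = $hits.Count
        Verdict     = $verdict
        Details     = $hits
    }
}

Get-PermissionRisk -ManifestXml $SampleManifest | Format-List
```

On the sample manifest the check reports eight spyware-grade capabilities and a HIGH verdict. The same function can be pointed at any decoded manifest; what matters is the mismatch between the app's claimed purpose and the capabilities it asks for, not the raw permission count.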
References:
Advisory ID: NCC-CSIRT-180923-035
Summary: Cara Lin, a researcher at Fortinet FortiGuard Labs, has detected an advanced phishing campaign that uses malicious Word documents distributed through phishing emails. The documents lead victims to download a loader, a small program whose only job is to fetch and run further malware. Once executed, the loader triggers a sequence of malware payloads. The attack uses methods designed to evade detection and maintain a lasting presence on compromised systems.
Threat Type(s): Phishing and Malware
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Windows Devices
Platform(s): Windows Operating Systems
Version(s): All Versions
Description: According to the researcher, a phishing email delivers the Word document as an attachment. The document contains a deliberately blurred image overlaid with a counterfeit reCAPTCHA prompt to lure the recipient into clicking; the click follows a malicious URL that retrieves a loader from a remote server. The loader uses a binary-padding evasion technique, appending null bytes to inflate the file to about 400 MB so that it exceeds the file-size limits of many antivirus and sandbox tools. It then deploys several malware families: OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft (swapping wallet addresses on the clipboard), and AgentTesla, which harvests sensitive information from the compromised Windows machine.
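As an added example, not from the Fortinet research or the advisory, the following PowerShell check targets the binary-padding trick described above. A legitimately large binary ends in real data (a signature, resources, a structured overlay); a padded one ends in a long run of 0x00 bytes. The function reads only the tail of the file, so it is cheap even on a 400 MB sample. The thresholds are assumptions for the example, and the demonstration file is constructed inline rather than taken from the campaign.

```powershell
# Added example: detect null-byte padding by inspecting the tail of a file.
function Test-NullPadding {
    param(
        [Parameter(Mandatory)][string]$Path,
        [long]$TailBytes   = 1MB,    # how much of the end of the file to inspect
        [double]$NullRatio = 0.99,   # fraction of tail bytes that must be 0x00 (assumed threshold)
        [long]$MinSize     = 50MB    # only files at least this large are of interest (assumed)
    )

    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $size  = $fs.Length
        $count = [int][Math]::Min($TailBytes, $size)
        $buf   = New-Object byte[] $count
        $null  = $fs.Seek(-$count, [System.IO.SeekOrigin]::End)
        $read  = 0
        while ($read -lt $count) {            # Read may return fewer bytes than asked
            $n = $fs.Read($buf, $read, $count - $read)
            if ($n -le 0) { break }
            $read += $n
        }
    } finally {
        $fs.Dispose()
    }

    # Array comparison returns the matching elements, so this counts the zero bytes.
    $zeros = @($buf -eq 0).Count
    $ratio = if ($count -gt 0) { $zeros / $count } else { 0 }

    [pscustomobject]@{
        Path        = $Path
        SizeMB      = [Math]::Round($size / 1MB, 1)
        TailNullPct = [Math]::Round($ratio * 100, 2)
        Suspicious  = ($size -ge $MinSize -and $ratio -ge $NullRatio)
    }
}

# Demonstration on a constructed file: a few bytes of "payload" followed by 60 MB of
# zeros, which is what a padded loader looks like on disk (the real one is ~400 MB).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'padded-demo.bin'
$out  = [System.IO.File]::Create($demo)
try {
    $payload = [System.Text.Encoding]::ASCII.GetBytes('MZ-stand-in for a real PE image')
    $out.Write($payload, 0, $payload.Length)
    $out.SetLength($payload.Length + 60MB)   # extends the file with null bytes
} finally {
    $out.Dispose()
}

Test-NullPadding -Path $demo      # expect TailNullPct 100 and Suspicious True
Remove-Item $demo
```

To sweep a download directory, pipe file paths in: Get-ChildItem C:\Users\*\Downloads -File | ForEach-Object { Test-NullPadding -Path $_.FullName } | Where-Object Suspicious. Treat a hit as a triage signal, not a verdict; the next step is to strip the padding and submit the real executable to your sandbox, which the padding was meant to keep it out of.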
Consequences: Remote attackers steal credentials, sensitive information, and cryptocurrency.
Solution:
- Avoid suspicious links and URLs.
- Be wary of emails containing unexpected attachments, particularly Word documents that ask you to click an image or solve a CAPTCHA.
- Use FortiGuard Antivirus, or an equivalent up-to-date anti-malware product, for protection against this campaign.
References:
https://thehackernews.com/2023/09/sophisticated-phishing-campaign.html?&web_view=true
https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document
Advisory ID: NCC-CSIRT-130923-034
Summary: Researchers at Citizen Lab have identified a zero-click exploit chain (one requiring no user interaction) that targets two recently patched zero-day vulnerabilities in Apple's operating systems. Successful exploitation deploys the Pegasus commercial spyware, developed by the NSO Group, onto iPhones, including those running the latest iOS release at the time of discovery (iOS 16.6). NSO, named for its founders Niv, Shalev and Omri, is an Israeli cyber-intelligence company known for Pegasus, which is notorious for remote, zero-click surveillance of smartphones.
Threat Type(s): Spyware
Impact/Vulnerability: HIGH/CRITICAL
Product(s): iPhone, iPad, Macs, and Apple Watch
Platform(s): Apple Operating System
Version(s):
- iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Ventura
- Apple Watch Series 4 and later
Description: According to the researchers' findings, this exploit revolves around malicious images embedded in PassKit attachments. These harmful images are sent from an attacker's iMessage account to the victim. Furthermore, the zero-click attack identified leverages two vulnerabilities: one relates to a buffer overflow that occurs when processing carefully crafted images, and the other concerns a validation problem that can be manipulated through malicious attachments. Both of these vulnerabilities enable malicious actors to achieve arbitrary code execution on devices such as unpatched iPhones, iPads, Macs, and Apple Watches.
Consequences: Arbitrary code execution on devices such as unpatched iPhones, iPads, Macs, and Apple Watches, automatically triggered without any user interaction.
Solution:
- Update iOS, iPadOS, macOS Ventura and watchOS to 16.6.1, 16.6.1, 13.5.2 and 9.6.2 respectively.
- Users who are at risk of targeted exploitation because of who they are or what they do should enable Lockdown Mode, following the steps in the link below:
https://support.apple.com/en-ca/HT212650
References:
https://www.bleepingcomputer.com/news/security/apple-zero-click-imessage-exploit-used-to-infect-iphones-with-spyware/
https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
https://support.apple.com/en-ca/HT212650