Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution

Background:

McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, the Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver AgentTesla, the Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry, which also prevents users from turning it back on through the Defender settings.

Takeaway:

Threat actors constantly adapt to the security environment to remain effective. New techniques can still be spotted with behavioral-analysis defenses and social-engineering training. Users should report suspicious files with double extensions such as .EXE.MUI.
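A defender-side check for the Defender tampering described above, added here as an example and not part of the original digest: it reads the Defender policy registry values that switch protection off and compares them with the live engine state reported by Get-MpComputerStatus. The value names are the documented Defender policy values; run it in an elevated PowerShell session on the host under review.

```powershell
# Added example (not from the article): report Defender policy registry values
# that disable protection, then show the live engine and Tamper Protection state.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$checks = @(
    @{ Path = $policyRoot;                          Name = 'DisableAntiSpyware' },
    @{ Path = "$policyRoot\Real-Time Protection";   Name = 'DisableRealtimeMonitoring' },
    @{ Path = "$policyRoot\Real-Time Protection";   Name = 'DisableBehaviorMonitoring' },
    @{ Path = "$policyRoot\Real-Time Protection";   Name = 'DisableOnAccessProtection' }
)

$findings = foreach ($c in $checks) {
    # A missing key or value returns $null here; only an explicit 1 disables the feature.
    $data = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Key     = $c.Path
        Value   = $c.Name
        Data    = $data
        Suspect = ($data -eq 1)
    }
}
$findings | Format-Table -AutoSize

# Live engine state. With Tamper Protection on, registry edits like the ones
# above are ignored; if it is off, the policy values take effect and the
# Defender settings UI greys out the corresponding toggles.
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    IsTamperProtected         = $status.IsTamperProtected
} | Format-List

if ($findings.Suspect -contains $true) {
    Write-Warning 'Defender disabled via policy registry values; treat the host as suspect, remove the values, and investigate.'
}
```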

Eastern Asian Android Assault – FluHorse

Background:

Active since May 2022, a newly detected Android stealer dubbed FluHorse spreads by mimicking popular apps or posing as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functionality while relying on a custom virtual machine that ships with the Flutter user-interface software development kit. FluHorse is distributed via emails that prompt the recipient to install the app; once installed, it asks for the user’s credit card or banking data. If second-factor authentication is needed to commit banking fraud, FluHorse tells the user to wait 10-15 minutes while it intercepts the codes through a listener it installs for all incoming SMS messages.

Takeaway:

FluHorse’s ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications from download links received via email or other messaging. Verify an app’s authenticity on the official company (bank, toll operator) website.


Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign

Background:

The North Korea-sponsored group Kimsuky (also tracked as Thallium and Velvet Chollima) has been involved in cyberespionage operations since at least 2012. SentinelOne researchers describe its new campaign targeting the analysis firm Korea Risk Group, with likely broader targeting across Asia, Europe, and the United States, including government entities, research universities, and think tanks. The group starts with a meticulously crafted spearphishing email linking to a password-protected maldoc containing Microsoft Office macros that activate on document close. The group uses the ReconShark infostealer-downloader, a new variant of its custom BabyShark malware family.

Takeaway:

Defense-in-depth is the best way to ensure safety from advanced persistent threat groups. This can include network and endpoint security, social-engineering training for staff (such as exercises that help them detect phishing emails), and robust threat intelligence capabilities.

Not Quite an Easter Egg: A New Family of Trojan Subscribers on Google Play

Background:

Active since 2022, a new subscription Trojan dubbed Fleckpe spreads on Google Play through trojanized photo-editing, smartphone-wallpaper, and similar apps. Eleven Fleckpe-infected apps on Google Play have been installed on more than 620,000 devices, according to Kaspersky researchers. The campaign focused on Thailand, with additional targeting in Indonesia, Malaysia, Poland, and Singapore. The trojanized app loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload from the app assets. The payload contacts the C2 with the infected device’s country and carrier. The C2 server returns a paid subscription page, which the malware opens in an invisible web browser. Fleckpe then extracts confirmation codes from notifications and attempts to subscribe on the user’s behalf.

Takeaway:

All eleven Fleckpe-infected apps have been removed from Google Play, but the actors may be publishing others. Users should use caution when installing applications and granting them extra permissions, and should regularly monitor their statements to identify rogue subscriptions.

New KEKW Malware Variant Identified in PyPI Package Distribution

Background:

Cyble researchers have detected a number of malicious packages on the Python Package Index (PyPI) that were delivering the KEKW infostealer-clipper. These packages are archives in the wheel distribution format (WHL files). Once activated, they install additional libraries, perform virtual-environment checks, stop certain anti-malware and debugging processes, and achieve persistence via a startup entry. KEKW replaces cryptocurrency wallet addresses in the clipboard and steals cookies, credentials, and other sensitive information from various sources, including browsers, popular applications (email, gaming, retail, ridesharing, and streaming), and text files.

Takeaway:

Software developers should be aware of ongoing index-poisoning campaigns that rely on typosquatting the names of popular libraries. Once compromised systems have been cleaned of KEKW, affected users are advised to change passwords immediately, replace compromised banking cards, and take steps to secure their banking and cryptocurrency deposits.
