Roaming Mantis Implements New DNS Changer in Its Malicious Mobile App in 2022

(published: January 19, 2023)

Background:

In December 2022, a financially motivated group dubbed Roaming Mantis (Shaoye) continued targeting mobile users with malicious landing pages. iOS users were redirected to phishing pages, while Android users were served malicious APK files detected as XLoader (Wroba, Moqhao). Japan, Austria, France, and Germany were the most targeted countries for XLoader downloads (in that order). In all but one of the targeted countries, smishing was the initial vector. In South Korea, Roaming Mantis implemented a new DNS changer function: XLoader-infected Android devices targeted specific Wi-Fi router models used mostly in South Korea, compromised routers that still had default credentials, and changed their DNS settings so that requests for legitimate domains were answered with malicious landing pages.

Takeaway:

The XLoader DNS changer function is especially dangerous in the context of free or public Wi-Fi networks that serve many devices. Install anti-virus software on your mobile device. Users should be cautious when receiving messages containing a link or unsolicited prompts to install software.
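A rogue resolver pushed by a compromised router shows up on every client that takes a DHCP lease from it, so one practical check is to compare the resolvers a device actually received against a known-good list. The script below is an added example written for this digest; it is not code from the original advisory or from the XLoader analysis it summarises. The allowlist, the RFC 1918 ranges used to tell a local resolver from an external one, and the resolv.conf-style sample (with 203.0.113.7, a documentation address, standing in for a rogue server) are all constructed for illustration.

```python
"""Flag unexpected DNS resolvers handed to a client (for example via DHCP).

Added example, not code from the original advisory or its sources. It checks
resolv.conf-style configuration against a constructed allowlist; the
addresses and sample configuration are constructed for illustration.
"""
import ipaddress

# Constructed allowlist: the router's LAN address plus permitted public resolvers.
TRUSTED_RESOLVERS = {
    ipaddress.ip_address("192.168.1.1"),
    ipaddress.ip_address("1.1.1.1"),
    ipaddress.ip_address("9.9.9.9"),
}

# RFC 1918 ranges: a resolver here is on the local network (typically the router).
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: a client whose DHCP lease now points at a rogue resolver
# (203.0.113.7 is a documentation address standing in for the attacker's server).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.7
search lan
"""


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(server, trusted=TRUSTED_RESOLVERS):
    """Classify one resolver address.

    Verdicts: 'trusted', 'lan-untrusted' (private address not on the
    allowlist), 'external-untrusted' (any other address) or 'invalid'.
    """
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if addr in trusted:
        return "trusted"
    if any(addr in net for net in LAN_NETWORKS):
        return "lan-untrusted"
    return "external-untrusted"


def audit_resolvers(resolv_conf, trusted=TRUSTED_RESOLVERS):
    """Return [(address, verdict), ...] for every configured resolver."""
    return [(s, classify_resolver(s, trusted)) for s in parse_nameservers(resolv_conf)]


def unexpected_resolvers(resolv_conf, trusted=TRUSTED_RESOLVERS):
    """Return only the resolvers that are not on the allowlist."""
    return [s for s, verdict in audit_resolvers(resolv_conf, trusted) if verdict != "trusted"]


if __name__ == "__main__":
    for address, verdict in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{address:16} {verdict}")
```

On a managed fleet the same comparison can be run from an MDM or endpoint agent against the device's live resolver list; an 'external-untrusted' verdict on a device that should only ever use the router or the organisation's own resolvers is the signal to inspect the router's DNS settings and rotate its credentials.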

Hook: a New Ermac Fork with RAT Capabilities

(published: January 19, 2023)

Background:

ThreatFabric researchers analyzed a new Android banking trojan named Hook. It is a rebranded development of the Ermac malware, which was itself based on the Android banker Cerberus. Hook adds new capabilities for targeting banking and cryptocurrency-related applications. The malware also gained remote access trojan and spyware capabilities. Its device take-over features include remotely viewing and interacting with the screen of the infected device, manipulating files on the device's file system, simulating clicks, filling text boxes, and performing gestures. Hook can start the WhatsApp messaging application, extract all messages present, and send new ones.

Takeaway:

Users should take their mobile device security seriously whether they use the device for social messaging or for access to their banking accounts and/or cryptocurrency holdings. Like its predecessors, Hook will likely be used by many threat actors (malware-as-a-service model). This means protecting against a wide range of attacks: smishing, prompts to install malicious apps, excessive permission requests, etc.


Traffic Signals: The VASTFLUX Takedown

(published: January 19, 2023)

Background:

HUMAN researchers discovered a massive ad fraud operation dubbed VASTFLUX that targeted applications on iOS. The actors bid on a slot for an in-app advertisement and then ran up to 25 invisible video ads underneath it. VASTFLUX peaked in June 2022, with 12 billion bid requests a day, spoofing 1,700 apps and 120 publishers, and running inside apps on nearly 11 million devices. The campaign used JavaScript obfuscation, blocked certain tracking URLs to evade ad verification tags, and took advantage of the fact that in-app advertisements on iOS provide less information to verification providers than ads that run on pages visited within a web browser.

Takeaway:

It took half a year and four rounds of collective mitigation measures to bring VASTFLUX traffic to zero. Users can help by monitoring for unexpected app behavior such as rapid battery drain and device slowdown. App developers and ad platforms should implement the proposed standards for advertising verification and supply-chain transparency.

Chinese Playful Taurus Activity in Iran

(published: January 11, 2023)

Background:

Ke3chang (Playful Taurus, APT15, Vixen Panda, Nickel) is a China-sponsored advanced persistent threat group that has been targeting government and diplomatic entities across Africa, the Middle East, and North and South America since 2010. From April to December 2022, a new campaign discovered by Palo Alto researchers targeted Iranian government entities. The campaign used three X.509 certificates: two related to pfSense firewalls and an expired certificate related to Senegal's Ministry of Foreign Affairs infrastructure. Ke3chang used a new version of its custom Turian backdoor, which received additional obfuscation and a modified network protocol that incorporates the Security Support Provider Interface.

Takeaway:

It is important to proactively hunt for Ke3chang infrastructure, as the group continuously adds new domains, IP addresses, and abused certificates. Defense in depth involves layering defense mechanisms: network and endpoint security, social engineering training for staff (such as exercises that help them detect phishing emails), and robust threat intelligence capabilities.

IcedID and Infostealers Spread Through Adverts Mimicking Popular Tools

(published: January 18, 2023)

Background:

Several malware delivery campaigns were detected abusing legitimate free and open-source software brands on Google Ads. HP researchers analyzed two major campaigns delivering IcedID and Vidar Stealer, and smaller campaigns delivering Rhadamanthys Stealer and BatLoader. The attackers used typosquatting and impersonated popular brands such as Adobe, Audacity, Blender, Discord, Fortinet, GIMP, Microsoft Teams, Notepad++, and many others. Advertisements on the search engine were bought for these copied websites. Users were directed to a download link leading to an infostealer hosted on a file-sharing service.

Takeaway:

Consider using an ad-blocker. Before clicking to download software, check whether the domain name is misspelled. As always, end-user education and awareness remain a key component of any organization's protective arsenal. Until search engines get better at recognizing this kind of redirect abuse, take extra caution with search results, especially promoted ones.
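"Check whether the domain name is misspelled" is hard to do reliably by eye, which is why these campaigns work; the same check can be automated in a proxy log review or ad-placement review. The script below is an added example written for this digest, not code from the HP report or the original advisory. It folds digit and Cyrillic look-alikes into ASCII, expands punycode labels, and then scores each candidate against a constructed allowlist of download sites by edit distance; the allowlist, the confusables table, the edit-distance threshold of 2 and the "last two labels" approximation of a registrable domain (a real deployment would use the Public Suffix List and the full Unicode confusables table) are all assumptions of this example.

```python
"""Score candidate domains for lookalike similarity to trusted software sites.

Added example, not from the HP report or the original advisory. The
legitimate domain list, confusable-character table and candidate domains
are constructed for illustration.
"""
import unicodedata

# Constructed allowlist of legitimate download sites.
LEGIT_DOMAINS = {
    "notepad-plus-plus.org",
    "audacityteam.org",
    "blender.org",
    "gimp.org",
    "discord.com",
}

# Small constructed confusables table: digits and non-Latin letters that
# look like ASCII letters (a real tool would use the Unicode confusables data).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0131": "i",  # Latin dotless i
})

# Constructed candidates as they might appear in a proxy log or ad review.
CANDIDATES = [
    "notepad-plus-plus.org",
    "notepadplusplus.org",
    "b1ender.org",
    "\u0430udacityteam.org",  # leading Cyrillic a
    "gimp-download.net",
    "example.com",
]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Last two labels of a domain (simplification: no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def normalize(domain):
    """Unicode-normalise, expand punycode labels and fold confusable characters."""
    d = unicodedata.normalize("NFKC", domain.strip().rstrip(".")).lower()
    try:
        d = d.encode("ascii").decode("idna")  # xn--... labels back to Unicode
    except UnicodeError:
        pass  # already contains non-ASCII characters; nothing to expand
    return d.translate(CONFUSABLES)


def classify(candidate, legit=LEGIT_DOMAINS, max_distance=2):
    """Return (verdict, matched legitimate domain or None).

    Verdicts: 'legitimate', 'homoglyph' (equal after confusable folding),
    'lookalike' (within max_distance edits), 'brand-token' (a legitimate
    brand appears as a hyphen-separated token) or 'unrelated'.
    """
    raw = registrable(candidate)
    if raw in legit:
        return "legitimate", raw
    folded = registrable(normalize(candidate))
    if folded in legit:
        return "homoglyph", folded
    closest = min(legit, key=lambda site: levenshtein(folded, site))
    if levenshtein(folded, closest) <= max_distance:
        return "lookalike", closest
    tokens = set(folded.split(".")[0].split("-"))
    for site in sorted(legit):
        if site.split(".")[0] in tokens:
            return "brand-token", site
    return "unrelated", None


def scan(candidates, legit=LEGIT_DOMAINS):
    """Map each candidate domain to its verdict for downstream blocking or review."""
    return {c: classify(c, legit) for c in candidates}


if __name__ == "__main__":
    for domain, (verdict, match) in scan(CANDIDATES).items():
        print(f"{domain:28} {verdict:12} {match or ''}")
```

A 'homoglyph' or 'lookalike' verdict on a domain appearing in a promoted search result is exactly the case the takeaway describes; 'brand-token' hits (a brand name inside a longer domain) need human review, since legitimate mirrors and reseller sites produce them too.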
