Cyber security weekly recap (21-27 Nov.)


The infamous Emotet malware is back, and it’s launching a massive spam campaign.

The notorious Emotet malware has reappeared as part of a massive malspam campaign that aims to distribute IcedID and Bumblebee payloads.

Enterprise security firm Proofpoint reported that “hundreds of thousands of emails per day” have been transmitted over Emotet since early November 2022, and that the current activity shows Emotet is back to its full capability, operating as a delivery network for key malware families.

Information that has been made public shows that the United States, United Kingdom, Japan, Germany, Italy, France, Spain, Mexico, and Brazil are all top targets of the malware distribution campaign.

Malware infection chains have been seen using both generic lures and email thread hijacking to get people to open macro-enabled Excel attachments.

The renewed malware activity comes with modifications to the Emotet loader component, including new commands and an updated packer designed to hinder reverse engineering.

New malware installs malicious browser extensions to steal passwords and cryptocurrency from users.

Recent studies reveal that a Windows information stealer called ViperSoftX is spreading a malicious extension for browsers based on the Chromium open source project.

The rogue browser add-on comes with the ability to monitor user activity, steal credentials and clipboard data, and even conduct cryptocurrency address swaps via an adversary-in-the-middle (AiTM) attack.

Fortinet has described ViperSoftX as a remote access trojan and cryptocurrency stealer.

Avast researcher Jan Rubín wrote in a technical report that this multi-stage stealer demonstrates interesting concealment capabilities, such as hiding small PowerShell scripts in the middle of harmless-looking log files.

The Malicious Capabilities of the Ducktail Malware Operation Continue to Grow.

The Ducktail information stealer’s developers continue to add new features to their malware as part of their ongoing, financially motivated campaign.

According to a new investigation by WithSecure researcher Mohammad Kazem Hassan Nejad, the malware specializes in stealing browser cookies and taking advantage of authenticated Facebook sessions to collect information from the victim’s Facebook account.

The information that has been revealed indicates that the operation’s end goal is to take over any Facebook Business accounts the victim has access to in order to run ads and generate advertising revenue.

The threat actor has changed the way it uses spear-phishing. Now, it starts infection chains by sending spreadsheet documents hosted on Apple’s iCloud and Discord as part of an archive file through channels like LinkedIn and WhatsApp.

Thousands of Android devices were infected with the SharkBot Malware Thanks to a File Manager App.

SharkBot, Android malware that masquerades as file manager apps to commit banking fraud, is back on the official Google Play Store.

According to an investigation published by Bitdefender, the majority of users who downloaded the malicious apps are based in the United Kingdom and Italy.

Initially discovered at the end of 2021, SharkBot is a persistent mobile threat that spreads through both the Google Play Store and other third-party app shops.

One of the trojan's main malicious functions is initiating money transfers from infected devices. It does this by abusing the “Automatic Transfer System” (ATS) technique, in which a transaction started through a banking app is intercepted and the payee account is swapped for an actor-controlled account.

The threat can also display a fake login overlay when users open legitimate banking apps, and steal their credentials.

Here are the bogus apps, linked to the malware, that have been taken down from the Google Play Store:

  • X-File Manager (com.victorsoftice.llc)
  • FileVoyager (com.potsepko9.FileManagerApp)
  • LiteCleaner M (com.ltdevelopergroups.litecleaner.m)

If a user has installed any of the malicious apps listed above, they should uninstall them and reset their banking account passwords immediately. Users should also turn on Google Play Protect and read reviews and ratings carefully before installing any apps.
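For administrators checking a fleet of Android devices, the quickest way to act on the three package names above is to compare them against the device's installed-package list. The script below is an added example written for this recap, not code from Bitdefender or from the original article: it defines a POSIX shell function that reads `pm list packages` output on standard input and reports any package matching the published SharkBot list. The sample input embedded at the bottom is constructed for demonstration; on a real device with USB debugging enabled you would pipe `adb shell pm list packages` into the function instead.

```shell
#!/bin/sh
# Package names taken from the Bitdefender SharkBot report quoted above.
SHARKBOT_PACKAGES="com.victorsoftice.llc
com.potsepko9.FileManagerApp
com.ltdevelopergroups.litecleaner.m"

# find_sharkbot_packages: read "package:<name>" lines (the format printed by
# `pm list packages`) on stdin, print each installed package that is on the
# known-bad list, one per line. Returns 0 if at least one match was found,
# 1 if the device is clean (grep-style, so it works in an if/while test).
find_sharkbot_packages() {
    found=1
    cr=$(printf '\r')
    while IFS= read -r line; do
        # Strip the "package:" prefix and any trailing CR that adb may emit.
        pkg="${line#package:}"
        case "$pkg" in *"$cr") pkg="${pkg%"$cr"}" ;; esac
        for bad in $SHARKBOT_PACKAGES; do
            if [ "$pkg" = "$bad" ]; then
                printf '%s\n' "$pkg"
                found=0
            fi
        done
    done
    return "$found"
}

# scan_connected_device: run the check against the device attached via adb.
# Assumes the adb tool is on PATH and one device is connected and authorised.
scan_connected_device() {
    adb shell pm list packages | find_sharkbot_packages
}

# Constructed sample of `pm list packages` output: one benign app plus two
# of the packages named in the report. Not real device output.
SAMPLE_OUTPUT="package:com.android.chrome
package:com.victorsoftice.llc
package:com.potsepko9.FileManagerApp"

if printf '%s\n' "$SAMPLE_OUTPUT" | find_sharkbot_packages; then
    echo "SharkBot-linked packages present: uninstall and reset banking credentials."
else
    echo "No SharkBot-linked packages found."
fi
```

When a match is reported, the remediation is the one the report gives: remove the app (`adb uninstall <package>` works for an attached device) and have the user change their banking passwords, since the ATS abuse and overlay phishing described above may already have exposed them.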

Criminals from the Bahamut Group are using bogus Virtual Private Network Apps to spy on Android users.

Targeted attacks on Android users with malicious apps meant to steal private data have been linked to the cyber espionage group Bahamut.

According to a new analysis by ESET, the activity dates back to January 2022 and involves the distribution of rogue VPN software via a bogus SecureVPN website.

To date, researchers have uncovered at least eight unique spyware app variants, all of which are trojanized versions of otherwise legitimate VPN programs such as SoftVPN and OpenVPN. None of these applications is currently available on the Google Play Store.

The analysis shows that the mobile campaign run by the Bahamut APT group is still ongoing and that the same method is still being used to spread Android spyware: websites that imitate those of legitimate businesses.

Interpol Seized $130 Million from Cybercriminals as part of its Global “HAECHI-III” Crackdown Operation.

$130 million worth of virtual assets have been seized by Interpol as part of a global crackdown on cyber-enabled financial crimes and money laundering.

The operation, codenamed HAECHI-III, took place between June 28 and November 23, 2022, resulting in the arrest of 975 suspects and the resolution of over 1,600 pending cases.

Over the course of the five-month operation, roughly 2,800 bank and virtual-asset accounts were frozen for being used to launder the stolen monies.

The United States has banned the import of telecom equipment and surveillance cameras made in China due to concerns for national security.

The Federal Communications Commission (FCC) has declared it will no longer approve electronic equipment manufactured by Huawei, ZTE, Hytera, Hikvision, and Dahua, due to their “unacceptable” risk to U.S. national security.

According to FCC Chairwoman Jessica Rosenworcel’s order, the FCC is dedicated to preserving U.S. national security by ensuring that untrustworthy communications equipment is not approved for use within U.S. borders.

Government agencies had already been advised that no such equipment should be connected to departmental core networks, and were urged to consider removing and replacing such equipment where it is deployed at critical sites.

About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her commitment to simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.