
Kimsuky APT poses as journalists and broadcast writers in its attacks

North Korea-linked APT group Kimsuky is posing as journalists to gather intelligence, a joint advisory from NSA and FBI warns.

A joint advisory from the FBI, the U.S. Department of State, the National Security Agency (NSA), South Korea’s National Intelligence Service (NIS), National Police Agency (NPA), and Ministry of Foreign Affairs (MOFA) warns that the North Korea-linked Kimsuky APT group has been impersonating journalists and academics in a spear-phishing campaign aimed at individuals employed by research centers and think tanks, academic institutions, and news media organizations.

The Kimsuky cyberespionage group (aka ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researchers in 2013. At the end of October 2020, US-CERT published a report on Kimsuky’s recent activities that provided information on their TTPs and infrastructure.

The APT group mainly targets think tanks and organizations in South Korea; other victims were in the United States, Europe, and Russia.

In the latest Kimsuky campaign, the state-sponsored group focused on nuclear agendas between China and North Korea as they relate to the ongoing war between Russia and Ukraine.

“Some targeted entities may discount the threat posed by these social engineering campaigns, either because they do not perceive their research and communications as sensitive in nature, or because they are not aware of how these efforts fuel the regime’s broader cyber espionage efforts. However, as outlined in this advisory, North Korea relies heavily on intelligence gained by compromising policy analysts.” reads the joint advisory. “Further, successful compromises enable Kimsuky actors to craft more credible and effective spearphishing emails that can be leveraged against more sensitive, higher-value targets.” 

The APT group has persistently refined its social engineering tactics, making its spear-phishing campaigns progressively harder to detect.

Kimsuky spear-phishing campaigns are often prepared with detailed information-gathering activity aimed at identifying potential targets; the threat actors then create a tailored network of online personas to appear more realistic and appealing to their victims.

Threat actors often impersonate real journalists and broadcast writers to present a credible front and make inquiries to prominent experts about political events on the Korean peninsula.

“Usually, the questions will revolve around current events and whether U.S. experts believe North Korea will re-join talks with the U.S., whether they believe North Korea will resume testing its missiles, and how they see China responding.” continues the advisory. “In many instances, Kimsuky actors do not attach malware to their initial email. Instead, they first send an introductory email to inquire about interview opportunities.”

The state-sponsored hackers initially send the interview request to the victims; these initial messages don’t contain malicious attachments or links. Once the attackers have gained the victim’s trust, they send the questionnaire to the victim.

If the target does not respond to the spear-phishing emails, the threat actors send a follow-up message a few days later.

In some attacks, the state-sponsored hackers impersonated South Korean academic scholars asking researchers at think tanks to participate in a survey, for example on North Korean nuclear issues and denuclearization on the Korean Peninsula, or requesting an email interview.

In additional instances, Kimsuky operatives assume the identities of respected researchers affiliated with South Korean think tanks, then send spear-phishing emails to political figures and North Korean experts.

Kimsuky actors were also observed impersonating officials handling North Korean policies within governmental entities like the South Korean National Assembly or the presidential office.

The APT group also impersonates operators or administrators of popular web portals, claiming that a victim’s account has been locked following suspicious activity or fraudulent use.

The advisory includes potential mitigation measures for email recipients and recipients’ systems administrators.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

New Linux Ransomware BlackSuit is similar to Royal ransomware

Experts noticed that the new Linux ransomware BlackSuit has significant similarities with the Royal ransomware family.

Royal ransomware is one of the most notable ransomware families of 2022; it made the headlines in early May 2023 with the attack against the IT systems of Dallas, Texas.

The human-operated Royal ransomware first appeared on the threat landscape in September 2022, and it has demanded ransoms of up to millions of dollars.

The Royal ransomware is written in C++; it infects Windows systems and deletes all Volume Shadow Copies to prevent data recovery. The ransomware encrypts the network shares found on the local network, as well as the local drives, with the AES algorithm.

In early May, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to provide organizations with the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with this ransomware family.

According to government experts, the Royal ransomware attacks targeted numerous critical infrastructure sectors, including manufacturing, communications, healthcare and public health (HPH), and education.

In May, multiple cybersecurity experts spotted a new ransomware family called BlackSuit, including Palo Alto Unit42 experts.

In the same period, some researchers linked the new ransomware to the Royal ransomware.

Trend Micro researchers initially analyzed a Windows 32-bit sample of the ransomware obtained from Twitter.

BlackSuit appends the .blacksuit extension to the name of the encrypted files, drops a ransom note into each directory containing the encrypted files, and adds the reference to its TOR chat site in the ransom note along with a unique ID for each of its victims.

BlackSuit ransomware operators also set up a data leak site.

Trend Micro researchers then compared an x64 VMware ESXi version of BlackSuit targeting Linux machines with the Royal ransomware and discovered an extremely high degree of similarity between the two families.

“After comparing both samples of the Royal and BlackSuit ransomware, it became apparent to us that they have an extremely high degree of similarity to each other.” reads the analysis published by TrendMicro. “In fact, they’re nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files.”

A further comparison revealed 93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps based on BinDiff.

The researchers mapped the command-line arguments accepted by BlackSuit, and noticed that it introduces different argument strings compared to Royal ransomware.

“The emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family.” concludes the report.

“One possibility for BlackSuit’s creation is that, since the threat actors behind Royal (and Conti before it) are one of the most active ransomware groups in operation today, this may have led to increased attention from other cybercriminals, who were then inspired to develop a similar ransomware in BlackSuit. Another option is that BlackSuit emerged from a splinter group within the original Royal ransomware gang.”


CISA adds Progress MOVEit Transfer zero-day to its Known Exploited Vulnerabilities catalog

US CISA added the actively exploited Progress MOVEit Transfer zero-day vulnerability to its Known Exploited Vulnerabilities catalog.

US Cybersecurity and Infrastructure Security Agency (CISA) added a Progress MOVEit Transfer SQL injection vulnerability, tracked as CVE-2023-34362, to its Known Exploited Vulnerabilities Catalog.

Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer product to steal data from organizations.

MOVEit Transfer is a managed file transfer solution used by enterprises to securely transfer files using SFTP, SCP, and HTTP-based uploads.

The vulnerability is a SQL injection flaw; it can be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.

“a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer’s database.” reads the advisory published by the company. “Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.”

The vulnerability affects all MOVEit Transfer versions; it doesn’t affect the cloud version of the product. The company also shared Indicators of Compromise (IoCs) for this attack and urges customers that notice any of the indicators to immediately contact their security and IT teams.

Multiple security firms are warning that the vulnerability has been actively exploited in the wild.

GreyNoise researchers observed scanning activity for the MOVEit Transfer login page, located at /human.aspx, as early as March 3rd, 2023; for this reason, the experts recommend that Progress customers review potentially malicious activity recorded in the last 90 days.

By May 31, Rapid7 experts discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by June 23, 2023.


New botnet Horabot targets Latin America

A new botnet malware dubbed Horabot has been targeting Spanish-speaking users in Latin America since at least November 2020.

Cisco Talos researchers observed threat actors deploying a previously unidentified botnet, dubbed Horabot, that is targeting Spanish-speaking users in the Americas. The botnet is used to deliver a banking trojan and a spam tool to the infected systems; Horabot has been active since at least November 2020.

The bot allows operators to control the victim’s Outlook mailbox, steal contacts’ email addresses, and send phishing emails with malicious HTML attachments. The banking trojan deployed as part of the campaign can collect the victim’s login credentials for various online accounts, operating system information and keystrokes. The malware also allows bypassing 2FA by stealing one-time security codes and can steal soft tokens from the victim’s online banking applications.

The spam tool allows the operators to compromise Gmail, Outlook, and Yahoo! webmail accounts to send out spam emails.

Most of the victims are in Mexico; limited infections were reported in Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama. Based on Talos analysis, the threat actors behind the campaign may be located in Brazil.

The attack chain commences with a tax-themed phishing email written in Spanish, posing as a tax receipt notification. The message is written to trick users into opening the attached malicious HTML file.

“When a victim opens the HTML file attachment, an embedded URL is launched in the victim’s browser, redirecting to another malicious HTML file from an attacker-controlled AWS EC2 instance.” reads the analysis published by Talos. “The content displayed on the victim’s browser lures them to click an embedded malicious hyperlink which downloads a RAR file.”

Upon opening the contents of the file, a PowerShell downloader script is executed. The script retrieves a ZIP file containing the main payloads from a remote server, then reboots the victim’s machine.

The banking Trojan and the spam tool are executed after restarting the system.

The banking trojan employed in this campaign is a 32-bit Windows DLL written in the Delphi programming language; the researchers noticed overlaps with other Brazilian trojans such as Mekotio and Casbaneiro.

“In analyzing the phishing emails used in the campaign, Talos identified that users in organizations across several business verticals — including accounting, construction and engineering, wholesale distributing and investment firms — have been affected. However, the attacker uses Horabot and the spam tool in this campaign to further propagate the attack by sending additional phishing emails to the victim’s contacts, meaning Spanish-speaking users from organizations in additional verticals are likely also affected.” concludes the report.


Point32Health ransomware attack exposed info of 2.5M people

After the recent ransomware attack, Point32Health disclosed a data breach that impacted 2.5 million Harvard Pilgrim Health Care subscribers.

In April, the non-profit health insurer Point32Health took systems offline in response to a ransomware attack that took place on April 17. The insurer immediately launched an investigation into the incident with the help of third-party cybersecurity experts to determine the extent of the incident.

The organization notified law enforcement and regulators.

Most of the impacted systems are related to Harvard Pilgrim Health Care, which in mid-April announced on Facebook that it was experiencing technical issues with its website and phone lines.

At the time of the attack, the company did not provide details about the attack, such as the family of ransomware that compromised its systems and the number of impacted individuals.

Now Point32Health revealed threat actors have exfiltrated data from the Harvard Pilgrim systems between March 28, 2023 and April 17, 2023. The company has notified the US Department of Health and Human Services that over 2.55 million individuals’ information was compromised in the ransomware attack, reported SecurityWeek.

“Harvard Pilgrim Health Care (“Harvard Pilgrim”) is providing notice of a data security incident that may affect the privacy of certain individuals’ protected health information and/or personal information.” reads a notice published by the company. “On April 17, 2023, Harvard Pilgrim discovered a cybersecurity ransomware incident that impacted systems that support Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS). We are working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation.”

As of the time of writing, no ransomware group has taken responsibility for the attack.

Stolen data include names, addresses, phone numbers, birth dates, Social Security numbers, health insurance account information, taxpayer identification numbers, and clinical information, including medical history, diagnoses, and treatment details.

The security breach impacted former and current customers, as well as current and former members of Health Plans Inc., between June 2020 and the present.

Harvard Pilgrim pointed out that it is not aware of any fraudulent use of stolen information.


MOVEit Transfer software zero-day actively exploited in the wild

Threat actors are exploiting a zero-day flaw in Progress Software’s MOVEit Transfer product to steal data from organizations.

Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer product to steal data from organizations.

MOVEit Transfer is a managed file transfer solution used by enterprises to securely transfer files using SFTP, SCP, and HTTP-based uploads.

The vulnerability is a SQL injection flaw; it can be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.

“a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer’s database.” reads the advisory published by the company. “Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.”

The vulnerability affects all MOVEit Transfer versions; it doesn’t affect the cloud version of the product. The company also shared Indicators of Compromise (IoCs) for this attack and urges customers that notice any of the indicators to immediately contact their security and IT teams.

Multiple security firms are warning that the vulnerability has been actively exploited in the wild.

GreyNoise researchers observed scanning activity for the MOVEit Transfer login page, located at /human.aspx, as early as March 3rd, 2023; for this reason, the experts recommend that Progress customers review potentially malicious activity recorded in the last 90 days.

“While we have not observed activity directly related to exploitation, all of the 5 IPs we have observed attempting to discover the location of MOVEit installations were marked as “Malicious” by GreyNoise for prior activities.” reads the alert published by GreyNoise. “The primary artifact, observed through publicly available information, is the presence of a webshell named human2.aspx. This is a post-exploitation file artifact that is written to the filesystem by a malicious actor allowing them to execute arbitrary commands. GreyNoise is observing scanning activity looking to identify the presence of the human2.aspx webshell dropped as part of the post-exploitation activity.”

By May 31, Rapid7 experts discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States.

“Our teams have so far observed the same webshell name in multiple customer environments, which may indicate automated exploitation.” reported Rapid7.

Threat actors exploit the vulnerability to establish a webshell (‘human2.aspx’) in the ‘wwwroot’ folder of the MOVEit software.
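A log-triage script for the artifacts named in this and the previous MOVEit Transfer article (scanning of the /human.aspx login page, the human2.aspx webshell under wwwroot), written here as an added example; it is not code from Progress, GreyNoise or Rapid7. The IIS W3C field order and the sample log lines are constructed assumptions; adjust LOG_RE to the #Fields header your server writes.

```python
"""Triage IIS logs and a wwwroot file listing for the MOVEit Transfer artifacts
described in the advisories: probes of /human.aspx and any request for, or
file named, human2.aspx (the post-exploitation webshell)."""
import re
from collections import Counter

WEBSHELL = "/human2.aspx"   # post-exploitation artifact named by GreyNoise and Rapid7
LOGIN_PAGE = "/human.aspx"  # legitimate login page that GreyNoise saw being scanned

# Assumed #Fields order (constructed for this example):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \S+ (?P<method>\S+) (?P<uri>\S+) \S+ \d+ "
    r"(?P<user>\S+) (?P<client>\S+) \S+ (?P<status>\d{3})$"
)

# Constructed sample: two unauthenticated probes of the login page from one IP,
# a POST to the webshell path from the same IP, a normal authenticated session,
# and a second host looking for the webshell and getting a 404.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 03:12:41 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2023-05-28 03:12:42 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2023-05-28 03:13:09 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.10 python-requests/2.28 200
2023-05-28 03:14:00 10.0.0.5 GET /human.aspx - 443 alice 198.51.100.7 Mozilla/5.0 200
2023-05-28 03:15:13 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.9 curl/7.88 404
"""


def parse_iis_line(line):
    """Return the fields of one W3C log line, or None for comment, blank or unparseable lines."""
    if not line or line.startswith("#"):
        return None
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text, scan_threshold=2):
    """Return webshell requests and likely login-page scanners found in log_text.

    webshell_hits: every request whose path is the webshell, whatever the status
    code (a 404 still shows someone checking for it).
    scanners: client IPs with at least scan_threshold unauthenticated requests
    to the login page.
    """
    webshell_hits = []
    login_probes = Counter()
    for raw in log_text.splitlines():
        rec = parse_iis_line(raw)
        if rec is None:
            continue
        path = rec["uri"].lower()
        if path == WEBSHELL:
            webshell_hits.append(
                (rec["client"], f'{rec["date"]} {rec["time"]}', rec["method"], int(rec["status"]))
            )
        elif path == LOGIN_PAGE and rec["user"] == "-":
            login_probes[rec["client"]] += 1
    scanners = sorted(ip for ip, n in login_probes.items() if n >= scan_threshold)
    return {"webshell_hits": webshell_hits, "scanners": scanners}


def find_webshell_paths(paths):
    """Given file paths listed from the MOVEit wwwroot folder (e.g. a recursive
    directory listing), return those whose file name is human2.aspx."""
    return [p for p in paths if p.replace("\\", "/").rsplit("/", 1)[-1].lower() == "human2.aspx"]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["webshell_hits"]:
        print("webshell request:", hit)
    print("login page scanners:", result["scanners"])
    print("webshell files:", find_webshell_paths(["wwwroot\\human2.aspx", "wwwroot\\human.aspx"]))
```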


Russia’s FSB blames the US intelligence for Operation Triangulation

Russia’s Federal Security Service (FSB) said that the recent zero-click iOS attacks against iPhones, carried out as part of Operation Triangulation, were the work of US intelligence.

Researchers from the Russian firm Kaspersky have uncovered a previously unknown APT group that is targeting iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation.

The experts uncovered the attack while monitoring the network traffic of the company’s own corporate Wi-Fi network dedicated to mobile devices, using the Kaspersky Unified Monitoring and Analysis Platform (KUMA).

According to Kaspersky researchers, Operation Triangulation began at least in 2019 and is still ongoing.

The attack chains commenced with a message sent via the iMessage service to an iOS device. The message has an attachment containing an exploit. The experts explained that the message triggers a remote code execution vulnerability without any user interaction (zero-click).

Shortly after Kaspersky’s disclosure, Russia’s FSB accused US intelligence of the attacks against the iPhones. According to Russian intelligence, thousands of iOS devices belonging to domestic subscribers and to diplomatic missions and embassies have been targeted as part of Operation Triangulation.

“The Federal Security Service of the Russian Federation, together with the Federal Security Service of Russia, uncovered a reconnaissance operation by American intelligence services carried out using Apple mobile devices (USA).” reads the announcement published by FSB. “It was found that several thousand telephone sets of this brand were infected. At the same time, in addition to domestic subscribers, facts of infection of foreign numbers and subscribers using SIM cards registered with diplomatic missions and embassies in Russia, including the countries of the NATO bloc and the post-Soviet space, as well as Israel, SAR and China, were revealed.”

The operations aimed at gathering intelligence from diplomats from NATO countries, Israel, China and Syria.

The FSB believes that Apple supported US intelligence in this cyberespionage campaign.

“Thus, the information received by the Russian special services testifies to the close cooperation of the American company Apple with the national intelligence community, in particular the US NSA, and confirms that the declared policy of ensuring the confidentiality of personal data of users of Apple devices is not true.” concludes FSB. “The company provides the US intelligence services with a wide range of opportunities to control both any person of interest to the White House, including their partners in anti-Russian activities, and their own citizens.”

The exploit used in the attack downloads multiple subsequent stages from the C2 server, including additional exploits for privilege escalation. The final payload is downloaded from the same C2 and is described by Kaspersky as a fully-featured APT platform.

Then the initial message and the exploit in the attachment are deleted.

The researchers noticed that the malicious toolset does not support persistence, likely due to the limitations of the OS. The devices may have been reinfected after rebooting. 

The attack successfully targeted iOS 15.7; the analysis of the final payload has yet to be finished. The malicious code runs with root privileges, supports a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C2 server.

Kaspersky provided the list of C2 domains involved in the attack.


Operation Triangulation: previously undetected malware targets iOS devices

A previously undocumented APT group targets iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation.

Researchers from the Russian firm Kaspersky have uncovered a previously unknown APT group that is targeting iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation.

The experts uncovered the attack while monitoring the network traffic of the company’s own corporate Wi-Fi network dedicated to mobile devices, using the Kaspersky Unified Monitoring and Analysis Platform (KUMA).

According to Kaspersky researchers, Operation Triangulation began at least in 2019 and is still ongoing.

“The targets are infected using zero-click exploits via the iMessage platform, and the malware runs with root privileges, gaining complete control over the device and user data” reads the analysis published by Kaspersky.

Due to the difficulty of inspecting modern iOS devices internally, the researchers created offline backups of the devices to analyze. Then they used the Mobile Verification Toolkit’s mvt-ios to scrutinize the backups and ultimately collected evidence indicating traces of compromise.

The backups contain a partial copy of the filesystem, including part of the user data and service databases. By analyzing the timestamps of files, folders, and database records, the researchers were able to reconstruct a timeline of the events that occurred on the device. The researchers used the mvt-ios utility to generate a sorted timeline of the events, which is stored in a file named ‘timeline.csv.’

The analysis of the timeline revealed that the attack chains commenced with a message sent via the iMessage service to an iOS device. The message has an attachment containing an exploit. The experts explained that the message triggers a remote code execution vulnerability without any user interaction (zero-click).

The exploit used in the attack downloads multiple subsequent stages from the C2 server, including additional exploits for privilege escalation. The final payload is downloaded from the same C2 and is described by Kaspersky as a fully-featured APT platform.

Then the initial message and the exploit in the attachment are deleted.

The researchers noticed that the malicious toolset does not support persistence, likely due to the limitations of the OS. The devices may have been reinfected after rebooting. 

The attack successfully targeted iOS 15.7; the analysis of the final payload has yet to be finished. The malicious code runs with root privileges, supports a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C2 server.

“The single most reliable indicator that we discovered is the presence of data usage lines mentioning the process named “BackupAgent”. This is a deprecated binary that should not appear in the timeline during regular usage of the device.” concludes Kaspersky. “An even less implicit indicator of compromise is inability to install iOS updates. We discovered malicious code that modifies one of the system settings file named com.apple.softwareupdateservicesd.plist. We observed update attempts to end with an error message “Software Update Failed. An error ocurred downloading iOS”.”
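A checker that runs the two timeline indicators Kaspersky describes (BackupAgent data-usage lines and modification of com.apple.softwareupdateservicesd.plist) over an mvt-ios timeline.csv, written here as an added example; it is not Kaspersky's or MVT's own code. It assumes the CSV header mvt-ios writes (UTC Timestamp, Plugin, Event, Description); the sample rows are constructed to resemble that layout, not real device data.

```python
"""Scan an mvt-ios timeline.csv for the Operation Triangulation indicators
named in the Kaspersky report: data-usage records for the deprecated
BackupAgent process, and changes to the software-update settings file."""
import csv
import io
import re

BACKUP_AGENT = re.compile(r"\bBackupAgent\b")
SWUPDATE_PLIST = "com.apple.softwareupdateservicesd.plist"

# Constructed sample in the assumed timeline.csv layout: ordinary SMS data
# usage, a BackupAgent data-usage record, an edit to the update-services plist,
# and two unrelated file events that must not fire.
SAMPLE_TIMELINE = """\
UTC Timestamp,Plugin,Event,Description
2023-01-10 09:12:03.000000,Datausage,Datausage,"com.apple.MobileSMS in 43201 out 8891"
2023-01-10 09:12:44.000000,Datausage,Datausage,"BackupAgent in 0 out 4812337"
2023-01-10 09:13:01.000000,Manifest,Modified,"Library/Preferences/com.apple.softwareupdateservicesd.plist"
2023-01-11 07:30:15.000000,Manifest,Modified,"Library/Preferences/com.apple.Preferences.plist"
2023-01-12 18:02:09.000000,Manifest,Created,"Library/Logs/BackupAgentHelperNotes.txt"
"""


def scan_timeline(csv_text):
    """Return (timestamp, indicator, description) tuples for matching rows, in timeline order.

    The BackupAgent check is restricted to data-usage records, which is what the
    report describes; a file merely named after the process does not count.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = row.get("UTC Timestamp", "")
        plugin = row.get("Plugin", "").lower()
        desc = row.get("Description", "")
        if plugin == "datausage" and BACKUP_AGENT.search(desc):
            findings.append((ts, "backupagent_data_usage", desc))
        elif SWUPDATE_PLIST in desc:
            event = row.get("Event", "")
            findings.append((ts, "softwareupdate_plist_changed", f"{event}: {desc}"))
    return findings


def verdict(findings):
    """Summarise which indicator classes fired.

    Per the report, BackupAgent data usage is the single most reliable indicator;
    the plist change corroborates it and explains the failing iOS updates.
    """
    kinds = {kind for _, kind, _ in findings}
    backup_agent = "backupagent_data_usage" in kinds
    plist_changed = "softwareupdate_plist_changed" in kinds
    return {
        "backupagent_seen": backup_agent,
        "update_blocker_seen": plist_changed,
        "suspicious": backup_agent or plist_changed,
        "first_event": findings[0][0] if findings else None,
    }


if __name__ == "__main__":
    hits = scan_timeline(SAMPLE_TIMELINE)
    for ts, kind, desc in hits:
        print(ts, kind, desc)
    print(verdict(hits))
```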

Kaspersky provided the list of C2 domains involved in the attack; at least two of them currently display a banner.


California-based workforce platform Prosperix leaks drivers licenses and medical records

Prosperix leaked nearly 250,000 files. The breach exposed job seekers’ sensitive data, including home addresses and phone numbers.

Prosperix, formerly Crowdstaffing, calls itself a “workforce innovation” company that develops software solutions for businesses to build an “extraordinary” workforce. It lists KPMG, Walmart, NBCUniversal and Avon among the brands that trust the company.

On May 1st, the Cybernews research team discovered a misconfigured Amazon AWS bucket. The misconfiguration led to the exposure of approximately 250,000 files. 42,000 of them contained the sensitive data of job seekers, namely:

  • Full names
  • Dates of birth
  • Occupation history
  • Home addresses
  • Phone numbers
  • Email addresses

According to the researchers, most of these files were employment authorization documents, driving licenses, resumes, filled job application forms, diploma certificates and transcripts. Some of them were medical records – including urine tests and vaccination records.

The issue was quickly solved by the company. Cybernews reached out for an official comment but has yet to receive a reply.

The potential risks

A data leak like this can have many negative consequences for both the company and the affected job seekers.

“Individuals’ personal information (PII) such as full names, dates of birth, emails, phone numbers, and home addresses can be exploited for identity theft, spear phishing attacks, and other sorts of fraud,” our researchers warned.

For example, fraudsters could abuse such data to launch sham recruiting agencies. “This would be rather easy as fraudsters would already possess enough information about the potential victims to make their targeted scam look like appealing employment opportunities.”

Most of the employment authorization documents and driving licenses that were exposed appear to be expired. However, the leaky bucket dates back to 2017.

“Its exposure could presumably mean that those documents have been accessible for a considerable amount of time,” researchers warned.

Prosperix should focus on the following areas to mitigate risks:

  • Encryption: setting default server-side encryption for existing Amazon S3 buckets.
  • Auditing and logging: regularly checking server access logs.
  • Employee training: enhancing knowledge and awareness of data security.
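An offline audit of an S3 bucket's exposure posture covering the controls just listed (public access, default server-side encryption, server access logging), written here as an added example; it is not Cybernews' or Prosperix's code. It consumes the same structures the boto3 calls get_public_access_block, get_bucket_acl, get_bucket_encryption and get_bucket_logging return, so it can run on saved API output without credentials; the two bucket profiles below are constructed, one resembling the misconfiguration described above and one with the recommended settings applied.

```python
"""Audit saved S3 bucket configuration for the exposure pattern described in
the article: a world-readable bucket with no public access block, no default
encryption rule and no server access logging."""
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(name, public_access_block=None, acl_grants=(), encryption=None, logging=None):
    """Return a list of finding strings; an empty list means every checked control is in place.

    public_access_block: the PublicAccessBlockConfiguration dict (None when the
        API raises NoSuchPublicAccessBlockConfiguration, i.e. nothing is set).
    acl_grants: the Grants list from get_bucket_acl.
    encryption: the ServerSideEncryptionConfiguration dict (None/{} if unset).
    logging: the full get_bucket_logging response ({} when logging is off).
    """
    findings = []
    pab = public_access_block or {}
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"{name}: public access block setting {flag} is off")
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{name}: ACL grants {grant.get('Permission')} to {group}")
    rules = (encryption or {}).get("Rules", [])
    algorithms = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if not any(a in ("AES256", "aws:kms") for a in algorithms):
        findings.append(f"{name}: no explicit default server-side encryption rule")
    if not (logging or {}).get("LoggingEnabled"):
        findings.append(f"{name}: server access logging is not enabled")
    return findings


# Constructed profile: exposed the way the article describes.
EXPOSED = dict(
    name="example-applicant-files",
    public_access_block=None,
    acl_grants=[{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    encryption={},
    logging={},
)

# Constructed profile: the same bucket after the recommended settings are applied.
HARDENED = dict(
    name="example-applicant-files",
    public_access_block={flag: True for flag in PAB_FLAGS},
    acl_grants=[{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                 "Permission": "FULL_CONTROL"}],
    encryption={"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/placeholder-key"}}]},
    logging={"LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "s3/"}},
)


if __name__ == "__main__":
    for profile in (EXPOSED, HARDENED):
        print(profile["name"], audit_bucket(**profile) or ["no findings"])
```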

This isn’t the first time the Cybernews research team has stumbled upon exposed job seeker data. Last year, international job search engine Jooble.org put itself and its clients at risk by leaving a 470GB database unprotected.

The lion’s share of the database was composed of different job postings and searchers for companies. Our findings also indicated that Eastern European job seekers were at risk because the leaked data contained their personal information.

Leaks like this put job seekers at risk, so they should educate themselves on how to spot common job search-related scam techniques.

“For example, criminals tend to ask for money, financial information, or detailed personal information early in the application process. They also suggest conducting interviews through social media chats, set up fake company names with little to no social media presence, and offer salaries that are suspiciously high for the role,” they said.

Job seekers should do their homework by attentively looking into the company’s history and online presence. It’s also a good idea to contact the company through official channels.

Are you a job seeker? Suggestions for you are available in the original post at CyberNews:

https://cybernews.com/security/prosperix-leaks-drivers-licenses-medical-records/

About the author: Jurgita Lapienytė, Chief Editor at CyberNews


SpinOk spyware discovered in Google Play apps with over 420 million downloads

Researchers discovered spyware, dubbed SpinOk, hidden in 101 Android apps with over 400 million downloads in Google Play.

The malicious module is distributed as a marketing SDK that developers behind the apps embedded in their applications and games, including those available on Google Play.

Upon execution, the malware-laced SDK connects to the C2 and sends back a large amount of system information about the infected device. The information sent to the C2 includes data from sensors (e.g. gyroscope, magnetometer, etc.) that allows the operators to determine whether the malware is running on a real device or in an emulator environment. The C2 in turn sends a list of URLs to the module, which opens them in a WebView to display advertising banners.

The malicious SDK also expands the capabilities of JavaScript code executed on webpages containing ads. The researchers observed that the module adds many features to the code, including the ability to:

  • obtain the list of files in specified directories,
  • verify the presence of a specified file or a directory on the device,
  • obtain a file from the device, and
  • copy or substitute the clipboard contents.

The operators of the trojan module can use these capabilities to gather sensitive information and files from a victim’s device. An instance of this would be accessing files that are accessible to apps containing Android.Spy.SpinOk. To steal the files, threat actors only have to inject the corresponding code into the HTML page of the advertisement banner.

“Doctor Web specialists found this trojan module and several modifications of it in a number of apps distributed via Google Play. Some of them contain the malicious SDK to this date; others had it only in particular versions or were removed from the catalog entirely. Our malware analysts discovered it in 101 apps with at least 421,290,300 cumulative downloads.” reads the report published by Doctor Web.

Doctor Web estimated that millions of Android device owners are at risk of becoming victims of cyber espionage, and the security firm immediately shared its findings with Google.

Below is the list of the 10 most popular apps using the Android.Spy.SpinOk trojan SDK:

  • Noizz: video editor with music (at least 100,000,000 installations),
  • Zapya – File Transfer, Share (at least 100,000,000 installations; the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1),
  • VFly: video editor&video maker (at least 50,000,000 installations),
  • MVBit – MV video status maker (at least 50,000,000 installations),
  • Biugo – video maker&video editor (at least 50,000,000 installations),
  • Crazy Drop (at least 10,000,000 installations),
  • Cashzine – Earn money reward (at least 10,000,000 installations),
  • Fizzo Novel – Reading Offline (at least 10,000,000 installations),
  • CashEM: Get Rewards (at least 5,000,000 installations),
  • Tick: watch to earn (at least 5,000,000 installations).

The full list of apps is available here.
