Advanced malware targeting Windows devices

Aug 18 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that holds cybercriminals in the same regard as King Charles, Prince William & Rishi Sunak hold umm women’s football. Specifically, the final which England are in! #NoShows 😂

It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!!!

It goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it.

Congrats, the cybercriminals are no match… for your patch! Check out these just freshly hatched patches!! 🩹🩹🩹

🌐 Google released Chrome 116 with fixes for 26 vulnerabilities, 21 found by outsiders.

  • 🔒 Eight high-severity bugs were identified, mostly related to memory safety.

  • 🔍 Noteworthy bug is CVE-2023-2312, a use-after-free issue, rewarded with $30,000 bounty.

  • 🔧 Other high-severity bugs: use-after-free in Device Trust Connectors (CVE-2023-4349),

  • Fullscreen flaw (CVE-2023-4350), Network bug (CVE-2023-4351).

  • 📆 New Chrome 116 versions out for Mac, Linux, and Windows.

But wait, there’s more…

🔒 Google's Chrome update 🌐 alerts users about removed extensions 🚫

In Chrome 117, users get notifications 📢 if an add-on is unpublished, violates store policy, or is malware 🦠. New "Safety check" 🛡️ category in settings flags these extensions for privacy and security 🕵️‍♂️.

Wonderbar!

Now, on to today’s hottest cybersecurity stories:

  • 🔍Zscaler scales cybersphere, uncovers info-stealing ‘Statc Stealer’ malware 👾

  • 📱 New Apple iOS 16 malware hacks Airplane Mode, keeps data running to scam app 👿

  • 🍚 China-linked ‘Bronze Starlight’ targets gambling sector with Cobalt Strike beacons 🎲

We need a fix, STATc! 😬

🔍 Zscaler finds Statc Stealer: advanced malware targeting Windows devices for data theft, with a focus on cryptocurrency wallets. 🌐 Crafted in C++, it disguises as MP4 ads in browsers like Chrome.

📊 How it works

Victims click on ads, activating a fake PDF installer and a downloader binary. A PowerShell script fetches the malware from a remote server.

The malware avoids detection with anti-sandbox and anti-reverse engineering measures. It connects to a C2 server, using HTTPS to send stolen data. 🕵️‍♂️

⚠️ Impact

The malware masquerades as Google ads, stealing passwords, credit card info, and crypto wallet details. Targets Chrome, Edge, Firefox, Brave, Opera, and Yandex browsers.

Unauthorised access could lead to identity theft and crypto scams for individuals, while businesses risk financial loss and reputation damage.

🛡️ Takeaway

Statc Stealer highlights the need for stronger cybersecurity.

Protect yourself and your business with education, robust antivirus solutions, and network monitoring.

Stay vigilant against evolving threats. 💼 Safeguard valuable assets from sophisticated techniques.

I came across ZZZ money club during the crypto market bull run when everyone’s a winner, even during the bear market this discord group has been amazing at giving information on projects and ways to make passive income in various ways.

The group is very active and everyone in this private discord group is very chatty and helpful.

Its run by Yourfriendandy and Decadeinvestor, you can find them here on YouTube, both top guys with great content.

If you are interested in joining the group you can through the link below.

Hackers: Can I trick it? iOS YOU CAN! 💀🎶😂

🔒 A new iOS 16 exploit technique has emerged, reported by cybersecurity researchers at Jamf Threat Labs. 📱 The method manipulates Airplane Mode to secretly maintain network access on Apple devices, even if victims believe they're offline.

🕵️‍♂️ How it works

The attacker deceives users by creating a fake Airplane Mode UI that disconnects most apps, leaving only the attacker's app connected. 🌐 This trickery occurs after successfully compromising the device.

✈️ Airplane Mode typically disables wireless features, but this method maintains cellular network access, allowing a hidden malicious app to continue functioning. 📶 CommCenter manages changes to cellular data access, while SpringBoard handles UI modifications.

📝 To execute this ruse, the attacker uses CommCenter to block data access for specific apps, resembling Airplane Mode. They achieve this through a hooked function that alters the UI to mimic Airplane Mode activation. The user perceives the change but isn't aware of the ongoing connection.

⚙️ An SQL database within CommCenter records app data access statuses, enabling selective blocking or allowing of Wi-Fi and cellular data for each app.

⚠️ Notably, this technique doesn't rely on a specific OS vulnerability. Instead, it capitalises on manipulating user interfaces to achieve persistence.

🛡️ Apple commented that this technique isn't tied to a specific OS flaw but rather demonstrates a method for adversaries to maintain control after compromising a device.

🚫 As security challenges evolve, it underscores the importance of staying informed and proactive in the face of emerging threats.

📢 Stay vigilant against deceptive tactics and ensure your devices are protected with up-to-date security measures. 🌐

This technique highlights the need for a multi-layered approach to cybersecurity to safeguard against evolving attack strategies.

🗞️ Extra, Extra! Read all about it! 🗞️

Each fortnite, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 💰 Daily Dough: Bite-sized investing ideas, wisdom, news, and trends you need to grow your dough!

  • 📈 ProductivityGlide: A bite-sized email for your most productive day yet!

  • 🏫 AI Marketing School: The latest AI Marketing tools, techniques, and news delivered biweekly.

Let us know what you think!

Same old China, always spying 🙈

🌐 China-based cyber attack campaign targets Southeast Asian gambling sector using Cobalt Strike beacons, notes cybersecurity firm SentinelOne.

The threat actor known as Bronze Starlight or Emperor Dragonfly exploits vulnerabilities in Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan to deploy these beacons.

They're associated with using short-lived ransomware families as a smokescreen to conceal its espionage motives. Sneaky, sneaky!

🔒 The campaign, resembling ESET's Operation ChattyGoblin, deploys modified chat app installers to download a .NET malware loader, which decrypts and executes Cobalt Strike beacon code. ⚙️

Interestingly, attempts to halt execution in specific countries like Canada, France, and the U.S. indicate a narrow target scope.

🧩 Notably, one malware loader is signed with a stolen certificate from Ivacy VPN, a Singapore-based VPN provider.

The side-loaded DLL files resemble HUI Loader variants, seen in past China-based groups like APT10 and TA410, revealing interconnected operations.

🛡️ These actions shed light on the complexity of the Chinese threat landscape, showcasing shared tactics and malware usage.

📢 Attribution remains complex due to intertwined relationships and shared infrastructure among various Chinese nation-state actors.

As threats evolve, staying vigilant and adopting multi-layered defences is crucial for cybersecurity. 🌐

See you on Monday, folks! Stay safe 🛡️🛡️🛡️

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Recent articles