New Process Injection Techniques Pose Threat to Windows Systems! ๐Ÿšจ

Dec 13 2023

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that shows cybercriminals all the respect that Elon Musk shows the CEO of Disney ๐Ÿ™ˆ โ€œWalt Disney is turning in his grave.โ€ ๐Ÿ’€๐Ÿ’€๐Ÿ’€ #RIPBobIger

Todayโ€™s hottest cybersecurity news stories:

  • ๐Ÿค“ Researchers discover potential โ€˜PoolPartyโ€™ in Windows systems ๐ŸŠ

  • ๐Ÿ“ฑ Android users beware! Malicious โ€˜SpyLoanโ€™ apps defraud millions ๐Ÿ’ธ

  • โŒ› Link between โ€˜Sandmanโ€™ APT and Chinaโ€™s KEYPLUG uncovered ๐Ÿ•ต๏ธ

Windows: We donโ€™t swim in your toilet so donโ€™t pee in our Pool ๐Ÿ™ˆ๐Ÿ’€๐Ÿคฃ

๐Ÿ” New Process Injection Techniques Pose Threat to Windows Systems! ๐Ÿšจ

A revelation at Black Hat Europe 2023 introduces PoolPartyโ€”a collection of eight dynamic process injection techniques, boasting flexibility and evading endpoint detection and response (EDR) systems.

๐Ÿ› ๏ธ PoolParty's Arsenal

SafeBreach researcher Alon Leviev underscores the versatility of PoolParty, working seamlessly across all processes. These techniques prove more adaptable than current injection methods, making them a potent threat.

๐Ÿค– How PoolParty Works

Rooted in the Windows user-mode thread pool, PoolParty targets worker factories to insert various work items into a target process. Leviev explains the exploitation of start routines with malicious shellcode.

๐ŸŒ PoolParty vs. Top EDR Solutions

PoolParty demonstrates its prowess by achieving a 100% success rate against popular EDR solutions, including those from CrowdStrike, Cybereason, Microsoft, Palo Alto Networks, and SentinelOne.

๐Ÿšจ Evolving Threats in Cybersecurity

Leviev warns about the ongoing challenge of undetectable techniques like PoolParty, emphasising the need for constant innovation in cybersecurity defence strategies.

๐Ÿ” Stay Vigilant: Update Your Defences!

In light of PoolParty's threat, it's crucial to stay vigilant and update your defences against evolving cyber threats. Leviev concludes with a call for proactive measures in the ever-changing security landscape. ๐Ÿš€

The Spy Who Sฬถhฬถaฬถgฬถgฬถeฬถdฬถ Scammed Me ๐Ÿ•ต๏ธโ€โ™‚๏ธ๐Ÿ”ซ๐Ÿ•บ๐Ÿป๐Ÿ‘“๐Ÿฆท

๐Ÿ•ต๏ธโ€โ™‚๏ธ Alert: SpyLoan – 18 Malicious Android Apps Exposed! ๐Ÿšจ

Cybersecurity researchers unveil 18 malicious loan apps on Google Play, collectively downloaded over 12 million times. Disguised as helpful loan services, these apps aim to defraud users by offering high-interest-rate loans while collecting personal and financial information for blackmail.

๐ŸŒ Targeted Regions

Tracked by Slovak cybersecurity company ESET under the name SpyLoan, these apps specifically target users in Southeast Asia, Africa, and Latin America.

๐Ÿ”ฅ Google Takes Action

The list of now-removed apps includes familiar names like AA Kredit, Amor Cash, and Oro Prรฉstamo, all taken down by Google.

๐ŸŽฃ Phishing Rods of choice

Infection pathways include SMS messages, Twitter, Facebook, and YouTube. Users are urged to avoid downloading from third-party stores and scam websites.

๐Ÿ‘ค Risks and Tactics

SpyLoan operators resort to blackmail and harassment tactics, pressuring victims into payments by threatening to release sensitive photos and videos on social media.

๐Ÿ›ก๏ธ Mitigating Risks

To protect against spyware threats, stick to official app sources, validate app authenticity, and scrutinise reviews and permissions before installation.

๐Ÿ” Android Banking Trojan Resurgence

The SpyLoan discovery follows the resurgence of TrickMo, an Android banking trojan masquerading as a streaming app. It steals screen content, downloads runtime modules, and utilises overlay injection for credential extraction.

๐Ÿ‘€ Stay Informed, Stay Safe!

Stay vigilant against deceptive apps and evolving threats. SpyLoan serves as a stark reminder of the risks users face when seeking financial services online. ๐Ÿ›ก๏ธ๐Ÿ“ฑ

๐ŸŽฃ Catch of the Day!! ๐ŸŒŠ๐ŸŸ๐Ÿฆž

๐Ÿƒย The Motley Fool: โ€œFool me once, shame on โ€” shame on you. Fool me โ€” you can't get fooled again.โ€ Good olโ€™ George Dubya ๐Ÿ˜‚ Let us tell whoโ€™s not fooling around though; thatโ€™s the Crรผe ๐Ÿ‘€ at Motley Fool. Youโ€™d be a fool (alright, enough already! ๐Ÿ™ˆ) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ๐Ÿ› Kidding aside, if you check out their website theyโ€™ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ๐Ÿค‘ย (LINK)

๐Ÿšตย Wander: Find your happy place. Cue Happy Gilmore flashback ๐ŸŒ๏ธโ›ณ๐ŸŒˆ๐Ÿ•Š๏ธ Mmmm Happy Placeโ€ฆ ๐Ÿ˜‡ So, weโ€™ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, itโ€™s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ๐Ÿž๏ธ๐Ÿ˜ย (LINK)

๐ŸŒŠย Digital Ocean: If you build it they will come. Nope, weโ€™re not talking about a baseball field for ghosts โšพ๐Ÿ‘ป๐Ÿฟ (Great movie, to be fair ๐Ÿ™ˆ). This is the Digital Ocean whoโ€™ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website youโ€™ll find yourself catching the buzz even if you canโ€™t code (guilty ๐Ÿ˜‘). But if you can and youโ€™re looking for somewhere to test things out or launch something new or simply enhance what youโ€™ve got, weโ€™d recommend checking out their services foโ€™ sho ๐Ÿ˜‰ And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ๐ŸŒฟย (LINK)

The Sands of Taiwan โŒ›๐Ÿ˜ฌ๐Ÿ’€

๐ŸŒ APT Alert: Sandman and KEYPLUG's Tactical Overlaps Revealed!

Joint research reveals tactical overlaps between the enigmatic APT Sandman and the China-based threat cluster using the KEYPLUG backdoor. Microsoft and PwC track this activity as Storm-0866 (Red Dev 40).

๐Ÿ” Shared Infrastructure

Sandman and Storm-0866/Red Dev 40 exhibit commonalities in infrastructure control, domain naming, and management practices. LuaDream and KEYPLUG coexist in the same victim networks, indicating shared development practices.

๐Ÿ“… Timeline

SentinelOne exposed Sandman in September 2023, detailing attacks on telecom providers in the Middle East, Western Europe, and South Asia. Storm-0866 targets entities in the Middle East and South Asian subcontinent.

๐Ÿ›ก๏ธ Commonalities

Both LuaDream and KEYPLUG share development indicators, infrastructure, and functionalities. Notable overlaps include C2 domains and support for QUIC and WebSocket protocols, suggesting coordinated operations.

๐Ÿ” Uncommon Tactics

Threat actors, including nation-state aligned groups, are increasingly using uncommon programming languages like Lua, DLang, and Nim to evade detection. Lua-based malware, rare in the wild, indicates sophisticated and persistent threats.

๐ŸŒ Complex Chinese Threat Landscape

The research highlights the complexity of the Chinese threat landscape, emphasising strong overlaps in operational infrastructure, targeting, and tactics.

๐Ÿ‘€ Stay Informed, Stay Secure!

Vigilance is key in navigating the evolving landscape of advanced persistent threats. Understanding shared tactics aids in proactive cybersecurity measures. ๐Ÿ›ก๏ธ๐ŸŒ

๐Ÿ—ž๏ธ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.

  • Libby Copa:ย The Rebel Newsletter helps writers strengthen their writing and creative practice, navigate the publishing world, and turn their art into an act of rebellion.

  • Techspresso:ย Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!

Recent articles