Jul 02 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that has cybercriminals crying like Ronaldo. That miss could have Costa. Slovakians today: Diogo breaking me heart #EURO2024
Today's hottest cybersecurity news stories:
Android users beware! CapraRAT disguises as popular apps
Data-stealing malware hidden in Indian software firm's products
OpenSSH vulnerability dubbed "regreSSHion" could lead to RCE
We can see straight through you! The threat actor Transparent Tribe continues its malicious streak by distributing malware-laced Android apps through social engineering campaigns.
CapraTube Campaign Expands Targeting Scope
SentinelOne security researcher Alex Delamotte revealed that these APKs embed spyware into curated video browsing applications. The latest expansion targets mobile gamers, weapons enthusiasts, and TikTok fans.
The campaign, dubbed CapraTube, was first outlined in September 2023. Transparent Tribe uses these weaponized apps to deliver CapraRAT, a modified version of AndroRAT. This spyware captures a wide range of sensitive data by impersonating legitimate apps like YouTube.
New Malicious APKs Identified
SentinelOne identified several new malicious APK files:
Crazy Game (com.maeps.crygms.tktols)
Sexy Videos (com.nobra.crygms.tktols)
TikToks (com.maeps.vdosa.tktols)
Weapons (com.maeps.vdosa.tktols)
CapraRAT uses WebView to launch URLs to YouTube or CrazyGames[.]com. In the background, it abuses permissions to access locations, SMS messages, contacts, call logs, make phone calls, take screenshots, and record audio and video.
Spyware Enhancements
A notable change in CapraRAT is that permissions like READ_INSTALL_SESSIONS, GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS, and REQUEST_INSTALL_PACKAGES are no longer requested. This suggests a shift towards using the tool primarily for surveillance rather than as a backdoor.
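One way to turn the package names and permission profile above into a triage check for a decoded AndroidManifest.xml (as produced by a decompiler such as apktool). This is an added example, not code from SentinelOne or the original post; the four-permission threshold and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Package names listed in the SentinelOne findings quoted above.
KNOWN_CAPRARAT_PACKAGES = {
    "com.maeps.crygms.tktols", "com.nobra.crygms.tktols", "com.maeps.vdosa.tktols",
}
# Permissions behind the surveillance capabilities the page describes.
SURVEILLANCE_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}
# Permissions the page says newer CapraRAT builds no longer request.
INSTALLER_PERMS = {
    "android.permission.READ_INSTALL_SESSIONS", "android.permission.GET_ACCOUNTS",
    "android.permission.AUTHENTICATE_ACCOUNTS", "android.permission.REQUEST_INSTALL_PACKAGES",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Summarise a decoded AndroidManifest.xml against the indicators above."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}
    surveillance = sorted(requested & SURVEILLANCE_PERMS)
    installer = sorted(requested & INSTALLER_PERMS)
    # The threshold of four surveillance permissions is an assumed heuristic, not from the report.
    return {
        "package": package,
        "known_package": package in KNOWN_CAPRARAT_PACKAGES,
        "surveillance_perms": surveillance,
        "installer_perms": installer,
        "suspicious": package in KNOWN_CAPRARAT_PACKAGES or len(surveillance) >= 4,
    }

# Constructed sample: a decoded manifest shaped like the page's "Crazy Game" package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.maeps.crygms.tktols">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A video-player app that asks for SMS, microphone, camera and precise location is the pattern worth flagging even when the package name is new; an empty installer_perms list matches the shift the page describes.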
Additional Threats: Snowblind Banking Malware
The disclosure coincides with Promon revealing Snowblind, a novel type of Android banking malware. Similar to FjordPhantom, Snowblind bypasses detection methods and uses the accessibility services API surreptitiously. By intercepting and manipulating system calls using the seccomp functionality, Snowblind can steal credentials, export data, and disable 2FA or biometric verification.
Stay vigilant and ensure your devices are secure against these evolving threats!
Whether youโre starting or scaling your companyโs security program, demonstrating top-notch security practices and establishing trust is more important than ever.
Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.
And, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.
Conceptworld, an Indian software company, recently faced a significant supply chain attack affecting installers for three of their products: Notezilla, RecentX, and Copywhiz.
Discovery and Response
Rapid7, a cybersecurity firm, identified the compromise on June 18, 2024. Conceptworld quickly responded, resolving the issue within 12 hours of notification on June 24.
Malicious Installers Unveiled
The trojanized installers were designed to distribute information-stealing malware. The affected versions had a larger file size compared to the legitimate ones. Once installed, the malware could:
Steal browser credentials
Extract cryptocurrency wallet information
Log clipboard contents and keystrokes
Download and execute additional payloads
How the Malware Operates
Upon launching the infected installer, users saw the usual installation prompts. However, in the background, it executed a malicious binary "dllCrt32.exe" and a batch script "dllCrt.bat". This setup ensured persistence by creating a scheduled task to run the main payload every three hours.
Additionally, another file "dllBus32.exe" was executed, connecting to a command-and-control (C2) server to steal sensitive data and retrieve more payloads. The malware targeted credentials from browsers like Google Chrome and Mozilla Firefox and multiple cryptocurrency wallets including Atomic, Coinomi, Electrum, Exodus, and Guarda. It also harvested files with specific extensions (.txt, .doc, .png, and .jpg).
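The persistence mechanism described above leaves a Task Scheduler definition that can be hunted for: the task XML (as exported by schtasks or carried in a Windows "scheduled task created" event) names the executed file and its repetition interval. The following is an added example, not Rapid7's or Conceptworld's code; the file names and three-hour cadence come from the page, while the sample task XML and its C:\Users\Public path are constructed for illustration.

```python
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# File names the page attributes to the trojanized Conceptworld installers.
SUSPECT_FILES = {"dllcrt32.exe", "dllcrt.bat", "dllbus32.exe"}
# Task Scheduler expresses "every three hours" as the ISO-8601 duration PT3H.
SUSPECT_INTERVAL = "PT3H"

def basename(command: str) -> str:
    """Lower-cased final path component of a command or argument token."""
    return command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyse_task(task_xml: str) -> list:
    """Return the reasons a Task Scheduler definition matches the described persistence."""
    root = ET.fromstring(task_xml)
    reasons = []
    for cmd in root.iterfind(".//t:Exec/t:Command", TASK_NS):
        name = basename(cmd.text or "")
        if name in SUSPECT_FILES:
            reasons.append(f"runs {name}")
    for arg in root.iterfind(".//t:Exec/t:Arguments", TASK_NS):
        # A launcher such as cmd.exe may carry the payload name in its arguments instead.
        for token in (arg.text or "").replace('"', " ").split():
            if basename(token) in SUSPECT_FILES:
                reasons.append(f"argument references {basename(token)}")
    for interval in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        if (interval.text or "").strip().upper() == SUSPECT_INTERVAL:
            reasons.append("repeats every three hours")
    return reasons

# Constructed sample task definition; the path is illustrative, not from the report.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT3H</Interval></Repetition>
    <Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Users\Public\dllBus32.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(analyse_task(SAMPLE_TASK))
```

A three-hour interval alone is common in legitimate software, so treat the interval as corroboration and the file-name hits as the primary signal.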
What to Look For
Rapid7 noted that the malicious installers were unsigned and had an inconsistent file size compared to legitimate installers. Users who downloaded Notezilla, RecentX, or Copywhiz in June 2024 should check for signs of compromise and consider re-imaging affected systems.
Stay vigilant and ensure your software comes from trusted, verified sources!
OpenSSH maintainers have issued security updates to address a critical flaw (CVE-2024-6387), codenamed regreSSHion, that could allow unauthenticated remote code execution with root privileges on glibc-based Linux systems.
Vulnerability Details
The flaw exists in the OpenSSH server component (sshd), which listens for client connections:
CVE-2024-6387: Signal handler race condition allowing RCE as root on glibc-based Linux systems.
Discovered by: Bharat Jogi, senior director of the threat research unit at Qualys.
Affected versions: OpenSSH 8.5p1 to 9.7p1; versions prior to 4.4p1 if not patched for CVE-2006-5051 and CVE-2008-4109.
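The affected-version ranges above are what an inventory check has to encode. The following is an added example, not from the OpenSSH project or Qualys: it parses sshd identification banners (the "SSH-2.0-OpenSSH_x.ypN ..." string a server sends on connect) and sorts hosts into those whose version string falls in the affected range and those outside it. The host names and banners are constructed, not captured from real systems.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Ranges as summarised on this page: 8.5p1 to 9.7p1, and anything before 4.4p1.
AFFECTED_START: Version = (8, 5, 1)
AFFECTED_END: Version = (9, 7, 1)
OLD_FIX: Version = (4, 4, 1)

# Matches banners such as "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13".
BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

def parse_banner(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from an sshd identification string."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def in_affected_range(version: Version) -> bool:
    return AFFECTED_START <= version <= AFFECTED_END or version < OLD_FIX

def triage(banner: str) -> str:
    """'check' = version string is in the affected range, 'ok' = outside it,
    'unknown' = not an OpenSSH banner."""
    version = parse_banner(banner)
    if version is None:
        return "unknown"
    return "check" if in_affected_range(version) else "ok"

# Constructed sample banners, not captured from real hosts.
SAMPLE_BANNERS = {
    "web-01": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "db-01": "SSH-2.0-OpenSSH_9.8p1",
    "legacy-01": "SSH-2.0-OpenSSH_4.3p2",
    "cam-01": "SSH-2.0-dropbear_2022.83",
}

def triage_inventory(banners: dict) -> dict:
    return {host: triage(b) for host, b in banners.items()}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

Version-only triage over-reports on distributions that backport the fix without changing the version string, so treat "check" as a prompt to confirm the installed package's patch level rather than as a confirmed vulnerability.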
Impact and Exploitability
Potentially vulnerable instances: 14 million OpenSSH server instances exposed to the internet.
Regression of: An 18-year-old flaw (CVE-2006-5051) reintroduced in October 2020.
Exploitation time: Under lab conditions, requires 6-8 hours of continuous connections.
Platforms affected: Likely macOS and Windows, though unconfirmed.
Exploit Mechanics
The race condition is triggered if a client fails to authenticate within 120 seconds, leading to an async-signal-unsafe call in sshd's SIGALRM handler.
Result: Full system compromise, arbitrary code execution with highest privileges, data theft, persistent access.
Mitigation and Recommendations
Patch immediately: Users should apply the latest security updates.
Network Controls: Limit SSH access through network-based controls and enforce network segmentation.
Regression testing: the incident highlights the importance of regression tests that prevent known vulnerabilities from being reintroduced.
Summary
This vulnerability represents a significant security risk, enabling threat actors to achieve a full system compromise on unpatched systems. Given the potential impact, prompt action is crucial. Update your systems, enforce stringent network controls, and ensure thorough regression testing in your security practices.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!