Transparent Tribe Unleashes Malware-Laced Android Apps 🎯

Jul 02 2024

Welcome to Gone Phishing, your daily cybersecurity newsletter that has cybercriminals crying like Ronaldo 😭😭😭 That miss could have Costa. Slovakians today: Diogo breaking me heart 💔 #EURO2024 ⚽

Today’s hottest cybersecurity news stories:

  • 📱 Android users beware! CapraRAT disguises itself as popular apps 🎭

  • Data-stealing malware hidden in an Indian software firm's products 💾

  • 👨🏻‍💻 OpenSSH vulnerability dubbed ‘regreSSHion’ could lead to RCE 🛰️

Abra, Abra-CapraRAT, I wanna reach out and grab ya 🐀

🚨 Transparent Tribe Unleashes Malware-Laced Android Apps 🎯

We can see straight through you! 👀 The threat actor Transparent Tribe continues its malicious streak by distributing malware-laced Android apps through social engineering campaigns. 🚨📱

CapraTube Campaign Expands Targeting Scope

SentinelOne security researcher Alex Delamotte revealed that these APKs embed spyware into curated video browsing applications. The latest expansion targets mobile gamers, weapons enthusiasts, and TikTok fans. 🎮🔫🎵

The campaign, dubbed CapraTube, was first outlined in September 2023. Transparent Tribe uses these weaponized apps to deliver CapraRAT, a modified version of AndroRAT. This spyware captures a wide range of sensitive data by impersonating legitimate apps like YouTube. 📹🕵️‍♂️

New Malicious APKs Identified 📜

SentinelOne identified several new malicious APK files:

  • Crazy Game (com.maeps.crygms.tktols)

  • Sexy Videos (com.nobra.crygms.tktols)

  • TikToks (com.maeps.vdosa.tktols)

  • Weapons (com.maeps.vdosa.tktols)

CapraRAT uses a WebView to load YouTube or CrazyGames[.]com URLs. In the background, it abuses its permissions to access the device's location, SMS messages, contacts and call logs, to make phone calls, take screenshots, and record audio and video. 🗺️📧📞📸🎤

Spyware Enhancements 🔒

A notable change in CapraRAT is that permissions like READ_INSTALL_SESSIONS, GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS, and REQUEST_INSTALL_PACKAGES are no longer requested. This suggests a shift towards using the tool primarily for surveillance rather than as a backdoor. 🔑
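As an added illustration (not code from the article or from SentinelOne), here is a small Python triage script that parses a decoded AndroidManifest.xml and splits the requested permissions into the surveillance set the article describes (location, SMS, contacts, call log, calls, audio, camera) and the installer/account set it says the newer CapraRAT builds dropped. The manifest below is a constructed sample for a fictitious "video app"; in practice you would feed it the manifest extracted from an APK with apktool or aapt2.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions behind the surveillance capabilities the article lists:
# location, SMS, contacts, call logs, phone calls, audio and video capture.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Permissions the article says newer CapraRAT builds no longer request.
BACKDOOR_PERMISSIONS = {
    "android.permission.READ_INSTALL_SESSIONS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.AUTHENTICATE_ACCOUNTS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# What a plain video-browsing app actually needs (assumption for this demo);
# anything beyond this deserves a closer look.
EXPECTED_FOR_VIDEO_APP = {"android.permission.INTERNET"}


def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return names


def triage(manifest_xml: str) -> dict:
    """Split the requested permissions by the capability they grant."""
    perms = requested_permissions(manifest_xml)
    surveillance = perms & SURVEILLANCE_PERMISSIONS
    backdoor = perms & BACKDOOR_PERMISSIONS
    unexpected = perms - EXPECTED_FOR_VIDEO_APP
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "surveillance": sorted(surveillance),
        "backdoor": sorted(backdoor),
        "unexpected": sorted(unexpected),
        # Surveillance permissions without the installer/account set is the
        # profile the article describes for the newer CapraRAT builds.
        "profile": ("surveillance-only" if surveillance and not backdoor
                    else "surveillance+backdoor" if surveillance
                    else "benign-looking"),
    }


# Constructed sample manifest (not a real CapraRAT artefact).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tiktoks">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="TikToks">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(f"{report['package']}: {report['profile']}")
    for key in ("surveillance", "backdoor", "unexpected"):
        print(f"  {key}: {', '.join(report[key]) or '-'}")
```

A manifest is only a declaration of intent, so this is a first filter rather than a verdict: a video app that asks for SMS, call-log and microphone access is worth pulling apart, and the absence of the installer/account permissions is what distinguishes the surveillance-only profile described above from an app that can also drop further packages.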

Additional Threats: Snowblind Banking Malware ⚠️

The disclosure coincides with Promon revealing Snowblind, a novel type of Android banking malware. Like FjordPhantom, Snowblind evades detection and abuses the accessibility services API surreptitiously. By intercepting and manipulating system calls through the Linux seccomp facility, it can steal credentials, exfiltrate data, and disable 2FA or biometric verification. 🏦🔑

Stay vigilant and ensure your devices are secure against these evolving threats! 🛡️📱

Join the live session: automate compliance & streamline security reviews

Whether you’re starting or scaling your company’s security program, demonstrating top-notch security practices and establishing trust is more important than ever.

Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money — while helping you build customer trust.

And, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.

Join Vanta’s 45-minute live session on July 9th at 12 pm PST to see the platform in action and ask your questions.

Hackers: I fancy an Indian takeaway 💀

🚨 Supply Chain Attack Hits Indian Software Company 💾

Conceptworld, an Indian software company, recently faced a significant supply chain attack affecting installers for three of their products: Notezilla, RecentX, and Copywhiz. 🛠️💻

Discovery and Response 🛡️

Rapid7, a cybersecurity firm, identified the compromise on June 18, 2024. Conceptworld quickly responded, resolving the issue within 12 hours of notification on June 24. 🔒

Malicious Installers Unveiled 🕵️‍♀️

The trojanized installers were designed to distribute information-stealing malware. The affected versions had a larger file size compared to the legitimate ones. Once installed, the malware could:

  • Steal browser credentials 🔑

  • Extract cryptocurrency wallet information 💰🪙

  • Log clipboard contents and keystrokes ⌨️📝

  • Download and execute additional payloads 📥💣

How the Malware Operates 🖥️

Upon launching the infected installer, users saw the usual installation prompts. However, in the background, it executed a malicious binary "dllCrt32.exe" and a batch script "dllCrt.bat". This setup ensured persistence by creating a scheduled task to run the main payload every three hours. 🕒🔄

Additionally, another file "dllBus32.exe" was executed, connecting to a command-and-control (C2) server to steal sensitive data and retrieve more payloads. The malware targeted credentials from browsers like Google Chrome and Mozilla Firefox and multiple cryptocurrency wallets including Atomic, Coinomi, Electrum, Exodus, and Guarda. It also harvested files with specific extensions (.txt, .doc, .png, and .jpg). 📂📸

What to Look For 🚨

Rapid7 noted that the malicious installers were unsigned and had an inconsistent file size compared to legitimate installers. Users who downloaded Notezilla, RecentX, or Copywhiz in June 2024 should check for signs of compromise and consider re-imaging affected systems. ⚠️🖥️
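The two signals Rapid7 describes, a missing signature and a file size that does not match the vendor's, can both be checked before an installer is ever run. The following Python script is an added example, not Rapid7's or Conceptworld's code: it hashes a downloaded file, compares its size and SHA-256 against reference values you would obtain from the vendor, and reads the PE security data directory to see whether an Authenticode signature blob is present at all. The reference values and the "installers" here come from a constructed, non-executable PE image the script builds itself; the real ones are not on this page.

```python
import hashlib
import struct
from typing import Optional, Tuple

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # slot holding the Authenticode blob


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def authenticode_directory(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (file offset, size) of the PE security directory, or None if
    the bytes are not a PE image. A size of 0 means no signature blob at all."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    if opt_size < 2 or opt + opt_size > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        dirs = opt + 96                       # data directories start (PE32)
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112                      # data directories start (PE32+)
    else:
        return None
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + opt_size:
        return (0, 0)                         # header declares no such entry
    # Unlike the other directories, the security entry holds a raw file offset.
    return struct.unpack_from("<II", data, entry)


def triage_installer(data: bytes, expected_size: int, expected_sha256: str) -> dict:
    """Apply the article's two signals (signature, size) plus a hash comparison."""
    digest = sha256_hex(data)
    sec = authenticode_directory(data)
    findings = []
    if sec is None:
        findings.append("not a PE image")
    elif sec[1] == 0:
        findings.append("no Authenticode signature blob")
    if len(data) != expected_size:
        findings.append(f"size {len(data)} != expected {expected_size}")
    if digest != expected_sha256:
        findings.append("sha256 mismatch")
    return {"size": len(data), "sha256": digest, "signed": bool(sec and sec[1]),
            "findings": findings, "suspicious": bool(findings)}


def build_demo_pe(signature_size: int) -> bytes:
    """Construct a headers-only PE32 image for the demo. It cannot run; it only
    has enough structure for authenticode_directory() to parse."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_dirs = 16
    opt_size = 96 + 8 * num_dirs
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 90 + struct.pack("<I", num_dirs)
    dirs = bytearray(8 * num_dirs)
    header_len = len(dos) + 4 + len(coff) + len(opt) + len(dirs)
    if signature_size:
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, signature_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + b"\0" * signature_size


if __name__ == "__main__":
    legit = build_demo_pe(signature_size=64)
    expected_size, expected_hash = len(legit), sha256_hex(legit)
    # Simulate a trojanised rebuild: unsigned and larger, as in the article.
    tampered = build_demo_pe(signature_size=0) + b"\0" * 4096
    for name, blob in (("legit", legit), ("tampered", tampered)):
        print(name, triage_installer(blob, expected_size, expected_hash))
```

The presence of a signature blob is not the same as a valid signature: on Windows, validate the chain with `Get-AuthenticodeSignature`, or cross-platform with `osslsigncode verify`. Any mismatch is a reason to stop and treat the download as untrusted rather than to investigate on the host; the article's advice to re-image affected systems applies once an installer has already run.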

Stay vigilant and ensure your software comes from trusted, verified sources! 🛡️📦

OpenSHHesame 🧙‍♂️ Talk about pent up regreSSHion 😬

🚨 OpenSSH Releases Critical Security Update 🆕

OpenSSH maintainers have issued security updates to address a critical flaw (CVE-2024-6387), codenamed regreSSHion, that could allow unauthenticated remote code execution with root privileges on glibc-based Linux systems. 🛡️💻

Vulnerability Details 📌

The flaw exists in the OpenSSH server component (sshd), which listens for client connections:

  • CVE-2024-6387: Signal handler race condition allowing RCE as root on glibc-based Linux systems.

  • Discovered by: Bharat Jogi, senior director of the threat research unit at Qualys.

  • Affected versions: OpenSSH 8.5p1 to 9.7p1, and versions prior to 4.4p1 if not patched for CVE-2006-5051 and CVE-2008-4109.

🕵️‍♂️ Impact and Exploitability

  • Potentially vulnerable instances: 14 million OpenSSH server instances exposed to the internet.

  • Regression of: An 18-year-old flaw (CVE-2006-5051) reintroduced in October 2020.

  • Exploitation time: Under lab conditions, requires 6-8 hours of continuous connections.

  • Platforms affected: Likely macOS and Windows, though unconfirmed.

Exploit Mechanics

  • The race condition is triggered if a client fails to authenticate within 120 seconds, leading to an async-signal-unsafe call in sshd’s SIGALRM handler.

  • Result: Full system compromise, arbitrary code execution with highest privileges, data theft, persistent access.

Mitigation and Recommendations 🔄

  • Patch immediately: Users should apply the latest security updates.

  • Network Controls: Limit SSH access through network-based controls and enforce network segmentation.

  • Regression testing: the incident highlights the importance of tests that prevent known vulnerabilities from being reintroduced.
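To turn the version and timing facts above into a check you can run over your own inventory, here is an added Python example (not code from OpenSSH, Qualys or the article). It parses the version string sshd sends in its banner, tests it against the affected ranges listed above, and reads LoginGraceTime from an sshd_config, the setting behind the 120-second window the race depends on (sshd defaults it to 120 seconds when unset); the Qualys advisory notes that setting it to 0 removes the race at the cost of easier denial of service. The banners and config text below are constructed samples.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Inclusive ranges from the article's "Affected versions" item.
AFFECTED_LOW: Version = (8, 5, 1)
AFFECTED_HIGH: Version = (9, 7, 1)
OLD_UNPATCHED_BELOW: Version = (4, 4, 1)   # unless patched for CVE-2006-5051

TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
DEFAULT_LOGIN_GRACE_TIME = 120             # sshd's default, in seconds


def parse_openssh_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, portable-patch) from a banner such as
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3'."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_in_affected_range(version: Version) -> bool:
    return AFFECTED_LOW <= version <= AFFECTED_HIGH or version < OLD_UNPATCHED_BELOW


def parse_sshd_time(value: str) -> int:
    """sshd time values: a number with an optional s/m/h/d/w suffix."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip().lower())
    if not m:
        raise ValueError(f"unrecognised sshd time value: {value!r}")
    return int(m.group(1)) * TIME_UNITS[m.group(2)]


def login_grace_time(sshd_config: str) -> int:
    """Effective LoginGraceTime: sshd uses the first occurrence of a keyword,
    so the scan stops at the first match, or at the first Match block since
    values inside it apply only conditionally."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1]
        if keyword == "match":
            break
        if keyword == "logingracetime":
            return parse_sshd_time(value)
    return DEFAULT_LOGIN_GRACE_TIME


def assess(banner: str, sshd_config: str) -> dict:
    version = parse_openssh_version(banner)
    grace = login_grace_time(sshd_config)
    affected = version is not None and version_in_affected_range(version)
    return {
        "version": version,
        "version_in_affected_range": affected,
        "login_grace_time": grace,
        # The race needs an unauthenticated session to hit the grace timeout;
        # with LoginGraceTime 0 the SIGALRM timer is never armed.
        "race_window_open": affected and grace > 0,
    }


# Constructed banners, typical of what `ssh -V` or the server greeting shows.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
]
SAMPLE_CONFIG = """# constructed sshd_config excerpt
Port 22
#LoginGraceTime 2m
LoginGraceTime 30s
Match User backup
    LoginGraceTime 0
"""

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner, "->", assess(banner, SAMPLE_CONFIG))
```

Two caveats a practitioner will want: distributions often backport fixes without changing the upstream version string, so a banner in the affected range is a prompt to check the package changelog rather than proof of exposure; and a non-zero LoginGraceTime is the normal, expected configuration, so the script flags the combination of an unpatched version and an open window, not the setting by itself.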

🚨 Summary

This vulnerability represents a significant security risk, enabling threat actors to achieve a full system compromise on unpatched systems. Given the potential impact, prompt action is crucial. Update your systems, enforce stringent network controls, and ensure thorough regression testing in your security practices. 🛡️🔒

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
