More Evidence Of Android Malware Hijacking Free
Forensic evidence of this active Android Trojan attack, which we have named FlyTrap, points to malicious parties out of Vietnam running this session hijacking campaign since March 2021. These malicious applications were initially distributed through both Google Play and third-party application stores. Zimperium zLabs reported the findings to Google, who verified the provided research and removed the malicious applications from the Google Play store. However, the malicious applications are still available on third-party, unsecured app repositories, highlighting the risk of sideloaded applications to mobile endpoints and user data.
More evidence of Android malware hijacking
Hackers can also use malware to collect and sell your device and contact information, until you're flooded with robocalls, texts and, oh yeah, more ads; and they can send links for more malware to everyone on your contacts list.
This year, the city of Baltimore was hit by a type of ransomware named RobbinHood, which halted all city activities, including tax collection, property transfers, and government email for weeks. This attack has cost the city more than $18 million so far, and costs continue to accrue. The same type of malware was used against the city of Atlanta in 2018, resulting in costs of $17 million.
Astaroth is a fileless malware campaign that spammed users with links to a .LNK shortcut file. When users downloaded the file, a WMIC tool was launched, along with a number of other legitimate Windows tools. These tools downloaded additional code that was executed only in memory, leaving no evidence that could be detected by vulnerability scanners. Then the attacker downloaded and ran a Trojan that stole credentials and uploaded them to a remote server.
Adware called Fireball infected 250 million computers and devices in 2017, hijacking browsers to change default search engines and track web activity. However, the malware had the potential to become more than a mere nuisance. Three-quarters of it was able to run code remotely and download malicious files.
TrickBot malware is a type of banking Trojan released in 2016 that has since evolved into a modular, multi-phase malware capable of a wide variety of illicit operations. Learn more about what makes TrickBot highly concerning here.Read: What is TrickBot Malware
On Jan. 15, 2022, a set of malware dubbed WhisperGate was reported to have been deployed against Ukrainian targets. The incident is widely reported to contain three individual components deployed by the same adversary, including a malicious bootloader that corrupts detected local disks, a Discord-based downloader and a file wiper. The activity occurred at approximately the same time multiple websites belonging to the Ukrainian government were defaced. Learn more>
Android is an open ecosystem by design, which has its benefits but also makes the OS more vulnerable to malicious apps than Apple's iOS. Google has made progress here; a recent report noted that bad actors have had to get more creative in order to get their malware-laden apps onto Android devices. But that same report found that Trojan dropper apps netted over 300,000 downloads on Google Play recently in order to scoop up people's banking details.
Trojanized apps downloaded from unsecured marketplaces are another crossover hacker threat to Androids. Major Android app stores (Google and Amazon) keep careful watch on the third-party apps; but embedded malware can get through either occasionally from the trusted sites, or more often from the sketchier ones. This is the way your phone ends up hosting adware, spyware, ransomware, or any other number of malware nasties.
After publication, the identified operations and malware domains were taken down. For three months there was no apparent further activity from the actor. However, in the same week of September a series of spearphishing attempts once again targeted a set of otherwise unrelated individuals, employing the same tactics as before. Bahamut remains active, and its operations are more extensive than first disclosed. Our primary contribution in this update is to implicate Bahamut in what are likely counterterrorism-motivated surveillance operations, and to further affirm our belief that the group is a hacker-for-hire operation. Toward this we document a previously unnoticed link with a campaign targeting South Asia that was published last year. This post extends the previous publication with recent activity and lends more evidence to our past hypotheses about the political nature of its operations.
Domain Name Server (DNS) hijacking, also named DNS redirection, is a type of DNS attack in which DNS queries are incorrectly resolved in order to unexpectedly redirect users to malicious sites. To perform the attack, perpetrators either install malware on user computers, take over routers, or intercept or hack DNS communication.
On April 19, 2021, a cybersecurity firm reported a new set of fraudulent Android apps in the Google Play store, primarily targeting users in Southwest Asia and the Arabian Peninsula. The apps, suspected to belong to the "Joker" malware, work by hijacking SMS message notifications to carry out billing fraud. More than 700,000 downloads were recorded before the apps were removed from the platform.
Researchers further uncovered an earlier campaign tied to GoldenSpy malware that came installed with Chinese tax software. New evidence suggests that GoldenSpy was preceded by another piece of malware that employed similar capabilities to infect taxpayers within China. This earlier version of GoldenSpy is called GoldenHelper."
On September 2, Nepalese police arrested five Chinese nationals in connection with cyberattacks that cost Nepalese banks more than 35 million rupees (over $300,000). The attackers targeted the Nepal Electronic Payment System, which was established to coordinate cash withdrawals at 17 Nepalese banks, and inserted malware that directed ATMs to process withdrawal requests without first verifying with member banks. Staff at one Nepali bank discovered the theft when ATMs began running out of cash sooner than expected and informed authorities. Police recovered 12.63 million rupees (more than $110,000) during the arrests.
The Ursnif banking Trojan, which was discovered in 2007, was repurposed in a campaign targeting Japanese banks that began in 2016. Ursnif, also known as Gozi ISFB, is a popular malware that steals information on infected Windows devices. Ursnif has been deployed in a new campaign that specifically targets banks in Japan. The malware terminates itself on devices outside of the country. The campaign uses a distribution network of spam botnets and compromised web servers to deliver the Trojan. Between 2016 and 2017, researchers at Palo Alto Networks observed millions of infected emails sent to banks in Japan. Researchers have not been able to identify the operation behind the campaign, but evidence suggests it may be connected to the Cutwill Botnet, a cyber criminal operation active since 2007.
In May 2016 and January 2017, the National Bank of Blacksburg, based in the state of Virginia, was hit by phishing emails that enabled intruders to install malware and pivot into the Star Network, a U.S. bank card processing service. The 2017 attack gave wider access to bank networks and enabled the thieves to withdraw $1.8 million over the course of a weekend, taking total losses to $2.4 million. According to a lawsuit filed by the bank against its insurer to recover more of its losses, an investigation after the second attack concluded that both incidents were by the same group, using tools and servers of Russian origin.
In February 2018, it was revealed that thirty-six people from seven countries had been indicted in the United States for their alleged involvement in the Infraud Organization, which law enforcement officials say sells stolen personal and financial information. More than half a billion dollars was lost by the victims, the U.S. Department of Justice said, with a trail going back to October 2010. The organization was said to have more than 10,000 registered members who bought and sold illicit products including malware, data from credit card dumps, and information needed for identity fraud.
In March 2009, a security firm discovered an online data trove of stolen information from 160,000 computers infected by Zeus malware, including devices at Metro City Bank. A criminal gang also used Zeus in a global scheme to wire millions of dollars from five banks to overseas accounts, according to U.S. and UK officials who made more than 100 arrests in October 2010. The gang recruited mules to launder the stolen funds and withdraw money from ATMs around the world.
Since smss.exe launches before the Windows subsystem loads, it calls configuration subsystem to load the hive present at HKLMSYSTEMCurrentControlSetControlhivelist. Also, smss.exe will launch anything present in the BootExecute key at HKEY_LOCAL_MACHINESYSTEMControlSet002ControlSession Manager. It should always have the value of autocheck autochk*. If there are more values in it, then probably the malware is likely to launch at boot.
Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.
By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware. Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.