Government Agencies Release Blueprint for Secure Smart Cities

NCSC and CISA want to balance connectivity with resilience

The strong link between cyber threat intelligence and digital risk protection

While indicators of compromise (IoCs) and attackers’ tactics, techniques, and procedures (TTPs) remain central to threat intelligence, cyber threat intelligence (CTI) needs have grown over the past few years, driven by digital transformation, cloud computing, SaaS proliferation, and remote worker support. These changes have led to a CTI subcategory focused on digital risk protection (DRP). DRP is broadly defined as “telemetry, analysis, processes, and technologies used to identify and mitigate risks associated with digital assets.”

I’ve earlier examined ESG research on enterprise CTI programs based on. CISOs are investing here but challenges remain. I’ve also dug into the CTI lifecycle. Nearly three-quarters (74%) of organizations claim they employ a lifecycle, but many describe bottlenecks in one or several of the lifecycle phases.

Fakecalls Android Malware Abuses Legitimate Signing Key

Authored by Dexter Shin 

McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year. By design, Android requires every application to be signed with a developer key (kept in the developer’s keystore) before it can be installed or updated. Because that private key is supposed to be held only by the developer who created it, any application signed with the same key is assumed to come from the same developer. This Android banking trojan uses a leaked legitimate signing key to bypass signature-based detection techniques. These banking trojans have not been distributed on Google Play or other official app stores. The threat was disclosed last year to the company that owns the legitimate key, and the company has taken precautions: it has confirmed that the signing key was replaced and that all of its legitimate apps are now signed with a new signing key. 

Android malware using a legitimate signing key 

While tracking the Android banking trojan Fakecalls we found a sample using the same signing key as a well-known app in Korea. This app is developed by a reputable IT services company with extensive businesses across various sectors, including but not limited to IT, gaming, payment, and advertising. We confirmed that most of the malicious samples using this key pretend to be a banking app, as they use the same icon as the real banking apps. 

Figure 1. Malware and legitimate app on Google Play 
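The practical triage step that follows from the section above is to fingerprint the certificate an APK was signed with and compare it against keys known to be leaked. The Python below is an added example, not McAfee’s code or detection logic: it pulls the v1 (JAR) signature block out of an APK with a minimal DER walker, hashes every certificate it finds, and checks the hashes against a blocklist. The sample APK, its certificate and the blocklist are constructed inline and are not the real Fakecalls key (the page does not publish it); parsing only the v1 block, not the v2/v3 APK Signing Block, is a simplifying assumption of this example.

```python
import hashlib
import io
import zipfile


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos: (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def certificates_in_pkcs7(blob):
    """Raw DER of every certificate in a PKCS#7 SignedData (RFC 5652 layout:
    ContentInfo{OID, [0]EXPLICIT SignedData{ver, algs, content, [0]IMPLICIT certs, ..}})."""
    _, _, ci_start, ci_end = next(der_children(blob, 0, len(blob)))
    explicit = [c for c in der_children(blob, ci_start, ci_end) if c[0] == 0xA0]
    if not explicit:
        return []
    _, _, sd_start, sd_end = next(der_children(blob, explicit[0][2], explicit[0][3]))
    certs = []
    for tag, _, vs, ve in der_children(blob, sd_start, sd_end):
        if tag == 0xA0:                                 # certificates [0] IMPLICIT
            certs += [blob[cs:cve] for ctag, cs, _, cve in der_children(blob, vs, ve)
                      if ctag == 0x30]
    return certs


def signer_fingerprints(apk_bytes):
    """SHA-256 hex fingerprints of every v1 (JAR) signing certificate in the APK.
    Assumption: v2/v3 signing blocks (outside the zip entries) are not parsed here."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps += [hashlib.sha256(c).hexdigest() for c in certificates_in_pkcs7(z.read(name))]
    return fps


def matches_leaked_key(apk_bytes, leaked_fingerprints):
    """True if any signing certificate of the APK is on the leaked-key blocklist."""
    return any(fp in leaked_fingerprints for fp in signer_fingerprints(apk_bytes))


def der_encode(tag, payload):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_apk(cert_der):
    """Constructed sample: an APK-shaped zip whose META-INF/CERT.RSA is a PKCS#7
    SignedData carrying cert_der (signerInfos left empty; only the cert is needed)."""
    signed_data = der_encode(0x30,
        der_encode(0x02, b"\x01")                                                # version
        + der_encode(0x31, b"")                                                  # digestAlgorithms
        + der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010701")))  # id-data
        + der_encode(0xA0, cert_der)                                             # certificates
        + der_encode(0x31, b""))                                                 # signerInfos
    pkcs7 = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010702"))  # id-signedData
                       + der_encode(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


# Constructed stand-in for the abused certificate; any DER SEQUENCE exercises the walk.
SAMPLE_CERT = der_encode(0x30, der_encode(0x13, b"constructed test certificate"))
SAMPLE_LEAKED_FINGERPRINT = hashlib.sha256(SAMPLE_CERT).hexdigest()

if __name__ == "__main__":
    apk = build_sample_apk(SAMPLE_CERT)
    print(signer_fingerprints(apk))
    print("signed with leaked key:", matches_leaked_key(apk, {SAMPLE_LEAKED_FINGERPRINT}))
```

In a real hunt the blocklist entry comes from the known-good app (for example `apksigner verify --print-certs` on the vendor’s own release prints the certificate SHA-256), and the same fingerprint match works for the v2/v3 schemes once the APK Signing Block is parsed, since the certificate is the same object.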

Distribution method and latest status 

Domains verified last August, when we first discovered the samples, are now down. However, we investigated URLs related to this malware and found similar ones tied to this threat. Among them, we identified a phishing site that was still alive during our research. The site is also disguised as a banking site. 

Figure 2. A phishing page disguised as a Korean banking site 

We also found that they updated the domain information of this web page a few days before our investigation. 

So we took a deeper look into this domain and found additional unusual IP addresses that led us to the Command and Control (C2) server admin pages used by the cybercriminals to control the infected devices. 

Figure 3. Fakecalls Command and Control (C2) admin pages 

How does it work 

When we check the APK file structure, we can see that this malware uses a packer to avoid analysis and detection. The malicious code is encrypted in one of the files below. 

Figure 4. Tencent’s Legu Packer libraries 

After decrypting the DEX file, we found some unusual functionality. The code below gets the Android package information from a file with a HTML extension. 

Figure 5. Questionable code in the decrypted DEX file 

This file is in fact another APK (Android Application) rather than a traditional HTML file designed to be displayed in a web browser. 

Figure 6. APK file disguised as an HTML file 

When the user launches the malware, it immediately asks for permission to install another app. It then tries to install an application stored in the assets directory as “introduction.html”. This “introduction.html” is in fact an APK file, and the real malicious behavior happens there. 

Figure 7. Dropper asks you to install the main payload 
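The dropper pattern just described, a second APK stored under assets/ with a misleading extension, is easy to check for statically: the extension says HTML, but the bytes are a zip that carries AndroidManifest.xml and classes.dex. The Python below is an added example, not McAfee’s tooling; it scans the bundled files of an APK for embedded packages whose extension does not say .apk. The dropper it inspects is constructed inline (a genuine HTML asset next to an “introduction.html” that is really a package), and the choice of assets/ and res/raw/ as the directories worth scanning is an assumption of this example.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
APK_MARKERS = ("AndroidManifest.xml", "classes.dex")
# Directories a dropper can read a payload back from at runtime (assumption)
PAYLOAD_DIRS = ("assets/", "res/raw/")


def looks_like_apk(data):
    """True if data is a zip archive carrying the entries every APK contains."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return False
    return all(marker in names for marker in APK_MARKERS)


def find_disguised_apks(apk_bytes):
    """Names of bundled files that are complete APKs but whose extension says
    otherwise (an 'introduction.html' that is really a package, for example)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            if not name.startswith(PAYLOAD_DIRS) or name.lower().endswith(".apk"):
                continue
            if looks_like_apk(outer.read(name)):
                hits.append(name)
    return hits


def build_sample_dropper():
    """Constructed sample: a dropper-shaped APK with a genuine HTML asset and a
    second 'HTML' asset that is really an embedded APK (the pattern in the text)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='payload.sample'/>")
        z.writestr("classes.dex", b"dex\n035\x00constructed")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='dropper.sample'/>")
        z.writestr("classes.dex", b"dex\n035\x00constructed")
        z.writestr("assets/help.html", b"<html><body>real help page</body></html>")
        z.writestr("assets/introduction.html", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for entry in find_disguised_apks(build_sample_dropper()):
        print("embedded APK disguised as", entry)
```

A packer such as the one in Figure 4 hides the code that reads the asset, but not the asset itself, which is why a content-based check on the bundled files still fires when string or DEX-based signatures do not.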

When the dropped payload is about to be installed, it asks for several permissions to access sensitive personal information. 

Figure 8. Permissions required by the main malicious application 

It also registers several services and receivers to control notifications from the device and to receive commands from a remote Command and Control server. 

Figure 9. Services and receivers registered by the main payload

The malware also uses a legitimate push SDK to receive commands from a remote server. Here is the complete list of commands and their purpose. 

Command name          Purpose
note                  upload SMS messages
incoming_transfer     upload caller number
del_phone_record      delete call log
zhuanyi               set call forwarding (with parameter)
clear_note            delete SMS messages
assign_zhuanyi        set call forwarding
file                  upload file
lanjie                block SMS messages from specified numbers
allfiles              find all possible files and upload them
email_send            send email
record_telephone      turn call recording on
inout                 re-mapping on C2 server
blacklist             register as blacklist
listener_num          no function
no_listener_num       disable monitoring of a specific number
rebuild               reset and reconnect to C2
deleteFile            delete file
num_address_list      upload contacts
addContact            add contacts
all_address_list      upload call records
deleteContact         delete contacts
note_intercept        intercept SMS messages from specified numbers
intercept_all_phone   intercept SMS messages from all numbers
clear_date            delete all files
clear_phone_contact   delete all contacts
clear_phone_record    delete all call logs
per_note              quick SMS message upload
soft_name             upload app name

Cybercriminals are constantly evolving and finding new ways to bypass security checks, such as abusing legitimate signing keys. Fortunately, no damage to users resulted from this signing key leak. We still recommend that users install security software on their devices to respond to these threats, and that they download and use apps only from the official app stores. 

McAfee Mobile Security detects this threat as Android/Banker regardless of whether the application is signed with the previously legitimate signing key. 

Indicators of Compromise 

SHA256                                                            Name          Type
7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8  신한신청서    Dropper
9e7c9b04afe839d1b7d7959ad0092524fd4c6b67d1b6e5c2cb07bb67b8465eda  신한신청서    Dropper
21ec124012faad074ee1881236c6cde7691e3932276af9d59259df707c68f9dc  신한신청서    Dropper
9621d951c8115e1cc4cf7bd1838b8e659c7dea5d338a80e29ca52a8a58812579  신한신청서    Dropper
60f5deb79791d2e8c2799e9af52adca5df66d1304310d1f185cec9163deb37a2  보안인증서    Banker
756cffef2dc660a241ed0f52c07134b7ea7419402a89d700dffee4cc6e9d5bb6  보안인증서    Banker
6634fdaa22db46a6f231c827106485b8572d066498fc0c39bf8e9beb22c028f6  보안인증서    Banker
52021a13e2cd7bead4f338c8342cc933010478a18dfa4275bf999d2bc777dc6b  보안인증서    Banker
125772aac026d7783b50a2a7e17e65b9256db5c8585324d34b2e066b13fc9e12  보안인증서    Banker
a320c0815e09138541e9a03c030f30214c4ebaa9106b25d3a20177b5c0ef38b3  보안인증서    Banker
c7f32890d6d8c3402601743655f4ac2f7390351046f6d454387c874f5c6fe31f  보안인증서    Banker
dbc7a29f6e1e91780916be66c5bdaa609371b026d2a8f9a640563b4a47ceaf92  보안인증서    Banker
e6c74ef62c0e267d1990d8b4d0a620a7d090bfb38545cc966b5ef5fc8731bc24  보안인증서    Banker

Domains: 

http[://]o20-app.dark-app.net 
http[://]o20.orange-app.today 
http[://]orange20.orange-app.today 

The post Fakecalls Android Malware Abuses Legitimate Signing Key appeared first on McAfee Blog.

3CX Breach Was a Double Supply Chain Compromise

We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX. The lengthy, complex intrusion has all the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.

Researchers at ESET say this job offer from a phony HSBC recruiter on LinkedIn was North Korean malware masquerading as a PDF file.

In late March 2023, 3CX disclosed that its desktop applications for both Windows and macOS were compromised with malicious code that gave attackers the ability to download and run code on all machines where the app was installed. 3CX says it has more than 600,000 customers and 12 million users in a broad range of industries, including aerospace, healthcare and hospitality.

3CX hired incident response firm Mandiant, which released a report on Wednesday that said the compromise began in 2022 when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER, a software package provided by Trading Technologies.

“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” reads the April 20 Mandiant report.

Mandiant found that the earliest evidence of compromise within 3CX’s network was a VPN login using the employee’s corporate credentials, two days after the employee’s personal computer was compromised.

“Eventually, the threat actor was able to compromise both the Windows and macOS build environments,” 3CX said in an April 20 update on their blog.

Mandiant concluded that the 3CX attack was orchestrated by the North Korean state-sponsored hacking group known as Lazarus, a determination that was independently reached earlier by researchers at Kaspersky Lab and Elastic Security.

Mandiant found the compromised 3CX software would download malware that sought out new instructions by consulting encrypted icon files hosted on GitHub. The decrypted icon files revealed the location of the malware’s control server, which was then queried for a third stage of the malware compromise — a password stealing program dubbed ICONICSTEALER.

The double supply chain compromise that led to malware being pushed out to some 3CX customers. Image: Mandiant.

Meanwhile, the security firm ESET today published research showing remarkable similarities between the malware used in the 3CX supply chain attack and Linux-based malware that was recently deployed via fake job offers from phony executive profiles on LinkedIn. The researchers said this was the first time Lazarus had been spotted deploying malware aimed at Linux users.

As reported in a series of stories last summer, LinkedIn has been inundated this past year by fake executive profiles for people supposedly employed at a range of technology, defense, energy and financial companies. In many cases, the phony profiles spoofed chief information security officers at major corporations, and some attracted quite a few connections before their accounts were terminated.

Mandiant, Proofpoint and other experts say Lazarus has long used these bogus LinkedIn profiles to lure targets into opening a malware-laced document that is often disguised as a job offer. This ongoing North Korean espionage campaign using LinkedIn was first documented in August 2020 by ClearSky Security, which said the Lazarus group operates dozens of researchers and intelligence personnel to maintain the campaign globally.

Microsoft Corp., which owns LinkedIn, said in September 2022 that it had detected a wide range of social engineering campaigns using a proliferation of phony LinkedIn accounts. Microsoft said the accounts were used to impersonate recruiters at technology, defense and media companies, and to entice people into opening a malicious file. Microsoft found the attackers often disguised their malware as legitimate open-source software like Sumatra PDF and the SSH client Putty.

Microsoft attributed those attacks to North Korea’s Lazarus hacking group, although it had traditionally referred to this group as “ZINC.” That is, until earlier this month, when Redmond completely revamped the way it names threat groups; Microsoft now refers to ZINC as “Diamond Sleet.”

The ESET researchers said they found a new fake job lure tied to an ongoing Lazarus campaign on LinkedIn designed to compromise Linux operating systems. The malware was found inside of a document that offered an employment contract at the multinational bank HSBC.

“A few weeks ago, a native Linux payload was found on VirusTotal with an HSBC-themed PDF lure,” wrote ESET researchers Peter Kalnai and Marc-Etienne M.Leveille. “This completes Lazarus’s ability to target all major desktop operating systems. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload.”

ESET said the malicious PDF file used in the scheme appeared to have a file extension of “.pdf,” but that this was a ruse. ESET discovered that the dot in the filename wasn’t a normal period but instead a Unicode character (U+2024) representing a “leader dot,” which is often used in tables of contents to connect section headings with the page numbers on which those sections begin.

“The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF,” the researchers continued. “This could cause the file to run when double-clicked instead of opening it with a PDF viewer.”

ESET said anyone who opened the file would see a decoy PDF with a job offer from HSBC, but in the background the executable would download additional malware payloads. The ESET team also found the malware was able to manipulate the icon displayed for the malicious file, possibly because fiddling with the file extension could otherwise cause the user’s system to display a blank icon for the malware lure.
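The leader-dot trick works because what a person reads as “.pdf” is not what the file manager parses: U+2024 ONE DOT LEADER is not U+002E, so the name has no extension at all in the OS’s eyes, while Unicode compatibility normalization (NFKC) folds it back to an ASCII full stop. The Python below is an added example, not ESET’s code, for mail-gateway or endpoint triage of attachment names: it reports the extension a user sees, the extension the system actually parses, and every dot lookalike in the name. The lure filename is constructed to match the description above, not the real sample name (the page does not give it); extending the check to every code point that NFKC-folds to “.” (U+FF0E and U+FE52 among them) goes beyond the single character ESET reported.

```python
import unicodedata


def dot_lookalikes(name):
    """Characters that are not an ASCII full stop but NFKC-fold to one, as
    [(index, 'U+XXXX', unicode name)]. U+2024 ONE DOT LEADER is the one ESET saw."""
    found = []
    for i, ch in enumerate(name):
        if ch != "." and unicodedata.normalize("NFKC", ch) == ".":
            found.append((i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN")))
    return found


def extension_as_displayed(name):
    """Extension a human reads off the screen: text after the last dot-like glyph."""
    folded = unicodedata.normalize("NFKC", name)
    return folded.rsplit(".", 1)[1].lower() if "." in folded else ""


def extension_as_parsed(name):
    """Extension the file manager or MIME sniffing actually sees: text after the
    last ASCII '.', or '' when the only 'dot' is a lookalike."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyze_filename(name):
    """Flag a filename whose visible extension is not the one the OS will act on."""
    shown, real = extension_as_displayed(name), extension_as_parsed(name)
    return {
        "displayed_ext": shown,
        "parsed_ext": real,
        "lookalike_dots": dot_lookalikes(name),
        "suspicious": shown != real,
    }


if __name__ == "__main__":
    # Constructed lure name modelled on ESET's description, not the real filename
    for sample in ("HSBC_Job_Offer\u2024pdf", "HSBC_Job_Offer.pdf"):
        print(repr(sample), analyze_filename(sample))
```

Comparing the displayed and parsed extensions, rather than only searching for U+2024, also catches a name such as `report.pdf\u2024exe`, where the parsed extension is the odd-looking `pdf\u2024exe` and the displayed one is `exe`.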

Kim Zetter, a veteran Wired.com reporter and now independent security journalist, interviewed Mandiant researchers who said they expect “many more victims” will be discovered among the customers of Trading Technologies and 3CX now that news of the compromised software programs is public.

“Mandiant informed Trading Technologies on April 11 that its X_Trader software had been compromised, but the software maker says it has not had time to investigate and verify Mandiant’s assertions,” Zetter wrote in her Zero Day newsletter on Substack. For now, it remains unclear whether the compromised X_Trader software was downloaded by people at other software firms.

If there’s a silver lining here, the X_Trader software had been decommissioned in April 2020 — two years before the hackers allegedly embedded malware in it.

“The company hadn’t released new versions of the software since that time and had stopped providing support for the product, making it a less-than-ideal vector for the North Korean hackers to infect customers,” Zetter wrote.