Jonathan Care’s Post

FINLAND AUTHORITIES WARN OF ANDROID MALWARE CAMPAIGN TARGETING BANK USERS Source: Security Affairs Date Published: May 6, 2024 Excerpt: Traficom, Finland’s Transport and Communications Agency, issued a warning regarding a current Android malware campaign aimed at bank accounts. Traficom reported that clients of multiple banks received text messages in the Finnish language that instruct recipients to call a service number, from which the bank user is directed to install malware on the Android device. Threat actors used a phone number that seems to be the number of a domestic telecom operator or a local network. The text messages purportedly from various companies, claiming debt collection or unusual account activity. The messages urge recipients to call a specified service number. Upon calling, recipients are warned of potential fraud and recommended to secure their device by downloading antivirus software. Then the victims receive a follow-up text message containing a link to a security software which is actually malware disguised as McAfee antivirus. Once installed, the malware grants access to the victim’s applications and messages, including online banking, allowing crooks to steal funds from the victim’s online bank." To read the complete article see: https://lnkd.in/du2gwEeE

“Scammers send SMS messages impersonating banks, instructing victims to install a fake McAfee app, which is actually malware.” It seems a new variant of SMS-led malware is in town. Threat actors often test their SMS links with regular SIM cards before initiating phishing campaigns, leaving Telco operators unable to protect subscribers or business customers. However, installing a network-based solution called Zero Trust SMS can safeguard them. It’s just a matter of time before every person in every country is more vulnerable to SMS phishing than they are via email, social media and the open web. https://lnkd.in/gVW7wTsF

The Medusa Android banking trojan has made a comeback with new, streamlined variants targeting users across seven countries, including the United States, United Kingdom, Canada, France, Italy, Spain, and Turkey[1][3]. First detected in May 2024, these updated versions of the malware, also known as TangleBot, have been engineered to be more stealthy and efficient[2][4]. Key features of the new Medusa variants include: * Reduced permission requirements, making the malware less conspicuous during initial analysis[4] * New capabilities such as screenshot capture, app uninstallation, and black screen overlay[1][4] * Retention of original functionalities like SMS manipulation, keylogging, and screen control[2] The malware is primarily spread through: * SMS phishing campaigns * Dropper apps disguised as legitimate applications, including a fake sports streaming app called "4K Sports"[2] * Distribution via five distinct botnets: AFETZEDE, UNKN, PEMBE, ANAKONDA, and TONY[2] Cybersecurity firm Cleafy, which discovered these new variants, warns that the malware's enhanced stealth and expanded geographical reach could potentially lead to widespread deployment[1][3]. The use of multiple distribution channels, including third-party platforms and social media, increases the risk of hundreds of thousands of downloads[2]. To protect against Medusa and similar threats, Android users are strongly advised to download apps only from official sources and remain vigilant against suspicious SMS messages or app update prompts[2]. Citations: [1] https://lnkd.in/eKCA3R22 [2] https://lnkd.in/eDUZYZkM [3] https://lnkd.in/eJvUuTsS [4] https://lnkd.in/eEaZeQ_q [5] https://lnkd.in/eFhMYCz5

Uncovering an Iranian mobile malware campaign Sophos X-Ops researchers discover a cluster of credential-harvesting apps targeting Iranian bank customers During a recent proactive hunt for malicious mobile malware, Sophos X-Ops researchers from SophosLabs discovered a group of four credential-harvesting apps targeting customers of several Iranian banks. Most of the apps are signed using the same – possibly stolen – certificate, and share various classes and strings. The apps target the following banks:   ✓ Bank Mellat ✓ Bank Saderat ✓ Resalat Bank ✓ Central Bank of Iran All the apps, which were available for download between December 2022 and May 2023, collect internet banking login credentials and credit card details, and have several other capabilities – including hiding their icons to maintain stealth, and intercepting incoming SMS messages which some banks use as part of multi-factor authentication schemes. While this is expected functionality for mobile banking malware, we did come across a few quirks in this campaign which intrigued us – including an unusual C2 mechanism, a possibly stolen certificate, and indicators of possible future campaigns. A list of the apps, hosting domains, and C2 domains we discovered during this investigation is available on our GitHub repository at https://lnkd.in/dSZD7icq. #phishing #smishing #bankingsecurity #sophoslabs #sophosmdr #cybersecurity

The threat actors behind the Mispadu banking Trojan have become the latest to exploit a now-patched Windows SmartScreen security bypass flaw to compromise users in Mexico. The attacks entail a new variant of the malware that was first observed in 2019, Palo Alto Networks Unit 42 said in a report published last week. Propagated via phishing mails, Mispadu is a Delphi-based information stealer known to specifically infect victims in the Latin American (LATAM) region. In March 2023, Metabase Q revealed that Mispadu spam campaigns harvested no less than 90,000 bank account credentials since August 2022. It's also part of the larger family of LATAM banking malware, including Grandoreiro, which was dismantled by Brazilian law enforcement authorities last week. Cybersecurity The latest infection chain identified by Unit 42 employs rogue internet shortcut files contained within bogus ZIP archive files that leverage CVE-2023-36025 (CVSS score: 8.8), a high-severity bypass flaw in Windows SmartScreen. It was addressed by Microsoft in November 2023. "This exploit revolves around the creation of a specifically crafted internet shortcut file (.URL) or a hyperlink pointing to malicious files that can bypass SmartScreen's warnings," security researchers Daniela Shalev and Josh Grunzweig said. "The bypass is simple and relies on a parameter that references a network share, rather than a URL. The crafted .URL file contains a link to a threat actor's network share with a malicious binary." Mispadu, once launched, reveals its true colors by selectively targeting victims based on their geographic location (i.e., Americas or Western Europe) and system configurations, and then proceeds to establish contact with a command-and-control (C2) server for follow-on data exfiltration. In recent months, the Windows flaw has been exploited in the wild by multiple cybercrime groups to deliver DarkGate and Phemedrone Stealer malware in recent months. Mexico has also emerged as a top target for several campaigns over the past year that have been found to propagate information stealers and remote access trojans like AllaKore RAT, AsyncRAT, Babylon RAT. This constitutes a financially-motivated group dubbed TA558 that has attacked the hospitality and travel sectors in the LATAM region since 2018.

Anatsa is a potent strain of banking trojan malware designed to infiltrate computers and mobile devices to steal sensitive financial data. So far, it has targeted users in the US, UK, Germany, Austria, and Switzerland, with over 30,000 installations observed in early 2023. It focuses on regions known for their robust banking sectors, gaining notoriety for its intricate design and devastating impact on individuals and financial institutions. Its modus operandi includes: 1. Keylogging and data theft 2. Man-in-the-middle attacks 3. Account takeover As Feedzai's David García points out, this banking trojan poses a significant threat to the financial services sector. Learn how to develop a proactive approach to address this threat through advanced technology, strategic planning, employee education, and cybersecurity partnerships. #BankingIndustry #Cybersecurity #Malware #FinancialServices https://hubs.la/Q023xRnJ0

🚨 New Android Banking Trojan Threat: Medusa Updates Unveiled 🚨 Cybersecurity researchers have discovered an updated version of the Medusa Android banking trojan targeting users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S. This sophisticated malware, also known as TangleBot, has been active since July 2023, with recent fraud campaigns observed in May 2024. Medusa's latest iteration features a "lightweight permission set" and capabilities like displaying full-screen overlays and remotely uninstalling applications. Initially identified in July 2020, Medusa can read SMS messages, log keystrokes, capture screenshots, record calls, and perform unauthorized fund transfers. The malware spreads through phishing and untrusted sources, exploiting Android's accessibility services API to enable permissions. This updated version uses a black screen overlay to deceive users into thinking their device is locked or powered off while conducting malicious activities. 🔍 Read more about these findings on https://lnkd.in/gtpPKGVT #Cybersecurity #AndroidTrojan #MedusaTrojan #CyberThreats #DataProtection #TechNews #CDeX

🌐 A recent report from The Hacker News has unveiled a new banking Trojan on the loose - ChaveCloak. 😱 Here's a quick rundown of what you need to know to keep your digital assets safe. 🌐 Target: Banking Institutions ChaveCloak has set its sights on financial institutions, aiming to exploit vulnerabilities and compromise sensitive banking information. 🏦 This isn't just another run-of-the-mill threat; it's a potent force that demands our immediate attention. 🕵️ Stealth Mode Engaged One of ChaveCloak's most alarming features is its ability to operate in stealth mode. 🕶️ It can discreetly infiltrate systems, making detection a real challenge. This Trojan is all about staying under the radar while wreaking havoc behind the scenes. 🛡️ Evading Traditional Defenses What's more concerning is that ChaveCloak has been crafted to bypass traditional security measures. 🔒 Firewalls and antivirus software may not be sufficient to stop this digital menace, emphasizing the need for cutting-edge cybersecurity protocols. 🚀 Constant Evolution ChaveCloak isn't resting on its laurels; it's constantly evolving to adapt to security updates. This makes it a dynamic threat that requires a proactive approach from the cybersecurity community. 💪 Staying ahead of the game is crucial to ensure our digital defenses remain robust. 👥 Community Alert Let's collaborate as a community to share information, insights, and best practices. 🤝 By staying informed and supporting each other, we can collectively strengthen our defenses against ChaveCloak and similar threats. 🔒 Protect Yourself: Action Steps * Update your antivirus and anti-malware software regularly. * Educate yourself and your team on the latest phishing tactics. * Implement multi-factor authentication for an added layer of security. 🤔 What are your thoughts on this emerging threat? Have you encountered any suspicious activity? Share your insights in the comments below! Let's keep the conversation flowing and stay one step ahead in the digital security game. Together, we can build a safer online environment! 💻🛡️ #Cybersecurity #ChaveCloak #DigitalSecurity #StayInformed Spread the word and let's stay ahead of the curve! 🌐💙 https://lnkd.in/gXErYj8p

#cybertechdave100daysofcyberchallenge Day 98 - 100 Days of Cyber A trojan that has banks as its targets is back in the wild internet. It is the Grandoreiro banking trojan and it had seemingly been defeated by the authorities in March of 2024. The campaign has phishing attacks and has casted its net in over 60 countries. The goal of the phishing attack is to get the user to download an executable. This is what is scary about this malware, “The custom loader is artificially inflated to more than 100 MB to bypass anti-malware scanning software. It's also responsible for ensuring that the compromised host is not in a sandboxed environment, gathering basic victim data to a command-and-control (C2) server, and downloading and executing the main banking trojan.“ Advice: don’t download anything unless you forward the email to your security team. They will let you know if something is amiss. https://lnkd.in/gzM6iW5P

⚠️ ALERT: Finland's Transport and Communications Agency (Traficom) issued a warning on Android malware campaign targeting online bank accounts! 🚨 Spoofed messages posing as banks or payment providers like MobilePay are circulating, using local telecom operator disguises. Only end-to-end digital security is key, connect with us for cyber solutions! #SimpleCyber #Cybersecurity #CyberNews