Germany: Backdoor found in four smartphone models; 20,000 users infected

By: Catalin Cimpanu

German cyber-security agency warns against buying or using four low-end smartphone models.

The German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik — BSI) has issued security alerts today warning about dangerous backdoor malware found embedded in the firmware of at least four smartphone models sold in the country.

Impacted models include the Doogee BL7000, the M-Horse Pure 1, the Keecoo P11, and the VKworld Mix Plus (malware present in the firmware, but inactive). All four are low-end Android smartphones.

PHONES INFECTED WITH BACKDOOR TROJAN

The BSI said the phones’ firmware contained a backdoor trojan named Andr/Xgen2-CY.

UK cyber-security firm Sophos Labs first spotted this malware strain in October 2018. In a report it published at the time, Sophos said the malware was embedded inside an app named SoundRecorder, included by default on uleFone S8 Pro smartphones.

Sophos said Andr/Xgen2-CY was designed to work as an unremovable backdoor on infected phones.

The malware’s basic design was to start running once the phone was turned on, collect details about an infected phone, ping back its command-and-control server, and wait for future instructions.

According to Sophos, Andr/Xgen2-CY could collect data such as:

  • The device’s phone number
  • Location information, including longitude, latitude, and a street address
  • IMEI identifier and Android ID
  • Screen resolution
  • Manufacturer, model, brand, OS version
  • CPU information
  • Network type
  • MAC address
  • RAM and ROM size
  • SD Card size
  • Language and country
  • Mobile phone service provider

More: https://www.zdnet.com/article/germany-backdoor-found-in-four-smartphone-models-20000-users-infected/

What’s Farsi for ‘as subtle as a nuke through a window’? Foreign diplomats in Iran hit by renewed Remexi nasty Iran, spying on foreigners within its borders? Shocked, shocked, we tell you

By: Shaun Nichols

A newly uncovered spyware-slinging operation appears to have been targeting foreign diplomats in Iran for more than three years.

Researchers at Kaspersky Lab said this week that a new build of the Remexi software nasty, first seen in 2015, has been spotted lurking on multiple machines within Iran, mostly those located within what we assume are foreign embassy buildings. The Windows-targeting surveillance-ware was previously associated with a hacking group known as Chafer, and an examination of the latest strain suggests it is of Iranian origin.

“The malware can exfiltrate keystrokes, screenshots, browser-related data like cookies and history, decrypted when possible,” Kaspersky’s Denis Legezo said of the infection.

“The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses standard Windows utilities like Microsoft Background Intelligent Transfer Service (BITS) bitsadmin.exe to receive commands and exfiltrate data.”

Curiously, Legezo said he does not yet know how the malware is spreading in the wild, just that it is targeting “foreign diplomatic entities” based within Iran.

“So far, our telemetry hasn’t provided any concrete evidence that shows us how the Remexi malware spread,” we’re told.

“However, we think it’s worth mentioning that for one victim we found a correlation between the execution of Remexi’s main module and the execution of an AutoIt script compiled as PE, which we believe may have dropped the malware.”

Once on a victim’s machine, the spyware is very persistent, hiding out in scheduled tasks, Userinit and Run registry keys in the HKLM hive, depending on the version of Windows it has infected. Data is exfiltrated to command and control servers using Microsoft’s bitsadmin.exe transfer utility.

According to timestamps in the malware, its development appears to have been completed in March 2018, though there are a few sections of the code that appear to be much older.

More:  https://www.theregister.co.uk/2019/01/31/iran_embassies_malware/

Attackers Connect with Malware via Malicious Memes

By: Kacy Zurkus

A new type of malware has been found listening for commands from malicious memes posted on Twitter, according to new research from Trend Micro.

Cyber-criminals are using the social site as an unwilling conduit in communicating with its mothership through the use of steganography, a tactic that hides a payload inside an image in order to evade detection. The payload also instructs the malware to take a screenshot and collect system information from the infected computer, Aliakbar Zahravi wrote in a recent blog post.

“This new threat (detected as TROJAN.MSIL.BERBOMTHUM.AA) is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled. Twitter has already taken the account offline as of December 13, 2018,” the blog said.

In late October, the malware authors posted malicious memes in two separate tweets. Using a Twitter account run by the malware operator, the malware listens for a command embedded in the memes. Once downloaded from the Twitter account onto the victim’s machine, the malware parses in order to act as the command-and-control (C&C) service for the malware, according to Zahravi.

More: https://www.infosecurity-magazine.com/news/attackers-connect-with-malware-via/

The source code of the Exobot Android banking trojan has been leaked online

By: Pierluigi Paganini

The source code of the Exobot Android banking trojan has been leaked online, researchers already verified its authenticity.

The source code of the Exobot Android banking trojan has been leaked online and experts believe that we will soon assist at a new wave of attacks based on the malware.

The Exobot Android banking trojan was first spotted at the end of 2016 when its authors were advertising it on the dark web.

The authors were advertising it saying that it can be used for phishing attacks, it implements various features of most common banking Trojan such as intercepting SMS messages.

Exobot is a powerful banking malware that is able of infecting even smartphones running the latest Android versions.

In January, the authors decided to stop working at the malware and offered for sale its source code.

Now researchers from Bleeping Computer confirmed to have received a copy of the source code from an unknown individual and shared it with malware researchers from ESET and ThreatFabric in order to verify its authenticity.

“The code proved to be version 2.5 of the Exobot banking trojan, also known as the “Trump Edition,” one of Exobot’s last version before its original author gave up on its development.” reads a blog postpublished by Bleeping Computer.

Exobot Android banking trojan

According to experts from ThreatFabric the version provided to Bleeping Computer was leaked online in May. It seems that one of the users that purchased the malicious code decided to leak it online.

More: https://securityaffairs.co/wordpress/74678/malware/exobot-source-code-leaked.html

Malware Delivers Cryptor or Miner, Trojan’s Choice

By: Kacy Zurkus

A long-existing Trojan family still functioning today has spawned new malicious samples of malware, which infects its victims with either a cryptor or a miner, according to Kaspersky Lab.

Distributed through spam emails with documents attached, the samples are related to the Trojan-Ransom.Win32.Rakhni family. “After opening the email attachment, the victim is prompted to save the document and enable editing. The victim is expected to double-click on the embedded PDF file. But instead of opening a PDF the victim launches a malicious executable,” researchers wrote.

The Trojan decides which payload should be downloaded onto the victim’s PC at the moment the malicious executable is launched. “The fact that the malware can decide which payload it uses to infect the victim provides yet another example of the opportunistic tactics used by cybercriminals,” said Orkhan Mamedov, malware analyst, Kaspersky Lab.

“They will always try to benefit from their victims: either by directly extorting money (cryptor), by the unauthorized use of user resources for their own needs (miner), or by exploiting the victim in the chain of malware distribution (net-worm).”

Since first discovered in 2013, the malware writers have changed the way their Trojans get keys. Where they were once locally generated, they are now received from the command and control (C&C). They’ve also altered the algorithms used, going from exclusively using a symmetric algorithm and evolving through a commonly used scheme of symmetric and asymmetric.

Analysts have recently discovered 18 symmetric algorithms used simultaneously. The crypto-libraries are also different, as is the distribution method, which has ranged from spam to remote execution. In the recently spotted samples, criminals added a new mining capability feature.

More: https://www.infosecurity-magazine.com/news/malware-delivers-cryptor-or-miner/

HeroRat Controls Infected Android Devices via Telegram

By: Ionut Arghire

A newly detailed Android remote access Trojan (RAT) is leveraging Telegram’s bot functionality to control infected devices, ESET reveals.

Dubbed HeroRat, the malware has been spreading since at least August 2017. As of March 2018, the Trojan’s source code has been available for free on Telegram hacking channels, resulting in hundreds of variants emerging in attacks.

Although the source code is available for free, one of these variants is being sold on a dedicated Telegram channel at three price points, depending on functionality. A support video channel is also available, the security company has discovered.

“It is unclear whether this variant was created from the leaked source code, or if it is the ‘original’ whose source code was leaked,” ESET’s Lukas Stefanko notes in a blog post.

HeroRat differs from other Telegram-abusing Android RATs in that it has been developed from scratch in C#, using the Xamarin framework, Stefanko says. This is a rare combination for Android malware, as previously analyzed Trojans were written in standard Android Java.

Moreover, the malware author has adapted the Telegram protocol to the used programming language. Instead of using the Telegram Bot API as other RATs, the new threat uses Telesharp, a library for creating Telegram bots with C#. All communication to and from the infected devices is performed using the Telegram protocol.

The new malware is being distributed via third-party app stores, social media, and messaging apps, in various appealing guises (apps promising free Bitcoins, free Internet, and more followers on social media), mostly in Iran.

The malicious program is compatible with all Android versions, but it requires users to grant it a broad range of permissions, sometimes even activating its app as device administrator. Based on these permissions, the threat can then erase all data on the device, lock the screen, change passwords, and change password rules.

After the installation has been completed and the malware is launched, a popup appears (in either English or Persian), claiming that the app can’t run and that it is being uninstalled. The victim is then informed the uninstallation has been completed, and the app icon disappears.

The malware, however, continues to run in the background, and the attacker can start using Telegram’s bot functionality to control the newly infected device. A bot operated via the Telegram app controls each compromised device, Stefanko says.

HeroRat can spy on victims and exfiltrate files from the infected devices. It can intercept text messages, steal contacts, send text messages, and make calls, record audio and screen, obtain device location, and control the device’s settings.

These capabilities are accessible through clickable buttons in the Telegram bot interface, making it very easy for attackers to control victimized devices.

More: https://www.securityweek.com/herorat-controls-infected-android-devices-telegram

Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan

By: Swati Khandelwal

Security researchers have been warning about an ongoing malware campaign hijacking Internet routers to distribute Android banking malware that steals users’ sensitive information, login credentials and the secret code for two-factor authentication.

In order to trick victims into installing the Android malware, dubbed Roaming Mantis, hackers have been hijacking DNS settings on vulnerable and poorly secured routers.

DNS hijacking attack allows hackers to intercept traffic, inject rogue ads on web-pages and redirect users to phishing pages designed to trick them into sharing their sensitive information like login credentials, bank account details, and more.

Hijacking routers’ DNS for a malicious purpose is not new. Previously we reported about widespread DNSChanger and Switcher—both the malware worked by changing the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by attackers.

Discovered by security researchers at Kaspersky Lab, the new malware campaign has primarily been targeting users in Asian countries, including South Korea, China Bangladesh, and Japan, since February this year.

Once modified, the rogue DNS settings configured by hackers redirect victims to fake versions of legitimate websites they try to visit and displays a pop-up warning message, which says—”To better experience the browsing, update to the latest chrome version.”

MORE: https://thehackernews.com/2018/04/android-dns-hijack-malware.html