Neu Cyber Threats – 25th February 2021
Cyber criminals have been discovered switching backslashes in phishing email URLs in order to evade email filters. This has led to a near 6,000% rise in attacks using “malformed URL prefixes”, which helps deliver phishing email campaigns successfully.
To the naked eye, the URLs can look normal, but a careful recipient will notice that the usual prefixes ‘http://’ or ‘https://’ are not used; instead the URL begins with ‘http:/\’. The cyber criminals are aware that the slashes in the address are largely unimportant, so browsers and many scanners don’t look at them.
The tactic is reminiscent of ‘typosquatting’. This is where cyber criminals deliberately incorrectly spell a business’ name, such as ‘ebuy.com’ — to try and trick unobservant users into clicking. Nowadays, most people know to look for these kinds of email scams, so threat actors have evolved, changing URL prefixes as another way to catch out recipients.
The attack tactic was first noted last October, and has gained momentum ever since — with attacks between January and early February spiking by 5,933%. The phishing email looks like it has been sent via a voicemail service, and the email contains a link to play the voice message which looks something like, ‘Play Audi Date.wav’, and redirects the user to a malicious site. The site even features a reCAPTCHA feature to give the victim a false sense of security, showing the sophistication of the attack.
What follows is a false Office login page, which attempts to steal the user’s credentials, by asking for a username and password. As a result, Office 365 users are far more likely to experience this type of breach. It’s recommended that IT departments or providers search the business’ emails for messages containing URLs that match the threat’s pattern (http:/\), before removing any matches found.
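One way to run the search recommended above over a mailbox, as an added example that is not Neuways’ own tooling: the regular expression flags any http(s) URL whose separator is a slash/backslash mix other than the canonical ‘//’ (the ‘http:/\’ form from the campaign plus the other mixed forms), and the sample messages are constructed for the demonstration.

```python
import re

# Matches an http/https scheme followed by a two-character separator that is
# NOT the canonical "//": e.g. "http:/\", "https:\/", "http:\\".
# The campaign used "http:/\"; this generalises to any slash/backslash mix.
MALFORMED_PREFIX_RE = re.compile(
    r"\b(https?):(?!//)([/\\]{2})([^\s<>\"']+)",
    re.IGNORECASE,
)

def find_malformed_url_prefixes(text: str) -> list:
    """Return one finding per URL in `text` that uses a malformed prefix."""
    findings = []
    for m in MALFORMED_PREFIX_RE.finditer(text):
        scheme, sep, rest = m.groups()
        # Crude host extraction: cut at the first slash or backslash.
        host = rest.split("/")[0].split("\\")[0]
        findings.append(
            {"url": m.group(0), "scheme": scheme.lower(),
             "separator": sep, "host": host}
        )
    return findings

def triage_mailbox(messages: list) -> list:
    """Given message dicts with 'id' and 'body', return those to quarantine."""
    flagged = []
    for msg in messages:
        hits = find_malformed_url_prefixes(msg["body"])
        if hits:
            flagged.append({"id": msg["id"], "urls": [h["url"] for h in hits]})
    return flagged

# Constructed sample messages (not real campaign data); the ".test" domain
# is a reserved placeholder. In the Python literal, "\\" is one backslash.
SAMPLE_EMAIL = """Subject: New voicemail
You have a new voice message.
Play recording: http:/\\voicemail-example.test/play?id=42
Our real site: https://www.example.com/
"""

MAILBOX = [
    {"id": "msg-1", "body": "Report attached. Portal: https://intranet.example.com/"},
    {"id": "msg-2", "body": SAMPLE_EMAIL},
    {"id": "msg-3", "body": "Reminder: http://status.example.com is back up."},
]

if __name__ == "__main__":
    for entry in triage_mailbox(MAILBOX):
        print(f"quarantine {entry['id']}: {entry['urls']}")
```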
Wider Phishing Awareness Training for employees remains very important for businesses. By ensuring employees are trained to a high standard in identifying potential cyber threats, businesses are giving themselves the best chance of avoiding any damaging data breaches.
A mysterious malware called Silver Sparrow has been found on 30,000 Apple Macs around the world – becoming the second known malware to target Macs with Apple’s M1 chip.
Silver Sparrow has been executing on victims’ machines with the final payload yet to be determined, as the malware waits for further instructions from its authors. macOS endpoints across 153 countries, primarily in Canada, France, Germany, the United Kingdom and the United States, are known to have been infected.
The M1 system-on-a-chip (SoC) was released by Apple in autumn 2020, marking the first time that the tech giant created its own internal chip. It brings benefits such as faster performance for native applications and extended battery life, among other features.
Researchers found that none of the nearly 30,000 affected hosts downloaded what would be the next or final payload, at the time of writing. This would presumably be a component that would carry out malicious actions like data exfiltration, cryptomining, ransomware, adware or DDoS bot enslavement, to name a few possibilities. While the goal of the malware is still a mystery, there’s no doubt it is a huge danger to Apple users.
We advise Apple users to be aware of any incoming patches or updates that are made available to try and eradicate Silver Sparrow’s infection, and the risk of any further infections. Ensure automatic updates are set on your devices for the updates to be made as soon as they are available.
Windows users have been targeted by a new version of the notorious Masslogger trojan, which is now using a compiled HTML (CHM) file format to start the initial infection chain. Masslogger is spyware designed to swipe victims’ credentials from Microsoft Outlook, Google Chrome and various instant-messenger accounts.
The campaign was discovered in January to be targeting users in Europe. When this particular Masslogger variant launched its infection chain, it disguised its malicious RAR files as Compiled HTML (CHM) files. This is a new move for Masslogger, and helps the malware avoid email security services, which would otherwise block the attachment based on its RAR file extension. This latest campaign involving Masslogger may stem from the Dark Web, as the trojan, which was released last April, has been known to be sold on these underground forums between cyber criminals.
Phishing emails that contained legitimate-looking, business-related subject lines were circulated with the spyware inside. One email, for example, was entitled ‘domestic customer inquiry’ and told the recipient, “At the request of our customer, please send your attached best quotes.” These emails contained RAR attachments, although the filename extension for the files, typically .rar, was switched to .chm by the attackers.
After the active infection process starts, a PowerShell script is executed, which eventually results in the main PowerShell loader infecting the device. Once the credentials from targeted applications are retrieved, they are uploaded to the exfiltration server with a filename containing the username, two-letter country ID, unique machine ID and the timestamp for when the file was created.
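A mail gateway that trusts only the extension is exactly what this lure relies on. As an added example (not Masslogger analysis code from the original), the check below compares an attachment’s claimed extension with the format its leading bytes actually declare, using the well-known RAR (‘Rar!’) and CHM (‘ITSF’) signatures; the sample attachments are constructed byte strings, not real samples.

```python
from typing import Optional

# Leading-byte signatures for the two formats the lure confuses.
MAGIC = {
    "rar": (b"Rar!\x1a\x07\x00",        # RAR 1.5 - 4.x archive
            b"Rar!\x1a\x07\x01\x00"),   # RAR 5 archive
    "chm": (b"ITSF",),                  # Compiled HTML Help
}

def sniff_format(data: bytes) -> Optional[str]:
    """Return 'rar', 'chm', or None based on the file's leading bytes."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None

def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed format.

    'mismatch' is True only when the content is a format we recognise
    and it differs from the extension; unknown formats are not flagged.
    """
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_format(data)
    return {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual is not None and actual != claimed,
    }

# Constructed samples: a RAR header renamed to .chm (the lure), a genuine
# CHM header, and a genuine RAR header with its honest extension.
RENAMED_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 16
GENUINE_CHM = b"ITSF\x03\x00\x00\x00" + b"\x00" * 16
GENUINE_RAR = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("quote_request.chm", RENAMED_RAR),
                       ("manual.chm", GENUINE_CHM),
                       ("archive.rar", GENUINE_RAR)]:
        print(check_attachment(name, blob))
```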
The credentials that Masslogger can log and exfiltrate can bring a business to its knees, with the potential for huge amounts of confidential data to be stolen, and an end result of thousands of pounds worth of damage for businesses.
Neuways advises never engaging with an email that you are suspicious of, that contains unexpected attachments, or that comes from a sender you do not recognise. The prevalence of phishing attacks is on the rise, as cyber criminals have been bombarding businesses with emails and calls over the past 12 months in particular. Don’t be the next business to fall foul of a scam.
A cyber criminal gang known as ScamClub has been taking advantage of a flaw in Apple’s Safari browser to reach over 50 million users with a three-month malicious ad campaign.
The Safari bug, which was patched on 2 December 2020, resulted in malware being pushed to mobile iOS Chrome and macOS desktop browsers. The campaign redirected traffic to scam sites that flogged gift cards, prizes and malware to victims. Versions of Apple’s Safari browser running on macOS Big Sur 11.0.1 and Google’s iOS-based Chrome browser were affected.
The attacks exploited a flaw in the open-source WebKit engine, as the malicious campaign exploited a privilege-escalation vulnerability, tracked as CVE-2021-1801. It’s not known how many victims the campaign claimed or what type of malicious activity the threat actors may have engaged in after the exploit was abused.
The cyber crime gang ScamClub is well known; over the last three years it has hijacked hundreds of millions of browser sessions with malvertising campaigns that redirect users to adult and gift card scams. They typically bombard users by flooding ad-delivery systems, rather than tailoring attacks to a smaller number of recipients.
Over the last 3 months, ScamClub has delivered over 50 million malicious impressions, with as many as 16 million a day – showing the sheer number of potential victims their scams can claim. This type of attack can be difficult for businesses to handle, given the potential number of malicious ads being distributed.
Thankfully, as the flaw behind this most recent exploit has been patched, Apple users need only ensure that they have updated their Safari browser to avoid the latest ScamClub campaign.
An Android app that’s been downloaded more than 1 billion times is riddled with flaws that let attackers hijack app features or overwrite existing files to execute malicious code.
The app is called SHAREit, and allows Android users to share files between friends or devices. Despite the flaws being reported to the app developer three months ago, they remain unpatched at the time of writing.
There are several flaws in the app’s code that give third parties permission to take over legitimate app features, overwrite existing app files or even take over Android storage shared by multiple apps to execute malicious code.
Moreover, third parties can also gain temporary read/write access to the content provider’s data through a flaw in its FileProvider. In this way, malicious apps installed on a device running SHAREit can take over the app to run custom code or install third-party apps without the user knowing.
SHAREit is also susceptible to a Man in The Door (MiTD) attack. This type of attack allows someone to intercept and potentially alter data as it moves between Android external storage and an installed app.
These flaws aren’t the first to be found in SHAREit. Two years ago, two high-severity flaws were discovered in the app that allowed an attacker to bypass the file transfer application’s device authentication mechanism and ultimately download content and arbitrary files from the victim’s device.
It is recommended that people regularly update and patch mobile operating systems and the apps themselves to maintain security on their devices.