GravityRAT malware – a great return? Now also targets Android and macOS users

Welcome to the next episode of the Xopero Security Center! GravityRAT is no longer just a Windows malware. New samples reveal that the latest variant also targets Android and macOS devices. What does this mean for cybersecurity professionals? Before we answer that: there is a new Chrome 0-day under active attack. Check the news below.

New Chrome 0-day Under Active Attacks – Update Your Browser Now

Attention please! If you use the Google Chrome browser on Windows, Mac, or Linux, you need to update it immediately.

Google released Chrome version 86.0.4240.111 to patch several high-severity security issues, including a zero-day vulnerability that attackers have exploited in the wild to hijack targeted computers.

Tracked as CVE-2020-15999, the flaw is a memory-corruption bug (a heap buffer overflow) in FreeType, a popular open source font-rendering library that ships bundled with Chrome.

A researcher from Project Zero, one of Google’s internal security teams, urged other app vendors that use the same FreeType library to update their software as well, in case the threat actor decides to shift attacks to other apps. A patch for this bug is included in FreeType 2.10.4, released last week.

Chrome users should update to v86.0.4240.111 via the browser’s built-in update function (see Chrome menu, Help option, and About Google Chrome section).
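A fleet-wide check for this update, as an added example (not Google’s tooling and not from the original article): the point worth seeing is that Chrome’s four-part version numbers must be compared numerically, because a plain string comparison puts 86.0.4240.75 after 86.0.4240.111. The inventory format and the host lines are constructed for the demonstration.

```python
# Added example: flag hosts whose Chrome build predates the CVE-2020-15999 fix.
FIXED_VERSION = "86.0.4240.111"   # first Chrome build carrying the fix (from the article)


def parse_version(text):
    """'86.0.4240.75' -> (86, 0, 4240, 75); tuples of ints compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed build is older than the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def hosts_needing_update(inventory_csv, fixed=FIXED_VERSION):
    """inventory_csv: lines of 'hostname,chrome_version' (format assumed here).

    Returns the sorted hostnames still running a vulnerable build.
    """
    out = []
    for line in inventory_csv.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = (field.strip() for field in line.split(",", 1))
        if is_vulnerable(version, fixed):
            out.append(host)
    return sorted(out)


# Constructed sample inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = """\
# host,chrome version
ws-01,86.0.4240.75
ws-02,86.0.4240.111
ws-03,85.0.4183.121
ws-04,86.0.4240.183
"""

if __name__ == "__main__":
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```

Lexicographic comparison ("86.0.4240.75" < "86.0.4240.111" is False) is the bug that silently reports a vulnerable host as patched; always split on the dots and compare integers.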

The biggest DDoS attack ever stopped

Google has revealed a nation-state DDoS campaign against it, originating from China, that may have been the biggest attack of its kind ever recorded. The 2.5 Tbps DDoS struck in September 2017 but was made public for the first time on Friday, 16 October. “Despite simultaneously targeting thousands of our IPs, the attack had no impact. The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to us,” explained Google’s security team. This is a reflection and amplification attack: the attacker’s requests carry spoofed Google source addresses, so the reflectors’ much larger replies are delivered to Google rather than to the attacker.
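What that traffic looks like from the victim’s side, as an added example (not Google’s code): the victim never sees the spoofed requests, only replies whose source port belongs to a reflection service, so the detection keys on inbound flows by protocol and source port, counts distinct reflectors and packet rate, and flags the service. The flow record layout, the thresholds and the sample records are assumptions made for the demonstration, using RFC 5737 documentation addresses.

```python
import ipaddress
from collections import defaultdict

# Reflection services named in the article, keyed by (protocol, source port of the reply).
AMPLIFIERS = {("udp", 389): "CLDAP", ("udp", 53): "DNS", ("tcp", 25): "SMTP"}


def summarize_reflection(flows, victim_net, window_s, min_reflectors=3, min_pps=1000):
    """Aggregate inbound flows per reflection service and flag a reflected flood.

    flows: (src_ip, src_port, dst_ip, proto, packets) records seen in one window
           (assumed layout). Thresholds are assumptions for the demo.
    Returns {service: {"reflectors": n, "pps": rate, "flagged": bool}}.
    """
    victim = ipaddress.ip_network(victim_net)
    stats = defaultdict(lambda: {"reflectors": set(), "packets": 0})
    for src_ip, src_port, dst_ip, proto, packets in flows:
        service = AMPLIFIERS.get((proto, src_port))
        if service is None or ipaddress.ip_address(dst_ip) not in victim:
            continue  # not a reply from a known amplifier, or not aimed at us
        stats[service]["reflectors"].add(src_ip)
        stats[service]["packets"] += packets
    summary = {}
    for service, s in stats.items():
        pps = s["packets"] / window_s
        n = len(s["reflectors"])
        summary[service] = {"reflectors": n, "pps": pps,
                            "flagged": n >= min_reflectors and pps >= min_pps}
    return summary


# Constructed 10-second sample: five CLDAP reflectors answering towards 192.0.2.10,
# one ordinary DNS reply and one HTTPS flow that is not reflection traffic at all.
SAMPLE_FLOWS = [
    ("203.0.113.%d" % i, 389, "192.0.2.10", "udp", 20_000) for i in range(1, 6)
] + [
    ("198.51.100.7", 53, "192.0.2.10", "udp", 500),
    ("198.51.100.9", 443, "192.0.2.10", "tcp", 300),
]

if __name__ == "__main__":
    for service, s in summarize_reflection(SAMPLE_FLOWS, "192.0.2.0/24", 10).items():
        print(service, s)
```

The two signals together matter: many distinct sources on one service port is what separates a reflected flood from a single busy resolver, and the packet rate is what separates it from background noise. Mitigation follows from the same observation: replies from CLDAP or DNS that nobody on the victim network asked for can be rate-limited at the edge.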


GravityRAT malware now also targets Android and macOS devices

GravityRAT is a malware strain known for checking the CPU temperature of Windows computers to avoid being executed in sandboxes and virtual machines. Its operators are no longer focused on the Windows environment: the newest variant can also infect Android and macOS devices.

The malware is distributed through trojanized clones of legitimate apps that act as downloaders for the GravityRAT payloads. The tainted app can steal contacts, emails, and documents from the infected device and send them back to the command-and-control server. The crooks have also started signing the apps digitally to make them look more legitimate.

The spyware collects information about the system and supports multiple features. GravityRAT:

  • searches for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and uploads them to the server,
  • gets a list of running processes,
  • intercepts keystrokes,
  • takes screenshots,
  • executes arbitrary shell commands,
  • records audio (not implemented in this version),
  • scans ports.


Vizom – this new malware disguises itself as popular videoconferencing software to hijack your bank account

Vizom disguises itself as popular videoconferencing software and uses remote overlay attacks to hijack bank accounts through online financial services.

Researchers from IBM discovered that the malware uses interesting tactics to stay hidden and to compromise user devices in real time, namely remote overlay techniques and DLL hijacking.

Once the malware has landed on a vulnerable Windows PC, Vizom first drops its files into the AppData directory to begin the infection chain. Using DLL hijacking, the malware forces the loading of its malicious DLLs by giving its own Delphi-based variants the file names that the legitimate software expects to find in its directory. The operating system is thereby tricked into loading Vizom’s DLL into the process of a legitimate videoconferencing executable. The DLL is named Cmmlib.dll, a file associated with Zoom.

To make sure that its code runs from “Cmmlib.dll”, the malware’s author copied the real export list of the legitimate DLL but modified it so that every exported function points at the same address.
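What that copied export table looks like to a parser, as an added example (not Vizom’s code and not Zoom’s Cmmlib.dll): a minimal PE export-table reader plus a check that flags a DLL whose named exports all resolve to one address. The build_minimal_dll helper fabricates a tiny headers-only PE32 DLL with made-up export names so the check can run offline; it stands in for a real binary and is an assumption of the demo.

```python
import struct

# Added example: read a PE export directory and flag a table whose named exports
# all point at one RVA, the tell-tale of an export list copied from another DLL.


def build_minimal_dll(export_names, func_rvas):
    """Fabricate a headers-only PE32 DLL whose single section holds an export directory."""
    n = len(export_names)
    sect_rva, sect_off = 0x1000, 0x200
    funcs_rva = sect_rva + 40                 # the export directory itself is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings, name_rvas, cur = b"", [], ords_rva + 2 * n
    for name in export_names:
        name_rvas.append(cur)
        strings += name.encode() + b"\0"
        cur += len(name) + 1
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    body += struct.pack("<%dI" % n, *func_rvas)       # AddressOfFunctions
    body += struct.pack("<%dI" % n, *name_rvas)       # AddressOfNames
    body += struct.pack("<%dH" % n, *range(n)) + strings   # AddressOfNameOrdinals + strings
    body += b"\0" * (-len(body) % 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * 64   # e_lfanew = 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94       # PE32 magic; DataDirectory at +96
    opt += struct.pack("<II", sect_rva, len(body))    # DataDirectory[0] = export table
    opt = opt.ljust(224, b"\0")
    sect = b".edata".ljust(8, b"\0") + struct.pack("<IIII", len(body), sect_rva, len(body), sect_off)
    headers = (dos + coff + opt + sect.ljust(40, b"\0")).ljust(sect_off, b"\0")
    return headers + body


def pe_exports(data):
    """Return {name: rva} for the named exports of a PE32/PE32+ image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    exp_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]
    if exp_rva == 0:
        return {}
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]                # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)

    def off(rva):
        for vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rva - vaddr + rawptr
        raise ValueError("RVA %#x is outside every section" % rva)

    nfuncs, nnames, funcs, names, ords = struct.unpack_from("<IIIII", data, off(exp_rva) + 20)
    func_rvas = struct.unpack_from("<%dI" % nfuncs, data, off(funcs))
    name_rvas = struct.unpack_from("<%dI" % nnames, data, off(names))
    ordinals = struct.unpack_from("<%dH" % nnames, data, off(ords))   # indexes into func_rvas
    exports = {}
    for name_rva, ordinal in zip(name_rvas, ordinals):
        start = off(name_rva)
        exports[data[start:data.index(b"\0", start)].decode()] = func_rvas[ordinal]
    return exports


def collapsed_export_table(data, min_exports=2):
    """Return (shared_rva, names) if every named export points at one address, else None."""
    exports = pe_exports(data)
    if len(exports) < min_exports or len(set(exports.values())) != 1:
        return None
    return next(iter(exports.values())), sorted(exports)


# Constructed samples with made-up export names: one copied table, one normal table.
NAMES = ["CmmCreate", "CmmProcess", "CmmDestroy"]
HIJACKED = build_minimal_dll(NAMES, [0x2000, 0x2000, 0x2000])
BENIGN = build_minimal_dll(NAMES, [0x2000, 0x2100, 0x2200])

if __name__ == "__main__":
    print("hijacked:", collapsed_export_table(HIJACKED))
    print("benign:", collapsed_export_table(BENIGN))
```

A DLL that advertises the full export list of a library but backs every name with one function cannot be serving those callers; any caller that reaches a non-entry export would land in the same code. The check is cheap to run over a directory of DLLs next to a trusted application, and in production you would also want to compare the export names against the vendor’s genuine binary and inspect the file’s signature.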

A dropper then launches zTscoder.exe via the command prompt, and a second payload, a Remote Access Trojan (RAT), is fetched from a remote server. To establish persistence, browser shortcuts are tampered with so that, whichever browser the user launches, the malicious code runs in the background.

The malware then quietly waits for any sign that an online banking service is being accessed. If a webpage’s title matches Vizom’s target list, the operators are alerted and can connect remotely to the compromised PC.

The first active campaign has been spotted across Brazil. 


Ransomware group makes splashy $20K donation to charities in tricky Robin Hood style

The cybercriminal gang DarkSide sent $20K in donations to charities in a ‘Robin Hood’ effort that is likely intended to draw attention to future data dumps, according to experts.

The DarkSide group has distinguished itself not by technical innovation but by slapping a shiny corporate veneer on its attacks. The latest evolution in DarkSide’s ransomware-as-a-corporation gimmick is a hefty $20,000 donation, paid from stolen Bitcoin, to two charitable organizations, The Water Project and Children International, which the group then announced in a press release of all things.

Steal from the rich, give to the poor tactic

DarkSide has devoted much of its time to trying to carve out a position as an altruistic, digital Robin Hood.

“As we said in the first press release — we are targeting only large, profitable corporations,” the group wrote. “We think it’s fair that some of the money they’ve paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped change someone’s life.”

Digital Shadows has been tracking DarkSide since it surfaced last August, and a recent report pointed out that its tactics follow typical ransomware patterns. The exception is its choice of targets: the group tries to differentiate itself by vowing not to attack organizations such as schools, hospitals or governments, focusing instead on companies selected by revenue. It uses customized ransomware for each attack.

The ransomware executes a PowerShell command that deletes the volume shadow copies on the system, removing the easiest local recovery path. DarkSide then terminates various databases, applications, and mail clients so that their files are not locked during encryption. A personalized ransom note is then issued to the breached company, with details of the type of data stolen and a link to the group’s leak site, where the data will be published if the ransom is not paid.
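Shadow-copy deletion is the most detectable step of that sequence, so here is a detection sketch over process command lines, as an added example (not DarkSide’s code and not from the article). It matches the usual vssadmin, wmic and WMI forms and, because PowerShell is often launched with an encoded command, decodes a -EncodedCommand argument before matching. The log layout, the WMI one-liner used to build the encoded sample and the host names are constructed for the demonstration.

```python
import base64
import re

# Added example: spot shadow-copy deletion in process-creation logs, including
# the case where the command is hidden behind PowerShell's -EncodedCommand.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\s*\(", re.I | re.S),
    re.compile(r"Remove-WmiObject.*Win32_ShadowCopy", re.I | re.S),
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand; base64 follows it.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def shadow_copy_deletion(cmdline):
    """Return the matched text if cmdline (decoded if needed) deletes shadow copies."""
    candidates = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        candidates.append(decoded)
    for text in candidates:
        for pattern in SHADOW_DELETE_PATTERNS:
            m = pattern.search(text)
            if m:
                return m.group(0)
    return None


def scan_process_log(lines):
    """lines: 'timestamp|host|command line' (assumed layout). Returns [(ts, host, evidence)]."""
    hits = []
    for line in lines:
        ts, host, cmd = line.split("|", 2)
        evidence = shadow_copy_deletion(cmd)
        if evidence:
            hits.append((ts, host, evidence))
    return hits


def encode_ps(script):
    """Build PowerShell's -EncodedCommand form; used only to construct the sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample log: a plain vssadmin deletion, an encoded WMI deletion, and a benign line.
SAMPLE_LOG = [
    "2020-10-20T10:01:02|fs01|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2020-10-20T10:01:05|fs01|powershell.exe -nop -w hidden -enc "
    + encode_ps("Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"),
    "2020-10-20T10:02:00|ws07|powershell.exe -c Get-Date",
]

if __name__ == "__main__":
    for hit in scan_process_log(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

The decoding step is the part that matters in practice: a rule that only inspects the raw command line never sees the WMI call, and a rule that fires on every encoded PowerShell invocation drowns in noise. Decode first, then apply the same patterns to both forms, and treat any hit as an incident rather than an alert to triage later, because encryption follows within minutes.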

This latest ‘donation’ effort by DarkSide is just an attempt to improve its public image. If ransomware operators truly cared about making the world a better place, they would stop extorting victims (especially hospitals and labs), not make donations that charities won’t even accept.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. BazarLoader phishing lures: plan a Halloween party, get a bonus and be fired in the same afternoon (InfoSec Handlers Diary Blog)
2. Botnet Infects Hundreds of Thousands of Websites (Dark Reading)
3. Microsoft Teams Phishing Attack Targets Office 365 Users (Threat Post)
4. New Windows RAT can be controlled via a Telegram channel (ZDNet)
5. Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns (Dark Reading)
6. Emotet Returns: Here’s a Quick Look into new ‘Windows Update’ attachment (E-Hacking News)
7. Microsoft says it took down 94% of TrickBot’s command and control servers (ZDNet)
8. QNAP warns of Windows Zerologon flaw affecting some NAS devices (Bleeping Computer)
9. Microsoft issues two emergency Windows patches (WeLiveSecurity)
10. Game Titles Watch Dogs: Legion, Albion Both Targeted by Hackers (Threat Post)