FlixOnline – if you too have this app installed, delete it now

A promise of a free two-month Premium Netflix subscription will always find someone willing to save some money. But in this case, some people were surprised with a hijacked WhatsApp and stolen credit card data. While most of our readers were probably smart enough to avoid the FlixOnline app, this scam clearly works on many people. Everything in this campaign was designed to confuse victims and get them to believe they were getting free Netflix for real. A word of advice: there is no easy way to get Netflix for free. Or HBO Max, Disney Plus or anything else.

FlixOnline – this fake Netflix app is hijacking your WhatsApp sessions and stealing credit card data

The FlixOnline app lured users by promising free Netflix Premium subscriptions. Instead of two months of freedom, however, users got mobile malware that hijacked WhatsApp sessions to spread itself.

The Check Point Research team revealed that the malware can capture WhatsApp notifications and take several predefined actions, such as Dismiss or Reply through the Notification Manager.


After FlixOnline is installed on a device, it asks for overlay permissions, which is a common trick to steal service credentials. It also asks for Battery Optimization Ignore, which prevents the device from automatically shutting the app down to save power. Additionally, the app asks for notification permissions to access WhatsApp-related communications.

The attackers' next step? Stealing Netflix credentials and payment data such as credit card numbers. The information is then transmitted to a command-and-control server.

The real problem: safe and sound… and undetected 

The app was available in the Google Play Store for about 2 months and was downloaded nearly 500 times, which is not a bad statistic. More successful and deadly campaigns have certainly been launched within the last 12 months. However, the real problem lies elsewhere: the malware was able to bypass Google Play Store’s app authentication system. In this case, Google Play Store’s built-in protection measures failed entirely.


Looking for a job? Watch out for well-targeted job offers on LinkedIn – it’s malware!

A new spear-phishing campaign is targeting professionals on LinkedIn with weaponized job offers in an attempt to infect targets with a sophisticated backdoor trojan called “more_eggs.”

To increase the odds of success and the open rate, the malicious ZIP archive files are named after the victims’ job titles taken from their LinkedIn profiles. For example, if the LinkedIn member’s position is Account Manager, the malicious ZIP file would be titled Account Manager position (note the ‘position’ added to the end). Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs. Once loaded, the sophisticated backdoor can download additional malicious plugins and provide hands-on access to the victim’s computer, said cybersecurity firm eSentire’s Threat Response Unit in its analysis. Furthermore, it can act as a conduit to retrieve additional payloads from an attacker-controlled server, such as banking trojans, ransomware and credential stealers, and attackers can even use the backdoor as a foothold in the victim’s network to exfiltrate data.

The Trojan also abuses legitimate Windows processes such as WMI to evade detection by traditional AV tools.

Campaigns delivering more_eggs using the same modus operandi have been spotted at least since 2018, with the backdoor attributed to a malware-as-a-service (MaaS) provider called Golden Chickens. The adversaries behind this new wave of attacks remain unknown, although more_eggs has been put to use by various cybercrime groups such as FIN6, Cobalt, and EvilNum in the past.

The group is thought to be taking advantage of the high number of COVID-19 redundancies to spread this email campaign. 


Discord and Slack full of malware – just one network search turned up 20,000 virus results!

Abuse of collaboration applications is not a new phenomenon. Recent changes to employee workflows caused by the COVID-19 pandemic have led to an increased reliance upon communications platforms like Discord and Slack for conducting business. As predicted, they have now been infiltrated by threat actors, who are abusing their legitimate functions to evade security and deliver info-stealers, remote-access trojans (RATs) and other malware.

The malware delivered this way includes various RATs and stealers, such as Agent Tesla, AsyncRAT, Formbook and others.

Why did cybercriminals move to collaboration applications?

One of the key challenges associated with malware delivery is making sure that the files, domains or systems don’t get taken down or blocked. By moving to collaboration apps, attackers have greatly increased the likelihood that the malicious attachment reaches the end user. Slack, Discord and other collaboration app platforms use content delivery networks (CDNs) to store the files shared back and forth within channels. Let’s use Slack as an example. Files can be uploaded to Slack, and users can create external links that allow the files to be accessed, regardless of whether the recipient even has Slack installed. And once the file has evaded detection by security tools, it’s just a matter of getting the employee to think it’s genuine business communication, a task made easier within the confines of a collaboration app channel.

This also means attackers can deliver their malicious payload to the CDN over encrypted HTTPS, and that the files will be compressed, further disguising the content. Over the past year the Talos Intelligence team, which conducted extensive research, observed many common compression formats being used, including .ACE, .GZ, .TAR and .ZIP, and several less common types, like .LZH.

CDNs are also handy tools for cybercriminals to deliver additional malware with multi-stage infection tactics. The researchers saw this behaviour across malware families, adding that one Discord CDN search turned up almost 20,000 results in VirusTotal. This technique was frequently used in campaigns associated with RATs, stealers and other types of malware typically used to retrieve sensitive information from infected systems.

Attackers turned the Discord API into an effective tool to exfiltrate data from the network. The C2 communications are enabled through webhooks, which were developed to send automated messages to a specific Discord server.
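Both behaviours described above, archives pulled from a chat platform's CDN and data posted to a Discord webhook, leave traces in web proxy logs. The detection sketch below is an added example, not code from the researchers; the log layout, the hostnames and the list of expected chat client processes are assumptions to adapt to your own environment.

```python
from urllib.parse import urlsplit

# Assumed hostnames; adjust to what your proxy actually records.
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net", "files.slack.com"}
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}
# Archive types named in the article.
ARCHIVE_EXTS = (".ace", ".gz", ".tar", ".zip", ".lzh")
# Processes expected to talk to these services (assumption).
CHAT_CLIENTS = {"discord.exe", "slack.exe"}

# Constructed sample log: time, client host, process, method, URL.
SAMPLE_LOG = """\
2021-04-12T09:01:11Z ws-014 discord.exe GET https://cdn.discordapp.com/attachments/111/222/notes.png
2021-04-12T09:03:40Z ws-022 winword.exe GET https://cdn.discordapp.com/attachments/333/444/invoice.zip
2021-04-12T09:03:58Z ws-022 powershell.exe POST https://discord.com/api/webhooks/555/EXAMPLE-TOKEN
2021-04-12T09:05:02Z ws-031 chrome.exe GET https://files.slack.com/files/report.LZH
2021-04-12T09:06:10Z ws-031 chrome.exe GET https://example.com/index.html
"""

def classify(line):
    """Return (client, reason) for a line worth reviewing, else None."""
    _ts, client, process, method, url = line.split(maxsplit=4)
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path.lower()
    if process.lower() in CHAT_CLIENTS:
        return None  # traffic from the chat client itself is expected
    # Archive fetched from a chat CDN by something other than the chat client.
    if method == "GET" and host in CDN_HOSTS and path.endswith(ARCHIVE_EXTS):
        return client, f"archive from chat CDN via {process}"
    # Webhook POST from a non-chat process: possible C2 or exfiltration.
    if (method == "POST" and host in WEBHOOK_HOSTS
            and path.startswith("/api/webhooks/")):
        return client, f"webhook POST from {process}"
    return None

def scan(log_text):
    """Classify every non-empty line and collect the hits in order."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line) if line.strip() else None
        if hit:
            hits.append(hit)
    return hits

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(client, reason)
```

Two hits on the same workstation within seconds of each other, as with ws-022 in the sample, fit the multi-stage pattern the researchers describe and would be the first to review.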

How to mitigate the risk?

Most organizations use a large number of communication tools. The most frequently used are email, collaboration and messaging platforms, web conferencing chats, and text messages on phones and tablets. In some cases, users communicate with different or sometimes the same people across multiple platforms. It is tiring and leads to lower awareness of possible risk factors and attack vectors.

What do specialists recommend? Mark Kedgley, CTO at New Net Technologies, proposes focusing on least privilege, as it’s still too common for users to run with local admin rights. Many business solutions provide hardened settings to combat malware and phishing, but not enough organizations make use of them. That is why we should also put security controls in place: change control and vulnerability management.


EtterSilent maldoc builder mimics DocuSign and is used by top cybercriminal gangs

Hackers are using a malicious document builder named ‘EtterSilent’ to run their criminal schemes. As its popularity on underground forums increased, the developer kept improving it to avoid detection from security solutions.

Ads promoting EtterSilent maldoc builder have been published on underground forums, boasting features like bypassing Windows Defender, Windows AMSI (Antimalware Scan Interface), and popular email services, Gmail included. 

It comes in two versions, according to the Intel 471 research. One exploits a vulnerability in Microsoft Office, CVE-2017-8570, and one uses a malicious macro. 

One version of EtterSilent imitates the digital signature product DocuSign or DigiCert, though when targets click through to electronically sign documents, they are prompted to enable macros. This allows the attackers to target victims with malware.

Because it uses Excel 4.0 XML macros, EtterSilent does not depend on the Visual Basic for Applications (VBA) programming language, which is commonly seen with malicious macros.

Last month EtterSilent was used in a campaign that leveraged another tool, called Bazar loader. In a previous campaign that used EtterSilent, attackers dropped an updated version of Trickbot, a banking trojan. Others, using the banking trojans BokBot, Gozi ISFB and QBot, have also used EtterSilent, Intel 471 notes.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. PHP Site’s User Database Was Hacked In Recent Source Code Backdoor Attack (The Hacker News)
2. Voice-Changing Software Found on APT Attackers’ Server (Dark Reading)
3. Cisco fixes bug allowing remote code execution with root privileges (Bleeping Computer)
4. SAP warns of malicious activity targeting unpatched systems (MalwarebytesLAB)
5. Data of 553m Facebook users dumped online: how to see if you are impacted (ZDNet)
6. Microsoft Teams, Exchange Server, Windows 10 Hacked in Pwn2Own 2021 (Dark Reading)
7. Digging Into the Third Zero-Day Chrome Flaw of 2021 (TripWire)
8. HTML Lego: Hidden Phishing at Free JavaScript Site (TrustWave)
9. Google Chrome blocks port 10080 to stop NAT Slipstreaming attacks (Bleeping Computer)
10. Facebook data leak now under EU data regulator investigation (Bleeping Computer)