Look out America! FluBot, the newest SMS phishing scam, is coming for you next

Most SMS scams are plain phishing: they try to trick the user into filling in a form with valuable credentials. FluBot goes a step further. This new banking malware, described in today’s Security Center issue, installs malicious software on the phone itself and then uses the device to spread to the victim’s contacts. Even if the success rate of the campaign is low, the sheer volume of SMS being sent out makes it very profitable for the threat actors. Who is behind this most ‘successful’ smishing campaign? How dangerous is FluBot really? Read the post below, and don’t click on suspicious links or install applications from untrusted sources.

FluBot, a new Android banking malware, spreads across Europe – the USA is likely its next target!

FluBot is a banking malware distributed primarily via SMS phishing (smishing). The messages masquerade as notifications from delivery services such as FedEx, DHL and Correos about a package or shipment, and include a link to “track” the order. Clicking it downloads a malicious app with the encrypted FluBot module embedded in it.

Once installed, FluBot tracks which applications are launched on the device and overlays the login screens of financial apps with specially crafted look-alike pages fetched from an attacker-controlled server, in order to hijack credentials. By abusing the Android Accessibility Service it also harvests contact lists, messages, calls and notifications.

FluBot began operating late last year; campaigns in Spain infected more than 60,000 users, and the malware is said to have harvested more than 11 million phone numbers from those devices, roughly 25% of Spain’s population. It has since branched out to the U.K., Germany, Hungary, Italy and Poland, and the U.S. is likely to be the next target.

German- and English-language SMS messages have already been observed reaching U.S. users from European numbers, which analysts suspect is the malware propagating through the contact lists stored on compromised phones.

Cause and effect

Although Spanish authorities arrested four suspects believed to be behind the FluBot campaign last month, infections have since picked up, and the campaign will soon reach beyond Europe. Let’s not delude ourselves: as long as there are users willing to trust an unexpected SMS and to download and install an untrusted application, there will be consequences like this. Always.


RotaJakiro – stealthy malware spotted after three years of minding your business

A previously undocumented, stealthy Linux backdoor has managed to stay under the radar for about three years, letting its operators harvest and exfiltrate sensitive information from infected systems.

Dubbed “RotaJakiro” by researchers from Qihoo 360 NETLAB, the backdoor targets Linux x64 machines and is so named because “the family uses rotate encryption and behaves differently for root/non-root accounts when executing.”

Four samples have been identified so far, all using the same C2 servers, and all remain undetected by most anti-malware engines. The earliest dates back to 2018; as of writing, only seven security vendors flag the latest version as malicious.

Researchers explain that RotaJakiro first determines at run time whether it is running as root or as an unprivileged user and applies a different execution policy to each. It then decrypts the resources it needs using AES and a ROTATE scheme, sets up persistence, process guarding and single-instance locking, and finally establishes communication with the C2 and waits for commands.

RotaJakiro is designed with stealth in mind, using a mix of cryptographic algorithms to encrypt its communications with the command-and-control server. It supports 12 functions that gather device metadata, steal sensitive information, perform file operations, and download and execute plug-ins pulled from the C2 server.

Researchers noticed that RotaJakiro shares some stylistic similarities with the Torii botnet, but there is no clear evidence of a connection yet.


Google Chrome with bugs allowing Remote Code Execution

Google’s Chrome browser has several security vulnerabilities that could pave the way to multiple types of attacks. Among them is a V8 bug that could allow remote code execution (RCE) within a user’s browser.

The search giant does not say much about this high-severity V8 issue (CVE-2021-21227), describing it only as “insufficient data validation in V8”.

The bug is somewhat mitigated by the fact that on its own it does not escape Chrome’s sandbox, so an attacker exploiting it cannot reach other programs, data or applications on the computer. To do damage beyond the browser itself, it would most likely have to be chained with a separate sandbox-escape bug.

Gengming Liu, the researcher who discovered the bug, noted that it is related to two prior, now-patched V8 vulnerabilities (CVE-2020-16040 and CVE-2020-15965). One allows a remote attacker to trigger heap corruption when a user visits a specially crafted web page; the other is a type-confusion bug that can lead to out-of-bounds memory access, also triggered by a crafted HTML page.

According to another advisory, the impact of an attack using this bug depends on the privileges of the browser process. Worst case: an attacker could view, change or delete data.

The release contains nine security fixes; the externally reported bugs are tracked as CVE-2021-21227 through CVE-2021-21233. They affect Chrome and possibly other browsers built on the Chromium framework, such as Microsoft Edge.

Google has addressed the flaws in its latest Stable channel release (90.0.4430.93) for Windows, Mac and Linux. The Chrome 90 update will roll out over the coming days and weeks, the search giant said.


Linux kernel vulnerability exposes stack memory and causes data leaks

An information disclosure security vulnerability has been discovered in the Linux kernel, which can be exploited to expose information in the kernel stack memory of vulnerable devices.

The bug, tracked as CVE-2020-28588, exists in the /proc/<pid>/syscall functionality of the Linux kernel on 32-bit ARM devices. It arises from an improper conversion of numeric values when the file is read, which lets an attacker view kernel stack memory.

According to Cisco Talos, the issue was first found on a device running Azure Sphere. To exploit it, an attacker simply reads the syscall entry under /proc, the pseudo-filesystem that exposes kernel data structures to userspace.

On a vulnerable kernel, reading that procfs entry returns 24 bytes of uninitialized kernel stack memory along with the legitimate values. Kernel pointers left on the stack can thus be recovered, which defeats Kernel Address Space Layout Randomization (KASLR).

What is KASLR? KASLR is an exploit-mitigation technique that randomizes where the kernel and its data are placed in memory at boot, so that an attacker cannot rely on predictable addresses. A leak of kernel stack contents that includes pointers hands those addresses back.

Cisco Talos’ proof of concept is three shell commands. The first, run as root, disables ASLR so that the process’s own register values in the output stay constant; the second reads /proc/self/syscall in a loop and prints only lines that change; the third, in a second terminal, keeps another process busy so the kernel stack is constantly rewritten. With ASLR off, any variation uniq shows comes from the uninitialized stack bytes rather than from the reading process itself:

# echo 0 > /proc/sys/kernel/randomize_va_space   # as root: turn off ASLR for the test
$ while true; do cat /proc/self/syscall; done | uniq   # terminal 1: read the entry, print only changed lines
$ while true; do free &>/dev/null; done   # terminal 2: keep churning kernel stack contents

According to the researchers, the attack cannot be detected remotely on the network, since the only thing that happens is a legitimate Linux operating system file being read.
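To make the bug class concrete, here is an added example in C. It is not the kernel’s code and not part of the Talos advisory; it models the “improper conversion of numeric values” and the 24-byte figure described above. On 32-bit ARM the six syscall arguments come back as 32-bit registers, but the caller’s buffer has 64-bit slots. Filling the 64-bit array through a 32-bit-wide copy writes only the first 24 of its 48 bytes and leaves the rest holding whatever was on the stack; the fixed pattern widens each value individually. The struct and function names are simplified stand-ins (assumptions, not kernel identifiers), uint32_t stands in for a 32-bit unsigned long so the example behaves the same on a 64-bit host, and a sentinel value models the stale stack contents so the result is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NARGS 6

/* Simplified stand-in for the kernel structure holding a task's current
 * syscall: the argument slots are 64 bits wide even on a 32-bit kernel.
 * Hypothetical layout for illustration, not the kernel's definition. */
struct syscall_info {
    int nr;
    uint64_t args[NARGS];            /* 48 bytes */
};

/* Emulates the 32-bit arch helper: it hands back six 32-bit register values,
 * one per native word, into whatever buffer the caller points it at. */
static void get_args_32(const uint32_t regs[NARGS], void *dst)
{
    memcpy(dst, regs, NARGS * sizeof(uint32_t));   /* writes 24 bytes */
}

/* Vulnerable pattern: the 64-bit array is handed to the helper as if it were
 * an array of native 32-bit words. Only 24 of its 48 bytes are written, so
 * args[3..5] keep whatever the stack held before, and args[0..2] each end up
 * with two register values packed together. */
static void collect_vulnerable(struct syscall_info *info, const uint32_t regs[NARGS])
{
    get_args_32(regs, info->args);
}

/* Fixed pattern: fetch into a correctly typed local array, then widen each
 * value individually so every 64-bit slot is fully initialised. */
static void collect_fixed(struct syscall_info *info, const uint32_t regs[NARGS])
{
    uint32_t native[NARGS];
    get_args_32(regs, native);
    for (int i = 0; i < NARGS; i++)
        info->args[i] = native[i];
}

/* Count the slots that still hold the sentinel used to model stale stack
 * contents. Any nonzero count is data that would reach userspace through
 * /proc/<pid>/syscall. */
static int stale_slots(const struct syscall_info *info, uint64_t sentinel)
{
    int n = 0;
    for (int i = 0; i < NARGS; i++)
        if (info->args[i] == sentinel)
            n++;
    return n;
}

/* Runs both collectors against the same constructed register set and returns
 * how many stale (leaked) slots the vulnerable path leaves behind. */
static int leaked_slots_demo(struct syscall_info *vuln, struct syscall_info *fixed)
{
    /* Constructed sample: a read(3, buf, 1024) as seen in six ARM registers. */
    const uint32_t regs[NARGS] = { 3, 0xbefff000u, 1024, 0, 0, 0 };
    const uint64_t stale = 0xdeadbeefcafebabeULL;   /* models uninitialised stack */

    for (int i = 0; i < NARGS; i++) {
        vuln->args[i] = stale;
        fixed->args[i] = stale;
    }
    vuln->nr = fixed->nr = 3;

    collect_vulnerable(vuln, regs);
    collect_fixed(fixed, regs);
    return stale_slots(vuln, stale);
}

int main(void)
{
    struct syscall_info vuln, fixed;
    int leaked = leaked_slots_demo(&vuln, &fixed);

    printf("vulnerable path: %d of %d slots (%d bytes) are stale stack data\n",
           leaked, NARGS, leaked * (int)sizeof(uint64_t));
    for (int i = 0; i < NARGS; i++)
        printf("  args[%d]  vulnerable=0x%016llx  fixed=0x%016llx\n", i,
               (unsigned long long)vuln.args[i], (unsigned long long)fixed.args[i]);
    return 0;
}
```

The vulnerable path leaves three 64-bit slots, exactly 24 bytes, untouched, and also misreports the first three arguments because two 32-bit registers land in each slot; the fixed path produces the six values the process actually passed. The same shape of bug appears whenever a buffer is filled through a pointer of a different width than the one used to read it back, so the check to apply in review is that the element type written equals the element type printed.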

Security patch updates available

Linux kernel versions 5.10-rc4, 5.4.66 and 5.9.8 are impacted, and a patch was merged on December 3 to address the bug. Users are urged to update to a fixed kernel build.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Nvidia Warns: Severe Security Bugs in GPU Driver, vGPU Software (Threat Post)
2. Emotet Malware Uninstalled From Infected Devices (Dark Reading)
3. Apple Patches Serious MacOS Security Flaw (Dark Reading)
4. NTLM Relay Attack Abuses Windows RPC Protocol Vulnerability (Security Week)
5. Microsoft Teams worldwide outage impacts user logins, chats (Bleeping Computer)
6. Vulnerabilities in Eaton Product Can Allow Hackers to Disrupt Power Supply (Security Week)
7. Password manager hijacked to deliver malware in supply chain attack (Malwarebytes Labs)
8. GitHub blocks Google FLoC tracking (ZDNet)
9. ‘BadAlloc’ Flaws Could Threaten IoT and OT Devices: Microsoft (Dark Reading)
10. QNAP warns of AgeLocker ransomware attacks on NAS devices (Bleeping Computer)