Joker malware / The end of REvil / New Windows Print Spooler vulnerability

There are a few disturbing “returns” in this Security Center release. Let’s start with Joker malware, which has appeared again on Google Play. So far, 1,800 malicious applications have been removed from the marketplace. The new variant evades security mechanisms much more effectively, both those built into the device and the Play Protect scanners. So be careful when installing new applications. Another interesting piece of news: media all over the world are wondering if this is the end of REvil. In recent days, the world’s largest ransomware gang has mysteriously disappeared from the web. The next weeks will show if it’s for good. As it turns out, the Windows Print Spooler problem is still with us, this time with even worse repercussions. A new vulnerability, which Microsoft is warning about, could be exploited to perform unauthorized actions on the system. You can find the details below.

The updated Joker malware is back on Google Play – consumers and enterprises alike at risk

Joker has been around since 2017, disguising itself within common, legitimate apps like camera apps, games, messengers, photo editors, translators, and wallpapers. More than 1,800 Android applications infected with Joker have been removed from the Google Play store in the last four years. 

Once installed, Joker apps silently simulate clicks and intercept SMS messages to subscribe victims to unwanted, paid premium services controlled by the attackers. The apps also steal SMS messages, contact lists, and device information.

The developers of the latest versions of Joker are taking advantage of legitimate developer techniques to evade both device-based security and app store protections.

They use Flutter, which is an open-source app development kit designed by Google that allows developers to craft native apps for mobile, web, and desktop from a single codebase. Due to the commonality of Flutter, even malicious application code will look legitimate and clean.

Another anti-detection technique lately adopted by Joker’s developers is the practice of embedding the payload as a .DEX file that can be obfuscated in different ways, such as being encrypted with a number or hidden inside an image using steganography. In the latter case, the image is sometimes hosted in legitimate cloud repositories or on a remote command-and-control (C2) server.

Other new behavior includes using URL shorteners to hide the C2 addresses and using a combination of native libraries to decrypt an offline payload.

The malware also takes extra precautions to remain hidden after a trojanized app is installed.


Police seized an illegal cryptomining farm using thousands of PS4s and GPUs

The Security Service of Ukraine (SBU) has shut down an illegal cryptomining farm operating at an extensive scale. According to the official report, the miners were performing their malicious activities from a utility room at a local electricity provider.

Image: SBU

When the authorities raided the illegal cryptomining farm, the officials seized nearly 5,000 hardware units, including 500 GPUs, 3,800 PlayStation 4 gaming consoles, 50 CPUs, mobile phones, flash drives, notepads, and documents.

The perpetrators had illegally plugged into the power grid, which could have caused a complete blackout in entire blocks of the city. Stolen electricity amounted to roughly $259,300 monthly.

Another notable cryptocurrency farm plot

Back in 2019, Chinese law enforcement uncovered cables hidden in fish ponds that were used to connect to an oil rig’s electrical grid. Active Bitcoin (BTC) rigs were found hidden in a shed after drones were deployed to track down the perpetrator.


The end of REvil? The world’s biggest ransomware gang mysteriously disappears from the internet

One of the most prolific ransomware gangs in the world suddenly disappeared from the internet on Tuesday morning. REvil servers mysteriously went dark just days after President Biden demanded that Russian President Putin shut down ransomware groups attacking American targets, and a day before senior officials from the White House and Russia are scheduled to meet to discuss the global ransomware crisis.

This situation suggests that REvil (a.k.a. Sodin or Sodinokibi) was indeed a Russian-linked group. There were other signs of this: REvil is a Russian-speaking group, the malware they write avoids Russian computers, and they are linked to other groups believed to be inside Russia.

There are rumors that REvil server infrastructure received a government legal request forcing REvil to completely erase server infrastructure and disappear. But it’s not confirmed.

Long story short, here is the REvil portfolio. The ransomware crew known as REvil has existed for years in the booming cybercrime underground. A whopping 42% of all recent ransomware attacks trace back to this gang. For years they have used a range of techniques (malvertising, double extortion, auctioning other malware, and more) and business models. One of the most profitable was Ransomware-as-a-Service, where they quickly became a market leader, breaking the bank.

The famous victims of REvil range from Madonna, Drake, and Lady Gaga, through Donald Trump, to the biggest corporations: Acer, Quanta Computer, JBS, and more. Xopero Security Center has alerted you to some of them; read some of the stories below.

Recently the REvil ransomware gang encrypted 60 MSPs and over 1,500 individual businesses using a zero-day vulnerability in the Kaseya VSA software. They demanded a $70 million ransom and later dropped the price to $50 million. That was probably the flashpoint that led to their shutdown.

Time to pop the champagne? Well, we wouldn’t celebrate so fast. When ransomware groups shut down, the operators and affiliates commonly rebrand as a new operation and continue performing ransomware attacks. This was seen in the past when GandCrab shut down and many of its members relaunched as REvil. And we must remember that shutting down the group doesn’t eliminate ransomware itself. So it’s definitely a developing story.

Xopero Security Center warns against REvil

  1. Ongoing REvil attack on Kaseya crisis: fake security update drops Cobalt Strike
  2. US nuclear weapons contractor hit by REvil ransomware
  3. REvil ransomware’s new Linux encryptor targets ESXi virtual machines
  4. REvil ransomware gang ‘acquires’ KPOT malware
  5. eBay for cybercriminals – REvil ransomware operators started auctioning victims data
  6. Madonna, Drake, Lady Gaga and other celebrities’ data taken in the REvil ransomware attack

Sources 1 | 2

Microsoft warns of new Windows Print Spooler vulnerability. Disable now!

Microsoft shared fresh guidance on yet another vulnerability affecting the Windows Print Spooler service, stating that it’s working to address it in an upcoming security update.

Tracked as CVE-2021-34481 (CVSS score: 7.8), the issue concerns a local privilege escalation flaw that could be abused to perform unauthorized actions on the system. The company credited security researcher Jacob Baines for discovering and reporting the bug.

“An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges […] An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.” – says Microsoft in its advisory.

However, successful exploitation of the vulnerability requires the attacker to already be able to execute code on the victim system, so it needs local access. Thus, it is not the same as the recent PrintNightmare flaw, which could be exploited remotely.

Not much is known at this time about the vulnerability, including which versions of Windows are vulnerable and whether it is printer driver-related.

While Microsoft has not yet released security updates to address this flaw, it has provided a mitigation that admins can use to block attackers from exploiting the vulnerability.

At this time, the available option is to disable the Print Spooler service on a vulnerable device with PowerShell commands: 

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Please note that once you disable the print spooler on a device, the device will no longer print to a local or remote printer.
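As an added example (not part of the original post or Microsoft’s guidance), the following PowerShell script wraps the two commands above in a function that checks the service state before acting and verifies the result afterwards, plus a function to restore printing once the fix ships. It assumes an elevated PowerShell session; the function names are our own.

```powershell
# Added example: apply and verify the Print Spooler mitigation for CVE-2021-34481.
# Run from an elevated (Administrator) PowerShell session.

function Get-SpoolerState {
    # Win32_Service exposes both the runtime state and the configured start mode.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    [pscustomobject]@{
        Status    = $svc.State       # Running / Stopped
        StartMode = $svc.StartMode   # Auto / Manual / Disabled
    }
}

function Disable-Spooler {
    $before = Get-SpoolerState
    if ($before.Status -eq 'Running') {
        # Same command as in the advisory; -Force also stops dependent services.
        Stop-Service -Name Spooler -Force
    }
    # Prevent the service from coming back after a reboot.
    Set-Service -Name Spooler -StartupType Disabled

    # Verify rather than assume: a failed stop or a GPO override would leave the host exposed.
    $after = Get-SpoolerState
    if ($after.Status -ne 'Stopped' -or $after.StartMode -ne 'Disabled') {
        throw "Print Spooler mitigation NOT applied: state=$($after.Status) start=$($after.StartMode)"
    }
    Write-Host "Print Spooler stopped and disabled. Local and remote printing is now unavailable."
    return $after
}

function Enable-Spooler {
    # Reverse the mitigation after the security update has been installed.
    Set-Service -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
    return Get-SpoolerState
}

# Usage: Disable-Spooler today; Enable-Spooler once the patch is confirmed installed.
Disable-Spooler
```

Get-SpoolerState alone is useful on its own as a quick audit check across a fleet: any host reporting a start mode other than Disabled has not yet received the mitigation.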

Sources 1 | 2

Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit (Microsoft Blog)
2. Update Your Windows PCs to Patch 117 New Flaws, Including 9 Zero-Days (The Hacker News)
3. Adobe Patches 11 Critical Bugs in Popular Acrobat PDF Reader (Threat Post)
4. LuminousMoth APT: Sweeping attacks for the chosen few (Secure List)
5. Linux-Focused Cryptojacking Gang Tracked to Romania (Threat Post)
6. SonicWall releases urgent notice about ‘imminent’ ransomware targeting firmware (ZDNet)
7. Google: four zero-day flaws have been exploited in the wild (Security Affairs)
8. BazarBackdoor sneaks in through nested RAR and ZIP archives (Bleeping Computer)
9. Trickbot Malware Rebounds with Virtual-Desktop Espionage Module (Threat Post)
10. HelloKitty ransomware now targets VMware ESXi servers (Security Affairs)