By Habiba Rashid
The Stealth Soldier malware is capable of stealing browser data, recording audio and video, and much more.
This is a post from HackRead.com Read the original post: Advanced Espionage Malware “Stealth Soldier” Hits Libyan Firms

The Stealth Soldier campaign marks the possible reappearance of a threat actor known as “The Eye on the Nile” since its last operation in 2019.

Check Point Research has recently uncovered a series of highly-targeted espionage attacks in Libya, shedding light on a previously undisclosed backdoor called Stealth Soldier. This sophisticated malware operates as a custom modular backdoor with surveillance functionalities, including file exfiltration, screen and microphone recording, keystroke logging, and stealing browser information.

The campaign, which appears to be targeting Libyan organizations, marks the possible re-appearance of a threat actor known as “The Eye on the Nile” since its last operation in 2019.

Stealth Soldier, an implant used in limited and targeted attacks, has shown active maintenance with the latest version, Version 9, compiled in February 2023. Check Point Research’s investigation began with the discovery of multiple files submitted to VirusTotal between November 2022 and January 2023 from Libya.

These files, named in Arabic, such as “هام وعاجل.exe” (Important and Urgent.exe) and “برقية 401.exe” (Telegram 401.exe), turned out to be downloaders for different versions of the Stealth Soldier malware.

The execution flow of Stealth Soldier starts with the downloader, which triggers the infection chain. Although the delivery mechanism of the downloader remains unknown, social engineering is suspected.

The malware’s infection process involves downloading multiple files from the Command and Control (C&C) server, including the loader, watchdog, and payload. These components work together to establish persistence and execute the surveillance functionalities.

First, the loader downloads an internal module called PowerPlus to enable PowerShell commands and create persistence. Then, the watchdog periodically checks for updated versions of the loader and runs it accordingly. Finally, the payload collects data, receives commands from the C&C server, and executes various modules based on the attacker’s instructions.

The victim’s information collected by the Stealth Soldier’s payload includes the hostname, username, drive list, and files within specific directories. The malware supports various commands, including directory listing, file upload, screenshot capture, microphone recording, keylogging, browser credential extraction, and PowerShell command execution. 

Check Point Research identified three different versions of Stealth Soldier (Versions 6, 8, and 9), each with slight variations in functionality, filenames, and persistence mechanisms.

Additionally, the investigation uncovered a set of phishing domains linked to the campaign, with some masquerading as websites belonging to the Libyan Ministry of Foreign Affairs.  The phishing domains, hosted on IP addresses associated with previous malicious activities, indicated a likely intention to conduct phishing campaigns.

Check Point Research also discovered similarities between this recent operation and the “Eye on the Nile” campaign, previously linked to government-backed bodies by Amnesty International and Check Point Research. The overlapping infrastructure suggests a possible connection between the two campaigns, indicating the persistence and adaptability of the threat actor behind them.

The Stealth Soldier malware campaign targeting Libyan organizations highlights the increasing sophistication of cyber espionage operations. The use of custom backdoors and advanced surveillance capabilities poses significant threats to targeted entities’ data security and privacy.

Detecting and mitigating advanced threats like Stealth Soldier requires a combination of proactive threat intelligence, user awareness, and effective security solutions to ensure a resilient defence against evolving cyber threats.

**RELATED ARTICLES**

1.  Facebook removes accounts over iOS, Android malware
2.  Worok Hackers Hit Orgs, Govts in Asia, Middle East, Africa
3.  Russia used Triton malware to sabotage Saudi petro plant

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Advanced Espionage Malware “Stealth Soldier” Hits Libyan Firms

RenderDoc versions 1.26 and below suffer from integer underflow, integer overflow, and symlink vulnerabilities.

RenderDoc 1.26 Local Privilege Escalation / Remote Code Execution

Categories: Exploits and vulnerabilities
Categories: News
Tags: Google

Tags:  Chrome

Tags:  V8

Tags:  heap corruption

Tags:  type confusion

Tags:  CVE-2023-3079

Google has released a Chrome update for a zero-day for which an exploit is actively being used in the wild.



(Read more...)




The post Update Chrome now! Google patches actively exploited zero-day appeared first on Malwarebytes Labs.

Google has released an update which includes two security fixes. One of these security fixes is for a zero-day about which Google says it’s aware that an exploit for this vulnerability exists in the wild.

**How to protect yourself**

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Android users will also find an update waiting.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

_Chrome is up to date_

After the update the version should be **114.0.5735.106** for Mac and Linux, and **114.0.5735.110** for Windows, or later.

**Zero day**

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the update page we can learn a few things.

The vulnerability was reported by Clément Lecigne of Google's Threat Analysis Group. This could indicate that Google found this vulnerability while researching an active attack, which matches the fact that an exploit for the vulnerability exists in the wild.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE for the zero-day is:

CVE-2023-3079: a type confusion in V8 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.

In other cases, type confusion vulnerability leads to an arbitrary heap write, or heap spray. Heap spraying is a method typically used in exploits that places large amounts of code in a memory location that the attacker expects to be read. Usually, these bits of code point to the start of the actual code that the exploit wants to run in order to compromise the system that is under attack.

At the heart of every modern web browser sits a JavaScript interpreter, a component that does much of the heavy lifting for interactive web apps. In Chrome, that interpreter is V8.

An attacker can exploit this vulnerability by using a specially crafted piece of HyperText Markup Language (HTML). It needs user interaction, which could be easier than it sounds. HTML is the standard markup language for documents designed to be displayed in a web browser and these documents (webpages) can contain JavaScript. Potentially this means that by opening the wrong website, which contains such a specially crafted JavaScript, the browser could be compromised.

Users of other Chromium based browsers, like Edge, should be on the lookout for updates as well, as this one is likely to affect all Chromium based browsers.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update Chrome now! Google patches actively exploited zero-day

RenderDoc through 1.26 allows an Integer Overflow with a resultant Buffer Overflow (issue 1 of 2).

CVE-2023-33863

By Habiba Rashid
The massive and sophisticated mobile malware campaign has been operating undetected on Android devices across the globe for more than six months. 
This is a post from HackRead.com Read the original post: Global Malware Attack Imitates VPN and Security Apps on Android Phones

The malware-infected apps include a variety of industries, including gaming, anti-virus, VPN, tutorials, gaming, social media and many more.

Bitdefender, a leading cybersecurity company, has recently revealed the existence of a massive and sophisticated **mobile malware campaign** that has been operating undetected on Android devices across the globe for more than six months. 

The campaign, which poses a significant threat on a global scale, primarily aims to aggressively distribute adware to Android devices with the intention of generating revenue for the malicious actors involved.

However, the researchers warn that these threat actors have the capability to switch tactics, potentially redirecting users to more dangerous forms of malware such as **banking Trojans or ransomware**. So far, Bitdefender has identified over 60,000 unique apps carrying the adware, suggesting that there may be many more variants still lurking in the wild.

Here are the countries most impacted by the new malware campaign:

*   United States 55.27%
*   South Korea 9.8%
*   Brazil 5.96%
*   Germany 2.93%
*   United Kingdom 2.71%
*   France 2.56%
*   Kazakhstan 2.5%
*   Romania 2.41%
*   Italy 1.93%
*   Other 12.19%

One of the remarkable aspects of this malware campaign is its longevity, as it has remained active since at least October 2022. The absence of behaviour-based detection capabilities on Android has enabled the malware to **evade detection** for such an extended period. Moreover, the sheer number of unique samples discovered strongly indicates that the operation is largely automated.

What sets this malware campaign apart is its distribution strategy. The malicious apps are not present in official app stores, requiring the perpetrators to convince users to download and install third-party applications. To accomplish this, the threat actors have disguised their malicious software as highly sought-after apps that are typically not found in official stores or have mimicked legitimate applications available on the **Play Store**. 

The apps imitate various popular categories, including game cracks, unlocked game features, **free VPNs**, fake videos, Netflix, fake tutorials, ad-free versions of YouTube/TikTok, cracked utility programs, and fake security programs. Here is the full list shared by the researchers:  

*   Netflix
*   Free VPN
*   Fake videos
*   Fake tutorials
*   Game cracks
*   Fake security programs
*   YouTube/TikTok without ads
*   Games with unlocked features
*   Cracked utility programs: weather, pdf viewers, etc

The distribution of this malware occurs organically when users search for these specific types of apps, cracks, or mods. Websites dedicated to offering modded apps have become popular platforms for such distribution. When a user visits a website through a Google search for a “modded” app, they may be redirected to a deceptive page hosting the malware disguised as a legitimate download for the desired mod.

Bitdefender’s researchers have discovered the malware’s sophisticated techniques to remain hidden and ensure its persistence on infected devices. By not registering any launchers during installation, the malware avoids displaying an app icon on the device’s launcher.

The malware also employs a special packer that utilizes the SQLCipher package to encrypt its malicious content. Bitdefender’s technical **blog post** includes further details about the infection process.

To protect Android devices from this widespread malware campaign and similar threats, it is crucial to employ a robust security solution capable of detecting and preventing such attacks.

Users are strongly advised against downloading apps from third-party app stores or websites, as these platforms pose a **higher risk of malware infection**. It is always safest to stick to official app stores for app downloads.

**RELATED ARTICLES**

1.  Hackers Leak i2VPN Admin Credentials on Telegram
2.  MaliBot Android Malware Stealing Personal, Banking Data
3.  Play Store Apps Caught Spreading Android Malware to Millions
4.  Evolving Toll Fraud Android Malware Draining Wallets, Microsoft
5.  Goldoson Malware Seen in 60 Android Apps with 100M Downloads

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Global Malware Attack Imitates VPN and Security Apps on Android Phones

An issue was discovered in Anyka Microelectronics AK3918EV300 MCU v18. A command injection vulnerability in the network configuration script within the MCU's operating system allows attackers to perform arbitrary command execution via a crafted wifi SSID or password.

Download PDF

> Abstract: Hidden cameras, also called spy cameras, are surveillance tools commonly used to spy on people without their knowledge. Whilst previous studies largely focused on investigating the detection of such a camera and the privacy implications, the security of the camera itself has received limited attention. Compared with ordinary IP cameras, spy cameras are normally sold in bulk at cheap prices and are ubiquitously deployed in hidden places within homes and workplaces. A security compromise of these cameras can have severe consequences. In this paper, we analyse a generic IP camera module, which has been packaged and re-branded for sale by several spy camera vendors. The module is controlled by mobile phone apps. By analysing the Android app and the traffic data, we reverse-engineered the security design of the whole system, including the module's Linux OS environment, the file structure, the authentication mechanism, the session management, and the communication with a remote server. Serious vulnerabilities have been identified in every component. Combined together, they allow an adversary to take complete control of a spy camera from anywhere over the Internet, enabling arbitrary code execution. This is possible even if the camera is behind a firewall. All that an adversary needs to launch an attack is the camera's serial number, which users sometimes unknowingly share in online reviews. We responsibly disclosed our findings to the manufacturer. Whilst the manufacturer acknowledged our work, they showed no intention to fix the problems. Patching or recalling the affected cameras is infeasible due to complexities in the supply chain. However, it is prudent to assume that bad actors have already been exploiting these flaws. We provide details of the identified vulnerabilities in order to raise public awareness, especially on the grave danger of disclosing a spy camera's serial number.

**Submission history**

From: Samuel Herodotou \[view email\]  
**\[v1\]** Thu, 1 Jun 2023 12:26:52 UTC (6,461 KB)

CVE-2023-30400: Spying on the Spy: Security Analysis of Hidden Cameras

Thousands of adware apps for Android have been found to masquerade as cracks or modded versions of popular apps to redirect users to serve unwanted ads to users as part of a campaign ongoing since October 2022.
"The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue," Bitdefender said in a technical report shared with The Hacker News. "However,

Mobile Security / Malvertising

Thousands of adware apps for Android have been found to masquerade as cracks or modded versions of popular apps to redirect users to serve unwanted ads to users as part of a campaign ongoing since October 2022.

"The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue," Bitdefender said in a technical report shared with The Hacker News. "However, the threat actors involved can easily switch tactics to

redirect users to other types of malware such as banking Trojans to steal credentials and financial information or ransomware."

The Romanian cybersecurity company said it has discovered 60,000 unique apps carrying the adware, with a majority of the detections located in the U.S., South Korea, Brazil, Germany, the U.K., France, Kazakhstan, Romania, and Italy.

It's worth pointing out that none of the apps are distributed through the official Google Play Store. Instead, users searching for apps like Netflix, PDF viewers, security software, and cracked versions of YouTube on a search engine are redirected to an ad page hosting the malware.

The apps, once installed, have no icons or names in a bid to evade detection. What's more, users launching an app for the first time after installation are displayed the message "Application is unavailable in your region from where the app serves. Tap OK to uninstall," while stealthily activating the malicious activity in the background.

The modus operandi is another area of note wherein the adware behavior remains dormant for the first few days, after which it's awakened when the victim unlocks the phone in order to serve a full-screen ad using Android WebView.

The findings come as cybersecurity firm CloudSEK disclosed it had identified the rogue SpinOK SDK – which was revealed by Doctor Web last month – in 193 apps on the Google Play Store that have been downloaded 30 million times.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

On the surface, the SpinOk module is designed to maintain users' interest in apps with the help of mini-games and tasks to win alleged rewards. But peer inside, the trojan harbors functionalities to steal files and replace clipboard contents.

In a related development, the SonicWall Capture Labs Threat research team also unearthed another strain of Android malware that impersonates legitimate apps to harvest a wide range of information from compromised handsets by abusing the operating system's accessibility services.

"These features allow the attacker to access and steal valuable information from the victim's device, which can lead to various types of fraud, including financial fraud, and identity theft," SonicWall said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over 60K Adware Apps Posing as Cracked Versions of Popular Apps Target Android Devices

In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588531; Issue ID: ALPS07588531.

CVE-2023-20727: June 2023

Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.

CVE-2023-33733: Cure53 – Fine penetration tests for fine websites

Categories: News
Tags: week in security

A list of topics we covered in the week of May 29 - June 4 of 2023



(Read more...)




The post A week in security (May 29 - June 4) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

iPhone Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

Tag

#android