The threat actor known as SideWinder has added a new custom tool to its arsenal of malware that's being used in phishing attacks against Pakistani public and private sector entities.
"Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan are primary attack vectors of the gang," Singapore-headquartered cybersecurity

The threat actor known as SideWinder has added a new custom tool to its arsenal of malware that's being used in phishing attacks against Pakistani public and private sector entities.

"Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan are primary attack vectors of the gang," Singapore-headquartered cybersecurity company Group-IB said in a Wednesday report.

SideWinder, also tracked under the monikers Hardcore Nationalist, Rattlesnake, Razor Tiger, and T-APT-04, has been active since at least 2012 with a primary focus on Pakistan and other Central Asian countries like Afghanistan, Bangladesh, Nepal, Singapore, and Sri Lanka.

Last month, Kaspersky attributed to this group over 1,000 cyber attacks that took place in the past two years, while calling out its persistence and sophisticated obfuscation techniques.

The threat actor's modus operandi involves the use of spear-phishing emails to distribute malicious ZIP archives containing RTF or LNK files, which download an HTML Application (HTA) payload from a remote server.

This is achieved by embedding fraudulent links that are designed to mimic legitimate notifications and services of government agencies and organizations in Pakistan, with the group also setting up lookalike websites posing as government websites to harvest user credentials.

The custom tool identified by Group-IB, dubbed SideWinder.AntiBot.Script, acts as a traffic direction system diverting Pakistani users clicking on the phishing links to rogue domains.

Should a user whose client's IP address differs from Pakistan's tap on the link, the AntiBot script redirects to an authentic document located on a legitimate server, indicating an attempt to geofence its targets.

"The script checks the client browser environment and, based on several parameters, decides whether to issue a malicious file or redirect to a legitimate resource," the researchers said.

Of special mention is a phishing link that downloads a VPN application called Secure VPN ("com.securedata.vpn") from the official Google Play store in an attempt to impersonate the legitimate Secure VPN app ("com.securevpn.securevpn").

While the exact purpose of the fake VPN app remains unclear, this is not the first time SideWinder has sneaked past Google Play Store protections to publish rogue apps under the pretext of utility software.

In January 2020, Trend Micro detailed three malicious apps that were disguised as photography and file manager tools that leveraged a security flaw in Android (CVE-2019-2215) to gain root privileges as well as abuse accessibility service permissions to harvest sensitive information.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities

By Deeba Ahmed
In this PoC, the ransomware attack dubbed R4IoT uses vulnerable IoT devices (in this case, vulnerable security cameras)…
This is a post from HackRead.com Read the original post: New PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Networks

In this PoC, the ransomware attack dubbed R4IoT uses vulnerable IoT devices (in this case, vulnerable security cameras) to gain access, IT for traversal, and OT, particularly PLCs for detonation.

Ransomware has become a significant threat in the industrial sector, causing widespread operational disruption. A new proof-of-concept ransomware attack devised by Forescout Technologies has concerned the infosec community even more because of the dire consequences for OT security.

**Proof-of-Concept Research Reveals Next Generation of Ransomware**

Operational Technology (OT) and Industrial Control System (ICS) networks have become the targets of interest among ransomware operators. Vedere Labs of Forescout Technologies claim that their new proof-of-concept attack can have challenging OT and IoT security implications.

In this PoC, the ransomware attack dubbed R4IoT uses vulnerable IoT devices (in this case, vulnerable security cameras) to gain access, IT for traversal, and OT, particularly PLCs for detonation.

The attack involves exploiting a flawed IP camera to compromise the IT infrastructure to gain access and shut down the OT hardware of the organization. It is worth noting that no new exploits were used in the attack, and just pre-existing flaws were enough to compromise such critical systems.

According to Vedere Labs, the only attack scenario that combines the IT, IoT, and OT ransomware in a single PoC. Researchers also released a video demonstration of the attack.

**Attack Details**

In the demonstration video, the researchers can be seen compromising mainstream network-connected security cameras, mainly from Hikvision and Axis, as these vendors provide 77% of the IP cameras currently used in enterprise networks. In fact, Forescout revealed in its report that over half a million devices are under threat because of using the default VLAN1 configuration.

Therefore, any vulnerability can be used against these devices to access an inadequately protected enterprise network. The video shows that threat actors first exploit the camera’s flaws and then execute a command to access a Windows device and later execute more commands to locate other devices/machines attached to the same camera.

**PoC Video**

As it can be seen in the video above, a simulated ransomware attack is used against a fictional hospital, and the Forescout team accessed an IP camera to access the hospital’s network and camera and searched for a programmable logic controller that controlled the facility’s heating, ventilation, and air conditioning (HVAC) system, escalated privileges to install ransomware and shut the system down.

The attacker will look for devices having weak credentials to establish an SSH tunnel by opening remote desktop protocol ports. They can now open a remote desktop session, disable network firewalls/antivirus solutions, and install malware. They can also gain privilege escalation, install ransomware and cryptocurrency miners, or launch malicious executables at OT systems.

Nevertheless, the head of security research at Forescout Vedere Lab Daniel dos Santos stated that the primary objective behind the demonstration of this PoC was to indicate how vulnerable organizational security was regarding OT networks and to highlight the evolving dangers and scope of ransomware attacks.

**More IoT Vulnerability News**

*   DNS rebinding attack puts half a billion IoT devices at risk
*   BotenaGo botnet malware targeting millions of IoT devices
*   New malware found targeting IoT devices, Android TV globally
*   Millions of IoT devices, baby monitors open to audio, video snooping
*   IoT botnet of heaters & ovens can cause massive widespread power outages

New PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Networks

Security researchers have described the malware as among the fastest-spreading mobile threats in recent years.

An international team of law-enforcement officials has successfully disrupted infrastructure associated with FluBot, an especially pernicious malware tool that threat actors have been using since at least December 2020 to steal passwords, bank account details, and other sensitive data from Android users.

Europol announced the takedown Wednesday, noting that FluBot's infrastructure was now under the control of law enforcement.

"An international law enforcement operation involving 11 countries has resulted in the takedown of one of the fastest-spreading mobile malware to date," Europol noted. "The investigation is ongoing to identify the individuals behind this global malware campaign."

Researchers first spotted FluBot (at that time referred to as Cabassous) targeting Android users in Spain in December 2020. Over the course of the next year, the malware spread like wildfire to what Europol described as a "huge number" of Android devices in multiple countries, including Germany, the UK, France, Finland, Australia, and New Zealand.

**A Fast-Spreading Viral Threat**

FluBot spreads via SMS phishing messages (smishing) that use various pretexts to try and get recipients to click on a link for downloading the malware to their smartphones. In the early days of the malware, the SMS messages purported to be from delivery companies such as FedEx and DHL attempting to drop off a package. Users who were tricked into clicking on the link — ostensibly to reschedule delivery — ended up with the malware, disguised as a mobile app from the delivery company, downloaded to their Android devices.

Once installed, the malware seeks specific access privileges on the device that, if granted, it would use to steal payment-card data, bank account information, and other sensitive data. The malware was also designed to intercept and read text messages, open pages, disable Google Play Protect, and uninstall various apps from an infected device.

In addition, FluBot copies the infected device owner's contact list and sent SMS messages with infected links to all the numbers — a factor that likely contributed to its rapid spread, according to security vendor Bitdefender. The authors of the malware likely sold it as a service to different threat actors, too, contributing to its viral spread.

Over the course of 2021, threat actors used different SMS messages to try and trick users to click on the malicious link, including one that purported to be from a friend wanting to share a photo and another that tried to get users to listen to a fake voicemail message. Researchers from Bitdefender even observed attackers sending SMS phishing messages that ironically enough warned recipients about their devices being infected with FluBot and to take remedial action by clicking on the message link. In a report this January, Bitdefender identified Australia as the country most hit by FluBot, followed by Germany, Poland, Spain, and Austria.

Researchers from Proofpoint who tracked FluBot last year reported observing FluBot SMS messages in both English and German. The vendor said it had identified more than 700 unique domains that FluBot actors used for the English-language campaign alone.

**Android Threats Continue to Surge**

The FluBot takedown eliminates — temporarily — one of the biggest threats to Android device users in recent years. However, numerous other similar malware tools in the wild continue to present a serious threat. A recent report from ThreatFabric identified a continued increase in Android malware families such as Joker that enable fraudulent transactions being initiated from an infected device. Other examples include Alien, Cerberus, Hydra, and Octo.

The increase in Android malware families has also been accompanied by an increase in the number of malware droppers disguised as legitimate apps on Google's official Play mobile app store, ThreatFabric said. Among them is an app called NanoCleaner, which has been downloaded more than 10,000 times. In actuality, NanoCleaner is a dropper for Hydra.

Similarly, another app called Pocket Screencaster, with more than 10,000 installs, is a dropper for Octo, and another called Fast Cleaner, with more than 50,000 installs, is really a dropper for Alien and Octo.

"Threat actors continue to consider droppers on Google Play as one of the most effective ways to deliver malware to victims," ThreatFabric said.

FluBot Android Malware Operation Disrupted, Infrastructure Seized

EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.

An Internet of Things (IoT) botnet dubbed “EnemyBot" is expanding its front lines to target security vulnerabilities in enterprise services — potentially leading to it being a much more virulent threat than it has been, researchers say.

EnemyBot, which is controlled by a threat actor known as Keksec, is a Linux botnet that emerged on the malware scene in late March. It shares source code with two other well-known botnets, Gafgyt (aka Bashlite) and the mighty Mirai, according to a prior analysis from Fortinet. Like those threats, EnemyBot is used to carry out distributed denial-of-service (DDoS) attacks. Other aspects of the code include smaller elements from Qbot and other malware, and some custom development.

While it began life focusing on adding IoT devices and routers to its botnet footprint, EnemyBot has now evolved to add remote code execution (RCE) exploits for a host of popular business applications, including VMware Workspace ONE, Adobe ColdFusion, WordPress sites (via vulnerable plug-ins like Video Synchro PDF), PHP Scriptcase, and others, according to researchers at AT&T Labs. 

Researchers discovered that the group is using a mix of recent, so-called "one-day" bugs, as well as older known issues, looking to take advantage in lags in patching.

Keksec is "now targeting IoT devices, web servers, Android devices and content management system (CMS) servers," according to the firm's recent report, which notes that the latest version of EnemyBot adds a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and Web servers and self-propagate. 

The enterprise-focused exploits that were recently added include:

*   Log4Shell vulns: CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices: CVE-2022-1388
*   Spring Cloud Gateway: CVE-2022-22947
*   TOTOLink A3000RU wireless router: CVE-2022-25075
*   Kramer VIAWare: CVE-2021-35064
*   PHP Scriptcase: No CVE yet assigned
*   Adobe ColdFusion 11: No CVE yet assigned

"The nature of devices and systems targeted through EnemyBot is different than vulnerabilities aimed at corporate datacenters," Bud Broomhead, CEO at Viakoo, tells Dark Reading. "WordPress installations, Android devices, IoT devices and other targets for EnemyBot are all widely deployed (therefore might be hard to find), are operated by organizations of all sizes, and are often managed by lines of business that lack cybersecurity skills."

**EnemyBot: A Super Soldier?**

In addition to the DDoS capabilities, EnemyBot can also receive commands to download and execute new code that could add to its functions or update its vulnerability list, according to the analysis. This means that, worryingly, the malware can adopt new vulnerabilities within days of those issues being discovered, researchers warned, as seen when it added a bug tracked as CVE-2022-22954 affecting VMware Workspace ONE, almost immediately after disclosure.

Sean Malone, CISO at Demandbase, says that given its rapid development, EnemyBot and others like it present a new urgency for enterprise defenders.

"The rapid weaponization of newly released vulnerabilities highlights the need to be able to patch almost instantaneously when new vulnerabilities are identified," he tells Dark Reading. "We should assume that every piece of software, every application development framework, and every IoT device will have a critical vulnerability identified at some point. Our architectures should be designed to limit the available attack surface, and mitigate the blast radius of a compromised system through defense-in-depth measures."

That should include adding the ability to profile systems and network traffic to know what normal looks like, and alert when the system activity and network traffic deviates from that baseline, he adds.

"This botnet emphasizes the need for rapid patching of internet facing devices and the risks of running apps in the cloud," says John Bambenek, principal threat hunter at Netenrich. "This traffic is easily spotted on the wire, but in typical cloud deployments, organizations aren’t able to run network intrusion detection. If organizations aren’t running NIDS or rapidly patching, they are both blind and vulnerable."

**Keksec & EnemyBot's Future**

For its part, Keksec is a well-resourced group that has been around since 2016, making a name for itself by creating various botnets-for-hire. It's known for exploiting vulnerabilities to invade multiple architectures with polymorphic tools (these can include Linux and Windows payloads, as well as custom Python malware), in order to accomplish everything from DDoS to cryptomining to espionage.

For instance, last year the operators made headlines with the "Simps" botnet, which was built for DDoS attacks on gaming targets. Another of its creations is the HybridMQ-keksec botnet, a Frankenstein-like effort created by combining and modifying the source code of Mirai and Gafgyt, just like EnemyBot.

Keksec is constantly adding to its arsenal, and "has the ability to update and add new capabilities to its arsenal of malware on a daily basis," the AT&T Labs researchers note. And indeed, with the new ability to compromise enterprise services and devices, EnemyBot could be poised to ramp up the volume of its attacks.

"In addition, the malware base source code can now be found online on GitHub, making it widely accessible," according to AT&T Labs, whose researchers also note that this won't be the only new EnemyBot variant to bubble up from Keksec's laboratory. "The developer of the GitHub page on EnemyBot self-describes as a 'full time malware dev,' that is also available for contract work."

That spells swelling attack volumes, researchers warn.

"Being available through GitHub means that many types of threat actors, from professional cybercriminals to amateurs, will be able to adapt EnemyBot into new and multiple variants," says Broomhead. "Without question, this is a red-lights-flashing warning sign for organizations to improve their discovery, threat assessment, and remediation capabilities."

EnemyBot Puts Enterprises in the Crosshairs With Raft of '1-Day' Bugs

An international law enforcement operation involving 11 countries has culminated in the takedown of a notorious mobile malware threat called FluBot.
"This Android malware has been spreading aggressively through SMS, stealing passwords, online banking details and other sensitive information from infected smartphones across the world," Europol said in a statement.

The "complex

An international law enforcement operation involving 11 countries has culminated in the takedown of a notorious mobile malware threat called FluBot.

"This Android malware has been spreading aggressively through SMS, stealing passwords, online banking details and other sensitive information from infected smartphones across the world," Europol said in a statement.

The "complex investigation" included authorities from Australia, Belgium, Finland, Hungary, Ireland, Romania, Spain, Sweden, Switzerland, the Netherlands, and the U.S.

FluBot, also called Cabassous, emerged in the wild in December 2020, masking its insidious intent behind the veneer of seemingly innocuous package tracking applications such as FedEx, DHL, and Correos.

It primarily spreads via smishing (aka SMS-based phishing) messages that trick unsuspecting recipients into clicking on a link to download the malware-laced apps.

Once launched, the app would proceed to request access to Android's Accessibility Service to stealthily siphon bank account credentials and other sensitive information stored in cryptocurrency apps.

To make matters worse, the malware leveraged its access to contacts stored in the infected device to propagate the infection further by sending messages containing links to the FluBot malware.

"This FluBot infrastructure is now under the control of law enforcement, putting a stop to the destructive spiral," the agency noted, adding that the Dutch Police orchestrated the seizure last month.

According to ThreatFabric's mobile threat landscape report for H1 2022, FluBot was the second most active banking trojan behind Hydra, accounting for 20.9% of the samples observed between January and May.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

FluBot Android Spyware Taken Down by Global Law Enforcement Operation

SAN DIEGO, May 31, 2022 /PRNewswire/ -- ESET, a global leader in cybersecurity, has announced a new suite of products for the Telecommunications and Internet Service Provider (Telco and ISP) industry, with the aim of offering extensive protection to consumers. Cybercrime is a borderless problem and ESET telemetry shows that the volume of cyberattacks is increasing, with a trend toward attacks against smartphones. ESET's newly launched NetProtect suite ensures that service providers and their end users have the tools they need to combat these advanced and evolving mobile threats.

**About the new ESET NetProtect products  
**The new offering includes ESET NetProtect for Mobile and ESET NetProtect for Mobile Advanced, which offer security via mobile networks, and ESET NetProtect for Home Advanced, which helps secure fixed network connections. These solutions protect customer devices connected to Telco and ISP networks (fixed or mobile) against malicious web domains or domain categories such as malware, phishing and potentially unwanted content. With ESET NetProtect Advanced (fixed or mobile), parents also have full control of their children's filters through Web Content Filter. The management portal for end users allows them to manage the ESET NetProtect settings of their connected devices, manage their domain whitelists and blacklists, and generate security reports, giving users an insight into how ESET protects their devices as well as summary information about detected threats, blocked webpages and more.

Thanks to easy integration into Telco and ISP network services and existing activation processes, network-level solutions do not require any software installation on end user devices, and are compatible with both Android and iOS. The solutions are provided as a one-click service activation from the users' trusted internet provider and automatically provide protection to any connected device. Security tailored to customers' needs is ensured by offering robust local customer and partner support coverage along with comprehensive protection that is a step ahead of online threats via ESET's first access to a unique set of malware detected and pooled at a worldwide network of research and development centers.

"We are thrilled to launch this new suite of advanced cybersecurity products designed for service providers and their customers, which represents a critical threat vector for bad actors," said Brent McCarty, President of ESET North America. "At ESET, we always develop products with our customers in mind, and with our ESET NetProtect offering we have created an easy-to-use and elegant solution not only for the industry leaders in the Telco and ISP sector, but for the consumers who are the actual end users of our products."

For more than 30 years, ESET has invested heavily in multiple layers of proprietary technology that prevent breaches of its customers' endpoints and systems, by both known and never-before-seen threats. These products are informed by world-class threat analysis and expertise from the company's global research team. With a presence in over 200 countries worldwide and 13 research and development centers around the world, ESET offers its over 400,000 business customers peace of mind that their interests are protected at all times. ESET also helps protect the Google Play store and is trusted by millions of consumers around the world. To read more about the new offering for Telcos and ISPs or to contact the ESET team for more information, please click here.

**About ESET  
**For more than 30 years, ESET® has been providing enterprises across the globe with industry-leading IT security software and services, including endpoint detection and response, encryption and authentication, and comprehensive security services packages. With high-performing, easy-to-use solutions that cater to businesses of all sizes, ESET protects customers from increasingly sophisticated digital threats in an ever-evolving landscape. ESET delivers to the enterprise market the people, expertise, and cutting-edge technology required to keep businesses safe and running without interruption. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.

SOURCE ESET

ESET Launches NetProtect Suite of Advanced Cybersecurity Offerings for Telcos and ISPs

New web targets for the discerning hacker

New web targets for the discerning hacker

The US Department of Justice (DoJ) has said it won’t prosecute security researchers acting “in good faith”, as part of changes to the Computer Fraud and Abuse Act (CFAA). While the DoJ says this was always the case in practice, the changes provide more certainty for researchers, pen testers, and bug bounty hunters.

Meanwhile, the UK government remains half-hearted about bug bounty programs, with Dr Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC), saying there are no plans for a broad rollout any time soon. Speaking at the CyberUK conference, he commented: “The reason for that is that we just don’t seem to need to – people are more than happy to come and tell government we’ve screwed up.”

LinkedIn, meanwhile, has launched a public bug bounty program with rewards of up to $18,000 that replaces its invite-only program. Hosted by HackerOne, LinkedIn invites hackers to probe its main web domain, LinkedIn.com, for security flaws, as well as the LinkedIn API and Android and iOS mobile apps.

Blockchain bridge Wormhole has handed over a record $10 million reward to a bug hunter with the online pseudonym ‘satya0x’. Had it been exploited successfully, the critical vulnerability that attracted the reward could have seen all the funds residing in in the Wormhole core bridge contract on Ethereum lost forever.

In other payout news, Youssef Sammouda netted $44,625 for discovering a series of bugs that could have allowed a malicious actor to take over Facebook accounts. They included a cross-site request forgery (CSRF) bug allowing an attacker to force a victim to log out from their Facebook account in their browser, and a flaw forcing a login to the attacker’s Facebook account inside the victim’s browser.

Pwn2Own Vancouver, the flagship hacking contest, took place last month, handing out more than $1 million for bugs in products from Microsoft, Mozilla, Apple, and others. Participants unearthed 27 qualifying vulnerabilities in total, with a team from Star Labs in Singapore being crowned this year’s Masters of Pwn.

And finally, Vidoc Security Lab has published a security advisory warning of more than 60 instances of a web security flaw in the Swagger-UI library, potentially leading to account takeover. Bug bounty programs operated by PayPal, Shopify, Atlassian, Microsoft, GitLab, and Yahoo were alerted, among others.

**The latest bug bounty programs for June 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Aztec Network**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$1 million

Outline:  
A privacy-first recursive, zero-knowledge rollup built on Ethereum that purports to being the “only zkRollup built from the ground up to be privacy-preserving”.

Notes:  
Bounties on offer potentially range up to $1 million, with $25,000 for high severity issues, and $5,000 for medium severity bugs.

Check out the Aztec Network bug bounty page at Immunefi for more details

**Balancer**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$2.4 million

Outline:  
“Community-driven protocol, liquidity provider, and price sensor that empowers decentralized exchange and the automated portfolio management of tokens on the Ethereum blockchain and other EVM compatible systems.”

Notes:  
Payouts in Ethereum could reach $2.4 million, while high severity vulnerabilities can command rewards of up to $600,000.

Check out the Balancer bug bounty page at Immunefi for more details

**Chain**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$5 million

Outline:  
Eye-watering payouts in the millions on offer by Chain, which builds “cryptographic ledgers that underpin breakthrough financial products and services”.

Notes:  
Payouts are issued in USDC, XCN, USDT and ETH, with the ratio at Chain’s discretion.

Check out the Chain bug bounty page at Immunefi for more details

**Cudos Network**

Program provider:  
Bugcrowd

Program type:  
Public

Max reward:  
$4,500

Outline:  
A decentralised platform that runs over multiple p2p nodes and enables developers to build complex smart contract functionality.

Notes:  
Top-tier rewards given for cryptographic exploits allowing for the manipulation of BFT consensus, while certain DDoS exploits qualify as tier two.

Check out the Cudos Network bug bounty page at Bugcrowd for more details

**Doctolib**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
€20,000

Outline:  
Doctolib develops appointment booking software used by more than 300,000 healthcare personnel and 60 million patients across Europe.

Notes:  
High severity issues command rewards of up to €4,000 and critical bugs will net hackers up to €20,000, with two web domains and iOS and Android apps in play.

Check out the Doctolib bug bounty page at YesWeHack for more details

**Gojek**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$5,000

Outline:  
Gojek is an Indonesian, on-demand, multi-service platform and digital payment technology group.

Notes:  
Maximum bounty of $5,000 on offer for tier-one assets, and $2,000 for tier-two assets.

Check out the Gojek bug bounty page at HackerOne for more details

**LinkedIn**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$15,000

Outline:  
LinkedIn has launched a public bug bounty program to replace the invite-only program running since 2014, as previously reported by The Daily Swig.

Notes:  
Critical security vulnerabilities discovered on the business-oriented social media platform will net researchers bounties ranging from $5,000 up to $15,000.

Read our previous coverage to find out more

**Razorpay**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$3,000

Outline:  
Razorpay claims to be the only payments solution in India that allows businesses to accept, process, and disburse payments.

Notes:  
Critical flaws will command bounties of between $1,000 and $3,000, with four in-scope targets comprising the dashboard, API, checkout, and invoice domains.

Check out the Razorpay bug bounty page at HackerOne for more details

**Quebec Ministry of Cybersecurity and Digital**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
C$1,500

Outline:  
Le ministère de la Cybersécurité et du Numérique has launched its program, with details written in French, on Paris-base bug bounty platform YesWeHack.

Notes:  
The ministry has 12 web assets in scope and is offering a maximum payout of C$1,500.

Check out Le ministère de la Cybersécurité et du Numérique bug bounty page at YesWeHack for more details

**Wealthsimple**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$20,000

Outline:  
The Canadian investment management service has financial tools for stock trading, ETFs, managed investing, and crypto.

Notes:  
Critical bugs can attract $20,000 rewards, while high and medium severity vulnerabilities could net bug hunters $5,000 or $1,000 respectively.

Check out the Wealthsimple bug bounty page at HackerOne for more details

**Other bug bounty and VDP news this month**

*   Another nine new programs in a bumper May for Immunefi included programs from the Bancor Protocol (max reward $900,000) plus Orca and Wombat Exchange (both with a maximum payout of $500,000)
*   Cloudflare and security researchers from Assetnote have documented the discovery and remediation of vulnerabilities in Cloudflare Pages
*   YesWeHack is launching an ethical hacking virtual reality game and holding a live bug bounty challenge at the upcoming International Cybersecurity Forum in June
*   The US Cyber Games, a NICE-NIST collaboration, enters its second season in July, starting with Capture the Flag (CTF) competitions and culminating in the top cybersecurity athletes representing the US internationally
*   Some 401 security flaws were remediated during the 12-month pilot of the US Defense Industrial Base\-Vulnerability Disclosure Program (DIB-VDP), which concluded in April

Additional reporting by Emma Woollacott.

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for May 2022

Bug Bounty Radar // The latest bug bounty programs for June 2022

An analysis of the mobile threat landscape in 2022 shows that Spain and Turkey are the most targeted countries for malware campaigns, even as a mix of new and existing banking trojans are increasingly targeting Android devices to conduct on-device fraud (ODF).
Other frequently targeted countries include Poland, Australia, the U.S., Germany, the U.K., Italy, France, and Portugal.
"The most

An analysis of the mobile threat landscape in 2022 shows that Spain and Turkey are the most targeted countries for malware campaigns, even as a mix of new and existing banking trojans are increasingly targeting Android devices to conduct on-device fraud (ODF).

Other frequently targeted countries include Poland, Australia, the U.S., Germany, the U.K., Italy, France, and Portugal.

"The most worrying leitmotif is the increasing attention to On-Device Fraud (ODF)," Dutch cybersecurity company ThreatFabric said in a report shared with The Hacker News.

"Just in the first five months of 2022 there has been an increase of more than 40% in malware families that abuse Android OS to perform fraud using the device itself, making it almost impossible to detect them using traditional fraud scoring engines."

Hydra, FluBot (aka Cabassous), Cerberus, Octo, and ERMAC accounted for the most active banking trojans based on the number of samples observed during the same period.

Accompanying this trend is the continued discovery of new dropper apps on Google Play Store that come under the guise of seemingly innocuous productivity and utility applications to distribute the malware -

*   Nano Cleaner (com.casualplay.leadbro)
*   QuickScan (com.zynksoftware.docuscanapp)
*   Chrome (com.talkleadihr)
*   Play Store (com.girltold85)
*   Pocket Screencaster (com.cutthousandjs)
*   Chrome (com.biyitunixiko.populolo)
*   Chrome (Mobile com.xifoforezuma.kebo)
*   BAWAG PSK Security (com.qjlpfydjb.bpycogkzm)

What's more, on-device fraud — which refers to a stealthy method of initiating rogue transactions from victim's devices — has made it feasible to use previously stolen credentials to login to banking applications and carry out financial transactions.

To make matters worse, the banking trojans have also been observed constantly updating their capabilities, with Octo devising an improved method to steal credentials from overlay screens even before they are submitted.

"This is done in order to be able to get the credentials even if \[the\] victim suspected something and closed the overlay without actually pressing the fake 'login' present in the overlay page," the researchers explained.

ERMAC, which emerged last September, has received noticeable upgrades of its own that allow it to siphon seed phrases from different cryptocurrency wallet apps in an automated fashion by taking advantage of Android's Accessibility Service.

Accessibility Service has been Android's Achilles' heel in recent years, allowing threat actors to leverage the legitimate API to serve unsuspecting users with fake overlay screens and capture sensitive information.

Last year, Google attempted to tackle the problem by ensuring that "only services that are designed to help people with disabilities access their device or otherwise overcome challenges stemming from their disabilities are eligible to declare that they are accessibility tools."

But the tech giant is going a step further in Android 13, which is currently in beta, by restricting API access for apps that the user has sideloaded from outside of an app store, effectively making it harder for potentially harmful apps to misuse the service.

That said, ThreatFabric noted it was able to bypass these restrictions trivially by means of a tweaked installation process, suggesting the need for a more stricter approach to counteract such threats.

It's recommended that users stick to downloading apps from the Google Play Store, avoid granting unusual permissions to apps that have no purpose asking for them (e.g., a calculator app asking to access contact lists), and watch out for any phishing attempts aimed at installing rogue apps.

"The openness of Android OS serves both good and bad as malware continues to abuse the legitimate features, whilst upcoming restrictions seem to hardly interfere with the malicious intentions of such apps," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Latest Mobile Malware Report Suggests On-Device Fraud is on the Rise

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

A rapidly evolving IoT malware dubbed “EnemyBot” is targeting content management systems (CMS), web servers and Android devices. Threat actor group “Keksec” is believed behind the distribution of the malware, according to researchers.

“Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices,” reported AT&T Alien labs in a recent post. “The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,” they added.

 According to AT&T’s analysis of the malware‘s code base, EnemyBot borrows generously from code used by other botnets such as Mirai, Qbot and Zbot. The Keksec group distributes the malware by targeting Linux machines and IoT devices, this threat group was formed back in 2016 and includes several botnet actors.

****EnemyBot Working****

The Alien lab research team study found four main sections of the malware.

The first section is a python script ‘cc7.py’, used to download all dependencies and compile the malware into different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file “update.sh” is created and used to spread the malware to vulnerable targets.

The second section is the main botnet source code, which includes all the other functionality of the malware excluding the main part and incorporates source codes of the various botnets that can combine to perform an attack.

The third module is obfuscation segment “hide.c” and is compiled and executed manually to encode /decode the malware strings. A simple swap table is used to hide strings and “each char is replaced with a corresponding char in the table” according to researchers.

The last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers.

AT&T researcher’s further analysis revealed a new scanner function to hunt vulnerable IP addresses and an “adb\_infect” function that is used to attack Android devices.

ADB or Android Debug Bridge is a command-line tool that allows you to communicate with a device.

“In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command,” said the researcher.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,” the researchers added.

This Linux-based botnet EnemyBot was first discovered by Securonix in March 2022, and later in-depth analysis was done by Fortinet.

****Vulnerabilities Currently Exploited by EnemyBot****

The AT&T researchers release a list of vulnerabilities that are currently exploited by the Enemybot, some of them are not assigned a CVE yet.

The list includes Log4shell vulnerability (CVE-2021-44228, CVE-2021-45046), F5 BIG IP devices (CVE-2022-1388), and others. Some of the vulnerabilities were not assigned a CVE yet such as PHP Scriptcase and Adobe ColdFusion 11.

*   Log4shell vulnerability – CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices – CVE-2022-1388
*   Spring Cloud Gateway – CVE-2022-22947
*   TOTOLink A3000RU wireless router – CVE-2022-25075
*   Kramer VIAWare – CVE-2021-35064

“This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread,” the researcher explained.

****Recommended Actions** **

The Alien lab researcher suggests methods to protect from the exploitation. Users are advised to use a properly configured firewall and focus on reducing Linux server and IOT devices’ exposure to the internet.

Another action recommended is to monitor the network traffic, scan the outbound ports and look for the suspicious bandwidth usage. Software should be updated automatically and patched with the latest security update.

EnemyBot Malware Targets Web Servers, CMS Tools and Android OS

The malvertiser’s use of PowerShell could push it beyond its basic capabilities to spread ransomware, spyware or steal data from browser sessions, researchers warn.

The malvertiser’s use of PowerShell could push it beyond its basic capabilities to spread ransomware, spyware or steal data from browser sessions, researchers warn.

ChromeLoader may seem on the surface like a run-of-the-mill browser hijacker that merely redirects victims to advertisement websites. However, its use of PowerShell could pose a greater risk by leading to further and advanced malicious activity, such as the propagation of ransomware or spyware or theft of browser-session data.

Researchers are warning of the potential for ChromeLoader—which has seen a resurgence in activity recently—to pose a more sophisticated threat than typical malvertisers do, according to two separate blog posts by Malwarebytes Labs and Red Canary.

ChromeLoader is a pervasive and persistent browser hijacker that eventually manifests as a browser extension, modifying victims’ Chrome settings and redirecting user traffic to advertisement websites. On Windows machines, victims become infected with the malware through ISO files that poses as a cracked video game or pirated films or TV programs, researchers said.

 However, ChromeLoader is platform agnostic, which means users of macOS also are at risk from infection, according to a blog post from Malwarebytes Lead Malware Intelligence Analyst Christopher Boyd. However, instead of lurking in ISO files, attackers use DMG (Apple Disk Image) files, a more common macOS format, to hide ChromeLoader, he said.

While its core functionality is fairly benign, ChromeLoader has a unique feature in that it uses PowerShell to inject itself into the browser and add a malicious extension to it—”a technique we don’t see very often (and one that often goes undetected by other security tools),” warned Aedan Russell from Red Canary’s Detection Engineering team in a blog post.

“If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions,” he wrote.

****The Infection Process****

ChromeLoader lurks in bogus files that are promoted on Twitter and through other services, or found on rogue and torrent sites offering pirated video games and other media for free download, researchers said.

“Some social media posts promote supposedly cracked Android games via QR codes which direct would-be gamers to rogue websites,” Boyd explained.

Double clicking the ISO file mounts it as a virtual CD-ROM, with the ISO’s executable claiming to be the content that the victim originally was looking for, he wrote.

“Within this ISO is an executable used to install ChromeLoader, along with what appears to be a .NET wrapper for the Windows Task Scheduler,” according to Red Canary’s Russell. “This is how ChromeLoader maintains its persistence on the victim’s machine later in the intrusion chain.”

Once installed, ChromeLoader uses a PowerShell command to load in a Chrome extension from a remote resource. PowerShell then removes the scheduled task so the victim has no idea that their browser has been compromised, Boyd said.

“At this point, search results cannot be trusted and bogus entries will be displayed to the user,” he wrote.

ChromeLoader uses the same bait—pirated videos or cracked games—to lure macOS users, but the infection process is a bit different, Russell explained. On macOS machines, ChromeLoader uses aDMG file that contains an installer script that can drop payloads for either Chrome or Safari instead of a portable executable file.

“When executed by the end user, the installer script then initiates cURL to retrieve a ZIP file containing the malicious browser extension and unzips it within the private/var/tmp directory, finally executing Chrome with command-line options to load the malicious extension,” he wrote.

****Mitigation and Detection****

Researchers offered mitigation advice as well as both user- and administrator-level ways to detect if a system has been infected with ChromeLoader.

One obvious tip is to avoid downloading pirated software or videos, which Boyd warned “is a very risky business,” not to mention illegal.

“If you’re downloading a torrent, you may well be rolling dice with regard to the digital health of your devices,” he wrote.

Users also can click on the “More” icon, then “More Tools -> Extensions” from the drop-down list in Chrome to see everything that’s installed, active or disabled, along with additional information about all extensions present. From there is anything looks dodgy, Google offers steps to reset browser settings or clean things up, he said.

Red Canary offered more advanced detection tactics based on ChromeLoader’s use of PowerShell to find out if a browser has been infected.

One is to search for PowerShell containing a shortened version of the encodedCommand flag in its command line, which can find the execution of encoded PowerShell commands. Another is to looks for instances of the Chrome browser executable spawning from PowerShell with a corresponding command line that includes appdata\\local as a parameter.

In macOS, security administrators can search forsh or bash scripts running in macOS environments with command lines associated with the macOS variant of ChromeLoader, as well as the execution of encoded sh, bash, or zsh commands on macOS endpoints to know if a browser has been infected.

Tag

#android