An Untrusted search path vulnerability in NetEase CloudMusic 2.10.4 for Windows allows local users to gain escalated privileges through the urlmon.dll file in the current working directory.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-47454: GitHub - xieqiang11/poc-3

An Untrusted search path vulnerability in Sohu Video Player 7.0.15.0 allows local users to gain escalated privileges through the version.dll file in the current working directory.

CVE-2023-47453: GitHub - xieqiang11/poc-2

An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msimg32.dll file in the current working directory.

CVE-2023-47452: GitHub - xieqiang11/poc-1

ChatGPT 4.0 can write basic working ransomware in minutes.

This morning I decided to write some ransomware, and I asked ChatGPT to help. Not because I wanted to turn to a life of crime, but because I wanted to see if anything had changed since March, when I last tried the same exact thing.

In short: ChatGPT has helped me, worryingly so. But more on that later.

Today is the first anniversary of the unveiling of OpenAI’s generative AI poster boy, ChatGPT. It’s also the first anniversary of the tsunami of bloviation that the chatbot’s unveiling created. For months following ChatGPT’s release, the cybersecurity press was drenched in speculation about how cybercrime was changed forever, even though it didn’t appear to have changed at all.

By March, I’d read more baseless assertions than I knew what to do with, so I decided to find out for myself if ChatGPT was any good at malware. I wanted to know if its safeguards would stop me from using it to write ransomware, and, if they didn’t, whether the ransomware it produced was any good.

Despite its insistence that “I cannot engage in activities that violate ethical or legal standards, including those related to cybercrime or ransomware,” the safeguards proved to be almost no barrier at all. I was able to fool it into helping me with little effort. However, the code it produced was terrible: It stopped randomly in a places that guaranteed it would never run, switched languages randomly, and quietly dropped older features while writing new ones.

I concluded that an unskilled programmer would be baffled, while a skilled one would have no use for it. The prospect of ChatGPT lowering the barrier to entry into this lucrative form of cybercrime just wasn’t worth worrying about.

As of this morning, I’ve changed my mind.

One of the novel things about ChatGPT is that you can iterate your way to a solution by having a back-and-forth discussion with it. In March I used this approach with ChatGPT 3.0 to build up a basic ransomware step-by-step. The approach was sound but the resulting code would have never worked. I decided to take the same approach again today, using the current version of ChatGPT, 4.0, to better understand what’s changed.

The TL;DR is that everything’s changed. The limitations that made GPT 3.0 a useless partner in cybercrime are gone. ChatGPT 4.0 will help you write ransomware and train you to debug it, without a hint of conscience.

This is a basic ransomware it wrote for me encrypting the contents of two directories and leaving ransom notes behind.

Ransomware written by ChatGPT 4.0 encrypts files in two directories and leaves a ransom note

This isn’t a fully featured ransomware but it has the basics. It encrypts files in whatever directory tree I choose, throws away the originals, hides the private key used for the encryption, stops running databases, and leaves ransom notes. The code used in the demonstration above was generated by ChatGPT in mere minutes, without objection, in response to basic one line descriptions of ransomware features, even though I’ve never written a single line of C code in my life.

For obvious reasons I won’t be providing a step-by-step recipe, but the process started by asking for a program that encrypts a single file.

ChatGPT 4.0 writes a C program to encrypt a single file

Then I modified it to encrypt a directory instead of a file. Subsequent functionality was layered on like this, with incremental modificaitons, to see if ChatGPT ever took a step that made it realise it was writing something malicious. It didn’t.

ChatGPT 4.0 modifies its program to encrypt a directory

ChatGPT seemed unable to determine that what we were doing was writing ransomware, so right at the end of the process I thought I would give it a massive clue and see if the penny finally dropped. The last thing I asked it to do was a signature move for ransomware and something no legitmiate program does. I instructed it to modify its code to “drop a text file in encrypted directories called ‘ransom note.txt’ which contains the words ‘all your files are belong to us’ and an ascii art skull.”

While there are still quesiton marks over its ability to draw skulls, there can be none about its willingness to drop ransom notes.

ChatGPT 4.0 writing code to drop ransom notes with ASCII art skuls

My attempts to turn the chatbot to the dark side eight months ago were thwarted by its inability to hold all the information it needed to, or to write long answers. I likened asking ChatGPT 3.0 to help with a complex problem to working with a teenager: It does half of what you ask and then gets bored and stares out the window.

I encountered no such problems today. The bored teenager is gone, replaced by a verbose and enthusiastic straight-A student. At the very beginning I asked it to write its answers in C, and it never wavered. If it ever provided partial answers it would explain it was doing so, and offer a subset of code that made sense, such as a complete function. If I didn’t want a partial answer I would tell it, and then ask it to write out the entire program, including all the modifications we’d discussed up to that point.

It is, frankly, astonishingly helpful and powerful, and the importance of this can’t be overstated.

ChatGPT 4.0 agreeing to write out a complete program instead of snippets (ChatGPT’s answer is truncated)

**Safeguards removed**

Although I was able to work around ChatGPT’s insistence it wouldn’t write ransomware in March, I was often met with other restrictions that attempted to stop me doing unsafe things.

The latest version of ChatGPT seems to be far more relaxed. For example, in March it initially refused when I asked it to modify my ransomware code to delete the original copies of files it was encrypting. It was “a sensitive operation that could lead to data loss,” it claimed, telling me “I cannot provide code that implements this behaviour.” There was a workaround (there always is) but at least it tried.

This time I was met with no such objection. “Sure,” said ChatGPT 4.0.

ChatGPT 4.0 showed no reluctance to delete files it was encrypting

A similar thing happened when I asked it to save the private encryption key to a remote server. This is an important feature for ransomware because the private key is ultimately what vicitms pay for, so it can’t be left on the victim’s machine.

ChatGPT 3.0 refused to move the key to a remote server, saying it “goes against security best practices.” I couldn’t persuade it and ended up having to fool it with a bait-and-switch approach of writing something I didn’t want and then having it rewrite that into what I did want.

ChatGPT 4.0 on the other hand, was content to do no more than warn me it was “very risky.”

ChatGPT 4.0 had no objection to saving the private encryption key to a remote server

**Programming tutor**

Much to my surprise, after telling ChatGPT what features I wanted in my ransomware I was left with something that looked very much like a complete computer program. To be sure though, I had to actually run it and encrypt some files. And that’s where ChatGPT did something I wasn’t expecting.

C code is compiled, which means that once it’s been written it has to has to be run through a computer program called a compiler, which transforms it into an executable file. Compilation is a complex and often fragile process that can break easily, for any number of reasons. As a result, troubleshooting problems during the compilation phase can be extremely frustrating and time consuming.

Typically, it involves a lot of Googling and sifting through accounts of similar failures on sites like Stack Overflow. Problems can be caused by any number of things, including the code itself, dependencies like code libraries, and the choice of compiler. And numerous different errors can often trigger the same failure in compilation, so troubleshooting is as much an art as it is a science.

Sure enough, I hit a variety of hurdles during compilation.

However, instead of turning to Google, I turned to ChatGPT. Every time I ran into an error I told it what had happened, and based on the bare minimum of information it provided an explanation for what was going on, and advice on how to fix it. When its solutions didn’t work first time, it revised its approach and found a different answer.

ChatGPT 4.0 makes its first attempt at troubleshooting a compilation problem

ChatGPT 4.0 makes its second attempt at troubleshooting a compilation problem

ScreChatGPT 4.0 makes its third attempt at troubleshooting a compilation problemenshot

In every case, ChatGPT solved the problem, and in doing so it enabled me, a non-C programmer to write and troubleshoot basic but functional ransomware written in C, in almost no time.

To me, this ability to troublshoot compilation problems with minimal information is even more impressive than its ability to write code (and its ability to write code is jaw-droppingly impressive). Not only did it condense what could have been days of thankless work into an hour or two, it was coaching me as it did. I didn’t just finish with a working ransomware executable, I finished as a better programmer than I was when I started.

**Should we be worried?**

In a word, yes. Eight months ago I concluded that “I don’t think we’re going to see ChatGPT-written ransomware any time soon.” I said that for two reasons: Because there are easier ways to get ransomware than by asking ChatGPT to write it, and because its code had so many holes and problems that only a skilled programmer would be able to deal with it.

ChatGPT has improved so much in eight months that only one of those things is still true. ChatGPT 4.0 is so good at writing and troubleshooting code it could reasonably be used by a non-programmer. And because it didn’t raise a single objection to any of the things I asked it to do, even when I asked it to write code to drop ransom notes, it’s as useful to an evil non-programmer as it is to a benign one.

And that means that it can lower the bar for entry into cybercrime.

That said, we need to get things in perspective. For the time being, ransomware written by humans remains the preeminent cybersecurity threat faced by businesses. It is proven and mature, and there is much more to the ransomware threat than just the malware. Attacks rely on infrastructure, tools, techniques and procedures, and an entire ecosystem of criminal organisations and relationships.

For now, ChatGPT is probably less useful to that group than it is to an absolute beginner. To my mind, the immediate danger of ChatGPT is not so much that it will create better malware (although it may in time) but that it will lower the bar to entry in cybercrime, allowing more people with fewer skills to create original malware, or skilled people to do it more quickly.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Will ChatGPT write ransomware? Yes. 

### Impact
xml files like ".project" are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review  a foreign repository or patch).

Vulnerablility was found by static code analysis (SonarLint).

Example `.project` file:
```
<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE price [
<!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]>
<projectDescription>
	<name>p</name>
	<comment>&xxe;</comment>
</projectDescription>
```

### Patches
Similar patches including junit test that shows the vulnerability have already applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). A solution to platform should be the same: just reject parsing any XML that contains any `DOCTYPE`.

### Workarounds
No known workaround. User can only avoid to get/open any foreign files with eclipse. Firewall rules against loss of data (but not against XML bomb).

### References
https://cwe.mitre.org/data/definitions/611.html
https://rules.sonarsource.com/java/RSPEC-2755
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 (Report for multiple projects affected)



**Package**

maven org.eclipse.core:org.eclipse.core.runtime (Maven)

maven org.eclipse.platform:org.eclipse.ant.core (Maven)

maven org.eclipse.platform:org.eclipse.ant.launching (Maven)

maven org.eclipse.platform:org.eclipse.ant.ui (Maven)

maven org.eclipse.platform:org.eclipse.compare.examples.xml (Maven)

maven org.eclipse.platform:org.eclipse.core.resources (Maven)

maven org.eclipse.platform:org.eclipse.core.variables (Maven)

maven org.eclipse.platform:org.eclipse.debug.core (Maven)

maven org.eclipse.platform:org.eclipse.debug.ui (Maven)

maven org.eclipse.platform:org.eclipse.help (Maven)

maven org.eclipse.platform:org.eclipse.help.base (Maven)

maven org.eclipse.platform:org.eclipse.help.ui (Maven)

maven org.eclipse.platform:org.eclipse.help.webapp (Maven)

maven org.eclipse.platform:org.eclipse.team.ui (Maven)

maven org.eclipse.platform:org.eclipse.tips.ide (Maven)

maven org.eclipse.platform:org.eclipse.ui.cheatsheets (Maven)

maven org.eclipse.platform:org.eclipse.ui.intro (Maven)

maven org.eclipse.platform:org.eclipse.ui.intro.universal (Maven)

maven org.eclipse.platform:org.eclipse.update.configurator (Maven)

GHSA-j24h-xcpc-9jw8: Eclipse IDE XXE in eclipse.platform

### Impact
@adobe/css-tools version 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.

### Patches
The issue has been resolved in 4.3.2.

### Workarounds
None

### References
N/A


**@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity**

Moderate severity GitHub Reviewed Published Nov 30, 2023 in adobe/css-tools • Updated Nov 30, 2023

GHSA-prr3-c3m5-p7q2: @adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity

Fake Facebook ads seem to be the flavor of the month for scammers.

Thursday, November 30, 2023 14:00

I know I’m a little late to the party to hit the prime SEO for Black Friday, Cyber Monday and holiday shopping. But if I know the readers of this newsletter, everyone is far from done with their holiday shopping already after a few days. 

I also know I’m far from the only person to warn consumers about scams during this season, so I’m trying to split the difference and highlight a few specific scams and spam campaigns that are already circulating in the wild, some of which popped up right on Black Friday, so you don’t get caught in the remaining days leading up to the winter holidays. 

Fake Facebook ads seem to be the flavor of the month for scammers. This is completely anecdotal, but my mom almost got “got” with a fake Facebook post in a group she belongs to claiming to have some great deals on Nintendo Switch games on Amazon that were not actually real (thankfully she hadn’t clicked the link before she asked me if “Mario Odyssey” was a good deal at $15).  

Still, several other reports have shown that scammers are using Facebook ads to advertise a deal for a $19 Stanley cup — these are the water bottles all the influencers are using nowadays and, even when they are on sale, don’t go for any less than about $35. In this case, it looks like the actors are just looking to take your money or credit card information with a fake ordering process and no plans to send you anything. 

Adversaries have also set up fake Facebook pages and web pages disguising themselves as the retailer Big Lots. These fake ads and posts offer vague deals and sales on various products but instead point to typo-squatted Big Lots websites (or URLs that vaguely seem like they could be connected to Big Lots).  

Scammers are also sending mass emails to subscribers of various streaming services like Amazon Prime, Paramount+ and Peacock claiming that their subscription has lapsed, but they can resubscribe for a deeply discounted price, or even free, as part of a Black Friday special.  

Amazon also issued a warning recently that attackers have been sending emails with malicious attachments asking for users' personal information in exchange for having their “accounts” unlocked. 

This is just a sampling of the likely hundreds of different scams and spam campaigns attackers are deploying right now, so in general, when shopping online, here are a few tips: 

*   Only download apps from trusted and official app stores like the Google Play store and iOS App Store. 
*   Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features. 
*   Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, lack of high-quality performance and a developer contact that uses a free email service (such as @gmail.com). 
*   Avoid clicking on unsolicited emails. Make sure you purposefully subscribed to any marketing emails you receive from retailers before opening it. 
*   Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalize on shoppers looking for deals. 
*   Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure. 
*   Use unique, complex passwords, per site. Attackers commonly reuse passwords to compromise multiple accounts with the same username. Use a password locker if you have a hard time creating and remembering secure passwords. 
*   Manually type in URLs to sites you want to visit rather than clicking on links. 
*   Use multi-factor authentication, such as Cisco Duo, to log into your email account to avoid unauthorized access. 

Next week, Talos will have a holiday special of our own! On Dec. 5, we’ll be launching our second-ever Year in Review report, complete with all new data and insights about the attacks and malware we’ve seen in 2023. Stay tuned to our social media channels or blog for that release.  

**The one big thing **

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code. 

**Why do I care? **

If infected, SugarGh0st serves as a fully functional backdoor for the adversary that can execute most remote-control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell. SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive, and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services. 

**So now what? **

Since this seems to be an offshoot of GhostRAT, we certainly can’t rule out any other variants that may be floating out there. Talos also has new ClamAV signatures, Snort rules and other Cisco Secure protection to specifically detect and stop SugarGh0st.  

**Top security headlines of the week **

**Cisco Talos and other teams across Cisco recently worked with multiple government partners to help protect the Ukrainian power grid and ensure it runs appropriately.** The effort, spearheaded by Talos’ Joe Marshall, involved creating bespoke hardware for Ukraine’s energy supplier, Ukrenergo, to operate in place of traditional GPS devices that the Ukrainian power grid relies on to keep running on time. GPS satellites and Ukrainian substations have constantly been the target of kinetic and cyber threats during Russia’s invasion of Ukraine. Officials from multiple U.S. government agencies assisted in the project.  The Pentagon set up flights to physically deliver the manipulated switches, the Department of Energy helped coordinate the equipment’s delivery, and, as Ukrenergo told CNN, the Department of Commerce was a part of critical meetings that first outlined this project. Taras Vasyliv, who oversees power dispatching for Ukrenergo, told CNN that the custom-built switches were the equivalent of a “flashlight” for a surgeon who is trying to operate in the dark. (CNN, Business Insider) 

**Leaked government documents show that some local, federal and state law enforcement officers have been able to view the phone records of millions of Americans,** even those who have not been accused or suspected of a crime. The little-known Pentagon program was partially uncovered because of a letter sent from U.S. Sen. Ron Wyden of Oregon to U.S. Attorney General Merrick Garland, in Wyden’s office requested more information on the project and encouraged the federal government to publicly disclose this knowledge. The letter states the White House pays wireless company AT&T to give all federal, state, local, and Tribal law enforcement agencies “the ability to request often-warrantless searches.” Known as the “Hemisphere Project,” this program has apparently been around since 2007 and reported on by the New York Times in 2013 but has largely gone unnoticed since. Wyden is attempting to challenge the legality of the Hemisphere Project. (Wired) 

**Security researchers have found a way to bypass the Microsoft Hello login authentication system** used in many fingerprint readers and face ID scanners on devices from Dell, Lenovo and Microsoft. Researchers hired by Microsoft to test the security of the readers have since informed the company of these vulnerabilities. The attack the researchers outlined could provide access to a stolen laptop or carry out what's called an “evil maid” attack on an unattended device. Microsoft introduced Hello with its Windows 10 operating system, and since then has included fingerprint scanners on all its devices (though in some cases, Microsoft’s own hardware like the Surface tablet did not use Hello). Though the manufacturers are now aware of these vulnerabilities, the variety of attacks means it can be difficult to patch for these issues. However, all the attacks ultimately required physical access to a device. (Ars Technica, The Verge) 

**Can’t get enough Talos? **

*   Tech giant Cisco built special device to help Kyiv ward off cyberattacks on power grid 
*   Cisco whips up modded switch to secure Ukraine grid against Russian cyberattacks 
*   Talos Takes Ep. #163: Why has the Phobos ransomware been working for so long? 
*   The Need to Know: What is threat hunting? 
*   Vulnerability Roundup: Vulnerabilities in Adobe Acrobat, Microsoft Excel could lead to arbitrary code execution 

**Upcoming events where you can find Talos **

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

Virtual (Please note: This presentation will only be given in German) 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**What Threats Kept Us Up in 2023: A Year in Review and a Look Ahead** **(Dec. 13, 11 a.m. PT)** 

Virtual 

> _Each year brings new threats that take advantage of increasingly complex security environments. Whether it’s Volt Typhoon targeting critical infrastructure organizations across the United States or ALPHV launching an attack against casino giant MGM, threat actors are becoming bolder and more evasive. That’s why it’s never been more important to leverage broad telemetry sources, deep network insights and threat intelligence to respond effectively and recover faster from sophisticated attacks. Join Amy Henderson, Director of Strategic Planning and Communications at Cisco Talos and Briana Farro, Director of XDR Product Management at Cisco, as they discuss some of the top threat trends and threats we have seen this past year and how to leverage security technology like XDR and network insights to fight against them._ 

**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** **(Jan. 11, 2024, 10 a.m. GMT)** 

Virtual 

> _The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** streamer.exe   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** Hacktool:PUP.26ld.in14.Talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

$19 Stanely cups, fake Amazon Prime memberships all part of holiday shopping scams circulating

By Waqas
Thus far, the FjordPhantom malware has defrauded victims of around $280,000 (£225,000).
This is a post from HackRead.com Read the original post: Android Banking Malware FjordPhantom Steals Funds Via Virtualization

Currently, the FjordPhantom malware appears to be active in Southeast Asia, covering countries including Malaysia, Thailand, Indonesia, Singapore, and Vietnam.

Cybersecurity firm Promon has identified a novel Android malware named FjordPhantom that employs virtualization to target applications. This technique has not been observed in any malware previously. FjordPhantom propagates through messaging services and combines app-based malware with social engineering to deceive banking customers.

Promon indicated in its report published on November 30, 2023, that only one sample of FjordPhantom has been obtained. However, researchers suspect that the malware is operational in Southeast Asia, encompassing countries such as Malaysia, Thailand, Indonesia, Singapore, and Vietnam.

“In discussions with banks in the region, Promon has learned that one customer was defrauded out of 10 million Thai Baht (approximately $280,000 – £225,000) at the time of writing,” noted the report author Benjamin Adolphi and shared with Hackread.com ahead of publication on Thursday.

Further probing revealed that the malware is distributed through emails, SMS messages, and messaging apps. Users are tricked into downloading a bogus banking app, which contains FjordPhantom.

When this app gets installed, the attackers, posing as customer service representatives, guide the users about the steps to run the app. The malware uses virtualization to create a virtual container to run this app and attackers can monitor the user’s actions and steal their credentials.

The malware integrates various open-source/free projects from GitHub, incorporating a virtualization solution and a hooking framework. FjordPhantom utilizes virtualization solutions to circumvent the Android sandbox, enabling different apps to operate within the same sandbox.

This facilitates attackers in gaining access to files and memory, conducting debugging, and injecting code into other apps. The approach involves virtualization solutions loading their own code into a new process before loading the hosted app’s code. Consequently, the malware can evade traditional code injection detection methods, as it doesn’t modify the original application.

The malware leverages the hooking framework to evade SafetyNet rooting detection, screenreader detection, and dismiss dialog boxes warning the user of ongoing malicious activity on the system. Additionally, the malware logs various actions performed by the targeted applications, signifying active development and suggesting potential targeting of other apps in the future.

Screenshot credit: Promon

Researchers believe that FjordPhantom is a sophisticated Android malware used to commit real-world fraud. Here are 5 tips for Android users to protect themselves from malware, especially banking trojan:

1.  **Download apps only from trusted sources:** The safest way to get apps for your Android device is to download them from the official Google Play Store. Apps in the Play Store have been reviewed by Google and are less likely to be malicious. If you need to download an app from a third-party source, make sure to do your research and only download apps from reputable websites.
2.  **Be careful about the permissions you give apps:** When you install an app, it will ask you for permission to access certain data or features on your device. Only give apps the permissions they need to function. For example, if you’re installing a banking app, it will need permission to access your contacts and call history. However, there’s no reason for it to need permission to access your photos or location.
3.  **Keep your device up to date:** Google regularly releases updates for Android that fix security vulnerabilities. Make sure to install these updates as soon as they become available. You can enable automatic updates in your device’s settings.
4.  **Install a mobile security app:** A mobile security app can help to protect your device from malware by scanning apps and files for threats. It can also block malicious websites and phishing attempts. There are many different mobile security apps available, so do some research to find one that’s right for you.
5.  **Be cautious about what you click on:** Be careful about clicking on links in emails or text messages, even if they appear to be from someone you know. These links could take you to malicious websites that could install malware on your device.

****_RELATED ARTICLES_****

1.  **IBM X-Force Discovers Gootloader Malware Variant- GootBot**
2.  **Qakbot Botnet Disrupted, Infected 700,000 Computers Globally**
3.  **Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users**
4.  **Proton CAPTCHA: New Privacy-First CAPTCHA Defense Against Bots**
5.  **Google Workspace Exposed to Takeover from Domain-Wide Delegation Flaw**

Android Banking Malware FjordPhantom Steals Funds Via Virtualization

Tyler Technologies Court Case Management Plus allows a remote attacker to authenticate as any user by manipulating at least the 'CmWebSearchPfp/Login.aspx?xyzldk=' and 
'payforprint_CM/Redirector.ashx?userid=' parameters. The vulnerable "pay for print" feature was removed on or around 2023-11-01.

**Integrated Software for Courts & Justice Agencies**

Regardless of size or location, courts and justice agencies have one thing in common — the need to improve access to justice for citizens, to empower legal professionals, and to enable collaboration across justice agencies.

Tyler's courts and justice software solutions help agencies share data among all of the offices in the justice system — Connecting courts, prosecutors, and public defenders, as well as jails, auditors, inspectors general, police departments, and supervision offices. This integration saves time and creates operational efficiencies, eliminating redundancies, minimizing errors, and helping you to be more responsive to your citizens.

**Civil Process**

Meet your jurisdiction's unique civil process office, field and financial requirements. Tyler's flexible configuration make operations more efficient from business processes to state reporting requirements.

Explore Civil Process

**Court Case Management - County & State**

Tyler's cutting-edge court case management systems streamline processes and eliminate mountains of paper handling. We have a track record of success across thousands of courts, from the smallest municipal court to the largest statewide systems.

Explore Enterprise Justice

**Court Case Management - Municipal**

Managing court calendars, processing defendant notices, and responding to crowded courtrooms, Tyler understands the challenges high-volume municipal, mayor, traffic and justice courts face. Municipal courts have a unique pace and rhythm, and a set of requirements that are different from those of counties, districts and states. Our Municipal Justice solution meets that pace and exceeds our clients’ expectations.

Explore Municipal Justice

**Dispute Resolution**

Expanding access to justice and allowing citizens to resolve their own disputes online, anywhere, anytime – with proven technology using Online Dispute Resolution.

Explore Online Dispute Resolution

**Electronic Filing**

More than 850,000 users file over 28 million documents annually on our platforms with 99.999% uptime. In addition to an outstanding platform with outstanding support we also provide online tools to guide self-represented litigants through the process of filing online.

Explore eFile & Serve

**Investigations & Audits**

Successful investigations and audits rely on the quality and completeness of the data collected and examined. Our solutions allow investigators to track, share, use, and analyze data in order to resolve cases efficiently.

Explore Investigations & Audits

**Jury Management**

Jury duty may be the only interaction most of your constituents have with the court. Our jury solutions provide an easy experience for citizens to navigate and answer any questions they have.

Explore Jury Management

**Justice Insights**

Tyler’s Justice Insights can provide a broader view of performance while also measuring efficiencies and outcomes across multiple departments or jurisdictions. When strategically implemented, these solutions can give you an instant view of your entire justice system so you can make more informed decisions about resources, policies, and more.

Explore Justice Insights

**Prosecution & Attorneys**

For Prosecutors, Public Defenders, or Trial Lawyers more than anyone else in the justice system, data is key, and we make it easy to track and manage the critical information you need, leveraging electronic case files, effectively managing caseloads, and easily tracking data. Additionally, re:Search® changes the way legal professionals, the courts and court staff, as well as the media and the public, search for court case data.

Explore Enterprise Attorney Manager

**Supervision**

Simplify and streamline adult and juvenile probation functions and pretrial services with Tyler’s Enterprise Supervision solution. Ease your workload with a comprehensive tool to handle multiple supervisory management functions while integrating seamlessly with the full array of Enterprise Justice solutions.

Explore Enterprise Supervision

**Virtual Court**

More than just a secure video stream, Virtual Court directly integrates with the case management system to create a seamless workflow during remote court hearings. It was developed through collaboration with courts of varying sizes from across the country to ensure it provides reliability and security required by the justice system.

Explore Virtual Court

Explore Other Courts & Public Safety Offerings

Courts and public safety agencies of all sizes and locations have one thing in common: the need to improve collaboration, to share information among agencies and all offices in the justice system, and to provide powerful tools to legal professionals for day-to-day operations.

Tyler’s courts and public safety solutions help to break down barriers and share information more easily and more securely across all public safety and justice agencies.

Explore Courts & Public Safety

**Painting the vision of **fully connected communities**.**

At Tyler, we imagine a world where all city, county, and regional government services are connected within a healthy digital infrastructure. Connecting data, processes, and people makes communities safer, smarter, and more responsive to the needs of residents.

More About Connected Communities

CVE-2023-6342: Courts & Justice | Courts & Public Safety

The prolific threat actor has laundered hundreds of millions of dollars in stolen virtual currency through the service.

Source: Yogesh More via Alamy Stock Photo

In its continued efforts to crack down on North Korea's most formidable state-sponsored threat group, the US government has seized a virtual currency mixer that has been serving as the principal way the group launders money stolen from its cybercriminal activity.

The US Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Sinbad.io, or just Sinbad, a crypto-mixing service that the feds said has processed millions of dollars worth of virtual currency from crypto heists by the Lazarus Group, according to a press release from OFAC.

As a result of the action, all Sinbad property and interests in property in the US or controlled by anyone in the US must be blocked and reported to OFAC, and people in the US are prohibited from having any involvement with the service. Further, anyone who engages in transactions with the service also may be exposed to sanctions.  

Crypto mixing — a technique that uses pools of cryptocurrency to complicate the tracking of electronic transactions — is a popular service tapped by cybercriminals to obscure their illegal transactions. In the case of Lazarus, the group used Sinbad to launder crypto from various malicious incidents, including the Horizon Bridge and Axie Infinity heist, the government said.

The prolific threat actor is well known for conducting cyberattacks on behalf of the regime of North Korea's leader, Kim Jong Un, engaging in widespread crypto theft through various cyberattacks — including targeting crypto engineers or using compromised systems to mine crypto — to fund government activities, among other endeavors. The US government officially sanctioned Lazarus in 2019, effectively making it a crime to do any kind of business with the group or its associates.

**Crackdown on Crypto Mixing**

Other cybercriminal groups also use Sinbad to keep various illegal financial activities such as drug trafficking, buying child pornography, and other Dark Web transactions away from the prying eyes of law enforcement. However, global authorities have caught on to the use of crypto mixers and are now starting to monitor and block the activity.

In March, an international law enforcement effort led by the US Department of Justice (DoJ) led to the shuttering another known crypto-mixing service, ChipMixer. Then in May and earlier this month, respectively, the feds also seized one crypto mixer, Blender.io (Blender), and redesignated another, Tornado Cash — both known to be used by Lazarus, they said.

OFAC in April also sanctioned two over-the-counter virtual currency traders who facilitated the conversion of stolen virtual currency to fiat currency for North Korean actors associated with Lazarus.

“While we encourage responsible innovation in the digital asset ecosystem, we will not hesitate to take action against illicit actors," said Deputy Secretary of the Treasury Wally Adeyemo, in a statement. "Mixing services that enable criminal actors, such as the Lazarus Group, to launder stolen assets will face serious consequences.”

**Crypto Mixer of Choice**

All told, Lazarus, which has been active for more than 10 years, is believed to have stolen more than $2 billion worth of digital assets across multiple cryptocurrency heists, according to the US government.

Sinbad, which operates on the Bitcoin blockchain, has been one of the primary facilitators of the trafficking of these funds as the group's preferred mixing service. The service, which some security experts believe is the successor to Blender, aids cybercriminal transactions by obfuscating their origin, destination, and counterparties, so they are difficult to track.

Some of the larger sums that Lazarus has laundered through the crypto mixer include "a significant portion" of the following crypto heists: $100 million stolen in June from customers of Atomic Wallet; $620 million stolen from Axie Infinity in March 2022; and $100 million nabbed from Horizon Bridge in June 2022. 

Despite being sanctioned and constantly monitored by security researchers and global authorities alike, Lazarus remains undaunted and shows little sign of slowing down. Some of the group's most recent activity includes posing as Meta to deploy a complex backdoor at an aerospace organization, and aiming to lure crypto pros with fake job postings — the latter a common tactic of the group.

There are signs that the mounting pressure on the group has affected them, though. Lazarus recently aligned with other North Korean state-sponsored threat actors to make them collectively harder to track. However, this collaboration also sets the stage for more aggressive and complex cyberattacks that will demand strategic defense and response on the part of targets.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#git