ArcTitan

European & US Banks Under Attack from SharkBot Android Banking Trojan

SharkBot, a new Android banking Trojan, has been discovered in campaigns created to steal money from bank accounts and cryptocurrency services in locations including the United States, United Kingdom, and Italy, and targets 27 financial institutions – 22 banks and 5 cryptocurrency apps.

This new Android malware is different from other mobile banking Trojans due to its use of an Automatic Transfer System (ATS) tactic that enables the bypassing of multi-factor authentication measures and automates the stealing of money from victims’ accounts. This does not require any human input as SharkBot auto-completes fields required for completing financial transactions.

SharkBot can capture text messages, such as those sending financial institution multi-factor authentication codes, and can mask those SMS messages to make it seem as if they were never received. SharkBot can also conduct overlay attacks, where a benign-looking pop-up is shown over an application to fool a user into performing tasks, such as allocating access authorizations. SharkBot is also a keylogger that can capture sensitive details and exfiltrate them to the hacker’s command and control server, and it bypasses the Android doze component to ensure it stays connected to its C2 servers.

During the configuration process, the user is bombarded with popups to allocate the malicious app the permissions it requires, with those popups only ending when the user shares the required authorizations, such as enabling Accessibility Services. When the malicious app is downloaded, the app’s icon is not shown on the home screen. The malware abuses Accessibility Services to stop users from removing it via settings.

The ATS technique deployed by the malware allows it to redirect payments. When a user tries to complete a financial transaction, information is auto-filled to direct payments to a hacker-managed account, with the recipient being aware of it.

The malware was examined by experts at Cleafy, who identified no similarities with any other malware strains. Since the malware has been created from scratch, it currently has a low detection rate. The experts believe the malware is still in the initial stages of development, and new capabilities could well be added to make it even more dangerous.

One of the main issues for developers of malware attacking Android devices is how to get the malware downloaded on a device. Google carries out checks of all apps available before including them in the Google Play Store, so getting a malicious app on the Play Store is tricky. On occasions when they do make it to the store, Google is quick to identify and delete malicious apps.

SharkBot has been witnessed pretending to be a range of apps such as an HD media player, data recovery app, and live TV streaming app. It is delivered via sideloading on rooted devices and by using social engineering tactics on compromised or hacker-owned websites to trick victims into installing the fake app.

SharkBot avoids detection and analysis by using obfuscation to hide malicious commands, by downloading malicious modules once it has been installed, and by encrypting all communications between the malware and the C2 servers.

 

 

 

Scampage Tools & Brand Phishing Attacks Alert Warning Released

An official warning has been issued by the Federal Bureau of Investigation (FBI) in relation to a spike in well-known brands being used in spear phishing attacks, focused on tricking people into handing over sensitive data or downloading malware.

The campaigns work by leveraging the trust that recipients place in well-known brands in order to make them complete an action. Typically they include the actual logo of the targeted brand in the same format as real messages from the company. However, they will include links that take those who click on them to a malicious web portal. These web portals will attempt to steal sensitive data.

Hackers sell scampage tools on the dark web that will allow other hackers to operate successful phishing campaigns. The FBI has confirmed that the scampage tools in question have the ability to spot if a person uses their email address as their login ID for a web platform. If this is detected, the user is sent to a scam page with the same email domain. The user is then asked to share their login credentials, which the hacker can use to access the victim’s email. This in turn allows hackers to receive 2-factor authentication codes, thus rendering this security method useless. With 2FA codes, the cybercriminal can obtain access to accounts and make changes, including updating passwords to lock users out of their accounts or altering security rules before the owner of the account can be alerted.

The FBI release said: “Much like the threat with ransomware-as-a-service, this type of product-as-a-service distribution of scampage and credential harvesting tools presents an increased nationwide risk to private sector businesses and their consumers. Brand-phishing email campaigns and scampage tools that help bypass 2FA security measures represent another aspect to this emerging cyber threat.”

In order to prepare for an attack like this, companies must configure an advanced spam filtering solution to prevent phishing emails and stop them from landing in employee inboxes. Password policies should be set up that make strong passwords mandatory, and reviews should be carried out to police this and ensure that commonly used or weak passwords cannot be created on accounts. Employees should be warned to never use passwords on multiple accounts and to see to it that all company accounts have 100% unique passwords. Security awareness training should be conducted for all staff members to make them aware of email security best practices and how to spot phishing emails and other scams.

Due to the spike in the use of scampage campaigns, all staff members should create a unique username for an account that is not connected to their main email address. 2-factor authentication should be enabled if it is available, and where possible, a software-based authenticator program or a USB security key should be in place as the second factor. 

 

900% Growth in Ransomware Attacks During First Six Months of 2021

2021 has borne witness to a massive spike in the number of ransomware campaigns being initiated.

According to research data produced by CybSafe, there has been a 900% growth in this type of attack during the first half of 2021 when compared with the same time period from 2020. In tandem with this, there have also been significant increases in the cost of the cybersecurity required to keep organizations safe from this type of attack, and the cybercriminals have also been demanding larger ransoms be paid in order to release the locked data.

So far in 2021 there have been major ransomware attacks on many healthcare service providers, including the Health Service Executive, resulting in concerns related to the impact this might have on the provision of patient care. The attack in Ireland took place after one person replied to an email from the Conti ransomware group, allowing them to encrypt files. Recovery of the files took up to nine months; however, it is not believed that the $20m ransom demand was met.

There has been a measure of success in relation to holding ransomware groups to account for their crimes. The U.S. government has elevated this type of crime to the same status as that of terrorist attacks and dedicated more manpower to dealing with them. Some of the successes encountered so far include:

  • Taking down the REvil ransomware infrastructure
  • Dismantling the Darkside operation and BlackMatter
  • Arresting suspected members of the Clop ransomware group

Additionally, in Europe, authorities apprehended twelve people believed to be working on the LockerGoga, MegaCortex, and Dharma ransomware campaigns. These successes will have an impact in the short term, but it will not be long before some group, or new strain of ransomware, fills the vacuum that has been created. This is why steps are required in order to address the potential for organizations being infiltrated by the cybercriminals responsible.

Companies face a daunting challenge to protect themselves from attacks like this due to the wide variety of tactics that hackers can use. The starting point should be ensuring that phishing emails are being tackled head on, as they are the point of origin for the vast majority of ransomware attacks. These emails are used to deploy malware or steal the credentials needed to access corporate networks and databases.

A cybersecurity solution like SpamTitan will root out malicious messages and stop them from landing in the inboxes of unsuspecting staff members. While staff training can help, it will always need to be backed up with a technical solution like this. SpamTitan, for instance, completes an in-depth analysis of all email content and can spot malicious links and email attachments, which will be placed in a quarantine folder where they can be reviewed. This means security teams can see how these types of threats are aiming to take advantage of the organization. Additionally, it means that false positives can be identified so filtering rules can be amended appropriately. This solution uses dual antivirus engines, sandboxing that allows suspicious attachments to be analyzed to identify new malware strains, and machine learning technology to ensure that spam filtering learns more the longer that it is used.

In the background, a huge variety of reviews and controls see to it that malicious messages are removed. Managers can control this via a clean, easy-to-use interface that requires no technical skills to navigate and use. All information and controls are simple to learn and control.

Contact the TitanHQ team now to find out more about using this solution. TitanHQ solutions can be trialled for free.

 

Chromium-Based Web Browsers Vulnerable to Updated Magnitude Exploit Kit

After they were first created during 2006, exploit kits have evolved into the main weapon of choice for automated malware delivery.

These kits are composed of programs that can be installed on web portals in order to identify and take advantage of recognised vulnerabilities. This takes place when a visitor's browser loads the portal and triggers a scan by the exploit kit to identify specific software vulnerabilities that have yet to be addressed with an update or patch. Once one is found, the exploit kit will be able to install a malware payload without any further interaction from the visitor.

This method of attack was widely witnessed from 2010-2017, after which its use dropped somewhat. However, exploit kits are still very much an active threat when it comes to cybersecurity. Some of the best-known exploit kits are constantly refreshed to add new exploits for known vulnerabilities. In recent times these kits have been mainly deployed in order to install malware that can activate ransomware. Examples are the Fallout exploit kit, which was used to share Maze Locker ransomware, and the Magnitude EK, which was deployed to spread ransomware in the Asia Pacific region from 2013 onwards.

Typically, exploit kits are placed on authentic web portals that have been hacked, in addition to malicious hacker-owned websites laced with malware. Due to this, it can be the case that someone visits these web portals without realizing it.

One of the most popular kits currently is the Magnitude EK. Previously it was only deployed against Internet Explorer. Recently it has been discovered that the exploit kit has now been updated to target Chromium-based web browsers on Windows PCs.

Anti-virus expert group Avast has revealed that the Magnitude EK has recently added two new exploits. One aimed to take advantage of a vulnerability in Google Chrome – CVE-2021-21224 – and the other focused on the Windows kernel memory corruption vulnerability labelled CVE-2021-31956. A cybercriminal could obtain system privileges using the Google Chrome remote code execution vulnerability or the Windows bug that allows bypassing the Chrome sandbox.

Google and Microsoft have made patches available to mitigate these vulnerabilities. The onus is on users to run these updates. If not it will only be a matter of time before Magnitude EK takes advantage of the weaknesses to install malware. For businesses an additional layer of cybersecurity to prevent this type of attack would be using a web filter. These are similar to spam filters in that they stop malware delivery from malicious websites and are one of the strongest anti-phishing measures you can use.

WebTitan, one of the best web filters available, was created by TitanHQ to keep companies safe in the face of these cyberattacks and manage web access levels for office-based and remote workers – a key feature for tools designed to prevent browsers visiting malicious websites. This web filter solution is DNS-based and is very straightforward to configure, so much so that it is in operation on the databases of more than 12,000 companies and MSPs to complete tasks for content filtering, malware prevention and to provide an extra obstacle for phishers.

In order to enhance your cybersecurity protection measures with WebTitan and block malware contact the TitanHQ experts as soon as you can. There is also a 100% free 30-day trial for you to avail of so you can test the solution in your own environment.

 

Spam Emails Spreading Squirrelwaffle Malware Loader

 

Squirrelwaffle, a new strain of malware that is being distributed using spam email messages, has been discovered in the last six weeks.

The disabling of the Emotet botnet in January 2021 created a vacuum within the malware-as-a-service market, a gap that a number of malware strains have attempted to take advantage of. Squirrelwaffle boasts similar capabilities to the Emotet banking malware. Squirrelwaffle allows threat actors to gain a foothold in networks, which the operators of the malware can abuse. However, the access is being sold to other cybercriminals.

A review of this campaign has indicated that it is being leveraged to download Qakbot and Cobalt Strike. However, there is nothing to suggest that these are the only two malware strains that are being delivered by this malware. The Squirrelwaffle emails feature a hyperlink to a malicious website which is used to download a .zip file that includes either a .doc or .xls file. The Office files contain a malicious script that will install the Squirrelwaffle payload.

The Word documents use the DocuSign signing service as a lure to trick recipients into enabling macros, stating that the document was set up with an older version of Microsoft Office Word so the user must “enable editing” then click “enable content” to access the contents of the file. Doing so will run code that will install and execute a Visual Basic script, which downloads the Squirrelwaffle payload from one of 5 hardcoded URLs. Squirrelwaffle is sent as a DLL, which is executed once downloaded and then silently places Qakbot or Cobalt Strike on the device/network, which will allow constant access to compromised devices.
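The delivery chain described above (a downloaded .zip holding a .doc or .xls that carries a macro) can be triaged before anyone opens the file. The following Python sketch is an added example, not code from the original article or from any vendor named here; the function names, the size limit and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of legacy .doc/.xls (OLE2) files
# OLE directory entry names are UTF-16LE; a VBA project adds a "_VBA_PROJECT" entry.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
LEGACY_OFFICE_EXT = (".doc", ".xls")
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # assumed cap so a zip bomb is never inflated


def triage_zip(data):
    """Return one finding per .doc/.xls member of a zip archive given as bytes."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.lower().endswith(LEGACY_OFFICE_EXT):
                continue
            finding = {"member": info.filename, "ole": False, "macros": False, "note": ""}
            if info.flag_bits & 0x1:
                finding["note"] = "encrypted member, cannot inspect"
            elif info.file_size > MAX_MEMBER_BYTES:
                finding["note"] = "member too large, skipped"
            else:
                body = archive.read(info)
                finding["ole"] = body.startswith(OLE_MAGIC)
                # Heuristic only: misses Excel 4.0 macro sheets and non-VBA tricks.
                finding["macros"] = finding["ole"] and VBA_MARKER in body
            findings.append(finding)
    return findings


def build_sample_zip():
    """Constructed sample: fake OLE bodies, not real Office documents or malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.doc", OLE_MAGIC + b"\x00" * 64 + VBA_MARKER)
        z.writestr("report.xls", OLE_MAGIC + b"\x00" * 64)
        z.writestr("readme.txt", "plain text, ignored")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f)
```

A finding with `macros` set, or with an encrypted member that cannot be inspected, is a reason to quarantine the archive for sandbox analysis rather than a verdict on its own.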

As happened with the Emotet Trojan, Squirrelwaffle can take over message threads and insert malware. As replies to authentic messages are sent from a legitimate email account, a reply to the message is more likely. This attack method was very successful for the Emotet Trojan. In most cases, the attacks take place in English; however, security experts have discovered emails in different languages such as French, German, Dutch, and Polish.

Due to the similarities with Emotet, it is likely that those responsible for the deactivated botnet are trying to make a comeback. However, it is possible that this is an attempt by unrelated threat actors to fill the market vacuum that was created when Emotet was taken down. At present, the malware is not being distributed to the same extent that Emotet was but that may change in the near future. 

The best way to protect devices and servers from an attack like this is to configure email security measures to block the malspam at source and see to it that the malicious messages do not land in inboxes. It is important to implement a spam filtering solution that also scans outbound emails to identify compromised devices and stop attacks on other employees and business contacts from corporate email accounts.

Making Hotel Wi-Fi Safe & Easy to Use

 

Hotel guests tend to take Wi-Fi security as a given when they are staying overnight. However, if there is no secure connection in place, anyone using the network could be in danger of leaving themselves exposed to malware infection or another type of cyberattack. A cloud-based web content filtering solution mitigates the risk of a guest inadvertently downloading malware onto their own device and also protects guests from being exposed to inappropriate website content on other guests´ mobile devices.

It should not be taken for granted by guests that Wi-Fi is secure. Research will inform the speed and reliability of the network that each hotel is offering, and any checks should also determine if they offer a filtered Internet service. Every hotel offers some level of Wi-Fi, but a lot of these solutions are not completely secured Wi-Fi networks. Hotel Wi-Fi can be very susceptible to cyberattacks and malware installations. It is crucial that hotels put in place enterprise cloud-based web filtering and limit the websites that guests are allowed to access.

There are five steps that hotels should take to see to it that the Wi-Fi they are providing for their guests is fully secure.

  • Step 1: Configure cloud-based content filtering: This should be the foundation that hotel Wi-Fi is built upon. This can be implemented for a reasonable level of investment, and there are many different cloud-based web filtering solutions that will allow you to send all of your traffic through their filtering system. A solution such as WebTitan can prevent access to malware and credential phishing web portals. The majority of cloud-based filtering solutions incorporate a malware gateway that checks all web traffic for malicious code threats. Another advantage is that these solutions can be utilized to prevent access to certain website categories. This can be implemented using a simple web GUI interface using your web browser.
  • Step 2: Make Wi-Fi security stronger: The reputational damage that unsecured internet access can inflict is massive and can be tricky for businesses to come back from. A hotel or campsite will not be able to state that they are a family-friendly establishment if they permit pornography or illegal websites to be viewed using their Wi-Fi network. Corporate guests must be happy that they can safely access sensitive data. 
  • Step 3: Configure a cloud-based content filter: This will result in the provision of a secure Wi-Fi service that allows guests to browse safely online by forbidding inappropriate content from being loaded. It requires NO software installation and NO need for technical expertise to set up or manage customer accounts. You set up new accounts easily and manage any number of hotels.
  • Step 4: More Secure Wi-Fi is faster Wi-Fi: Cloud-based web filtering for malware and ads not only makes the hotel network safer, but it also boosts network speed by cutting the amount of data that is being shared.  With WebTitan Cloud for Wi-Fi, web access policy can be configured for each Wi-Fi access point. This can be a competitive advantage for hotels that are marketed to families. Parents can be happy that their children are using the web in a safe environment. Cloud-based web filtering allows hotels the chance to create tiered Wi-Fi services. 
  • Step 5: Guide your guests to use Wi-Fi: Ensure that your guests are aware of the correct name of your Wi-Fi network. Provide a secure login page for entering credentials: The “https://” prefix ensures the login page is encrypted to protect guests’ personal information. Hotels can exercise total control over Internet content by using WebTitan, a cloud-based web content filtering solution.

WebTitan is a cloud-based web filter solution with flexible controls that can be used by every kind of hotel. To discover more about the advantages of WebTitan Cloud-based filtering for Wi-Fi, call the TitanHQ team now.