CYBERSECURITY / DEFENSE / INTELLIGENCE

  • The database includes indicators of compromise (IOCs) and relationships between different artifacts observed within an analysis session. In October 2022, ANY.RUN launched TI Threat Intelligence Feeds to allow users to utilize this data. 

    Security experts assess threats using ANY.RUN, an interactive malware sandbox, and the data collected from these analyses is used to build a threat intelligence database. 

    TI Lookup’s introduction in February 2023 further improved this capability by enabling users to recognize threats even from lone indicators that other security solutions might not.

    You can learn here about how ANY.RUN built Threat Intelligence Lookup.

    ANY.RUN’s Approach to Indicator Analysis

    An interactive sandbox environment allows for deep analysis of malware behavior. Suspicious files are executed within the sandbox, mimicking real-world scenarios that enable malware observation throughout its stages, including fetching payloads, encrypting files, or stealing data.

    Analysts can even trigger the malware manually by simulating user actions such as entering passwords or solving CAPTCHAs. 

    The comprehensive analysis captures various indicators, including memory dumps, network traffic between the malware and its command-and-control server, and MITRE ATT&CK tactics. 

    Around 30 event-specific details are collected, encompassing file and registry information, command line activity, HTTP response content, and more, which provides a thorough understanding of the malware’s entire attack cycle.


    Integrate ANY.RUN in Your Company for Effective Malware Analysis

    Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

    • Real-time Detection
    • Interactive Malware Analysis
    • Easy to Learn by New Security Team members
    • Get detailed reports with maximum data
    • Set Up Virtual Machine in Linux & all Windows OS Versions
    • Interact with Malware Safely

    If you want to test all these features now with completely free access to the sandbox:

    Origins of ANY.RUN’s IOCs

    ANY.RUN utilizes a global community of analysts to gather indicators of compromise (IOCs) through public sandbox submissions.

    Daily, around 14,000 samples are uploaded, often stemming from suspicious activity detected by Security Information and Event Management (SIEM) logs or email investigations.

    Analysts configure a sandbox environment mimicking real-world conditions and run the sample; during the 1200-second interactive analysis, the sandbox captures process activity and network events and extracts IOCs like file hashes, domains, IP addresses, and URLs. 

    Comprehensive data collection from global submissions fuels ANY.RUN’s threat intelligence database, which currently stores 24TB of information on evolving malware threats.

    Boosting Security with ANY.RUN Threat Intelligence

    The solution offers a threat intelligence (TI) feed and a lookup portal, providing access to a constantly updated database of malware information that leverages data from over 1.5 million investigations by community and in-house analysts, allowing you to

    • Access the latest community-reported and analyst-discovered malware data.
    • Search across various aspects (fields) of 1.5 million investigations conducted in the past 6 months.
    • Analyze command lines, registry changes, memory dumps, encrypted and unencrypted network traffic, and more to identify risks.

    It offers threat intelligence in two formats:

    • Threat Intelligence Lookup – Search our portal for relevant events using 30 criteria. Use wildcards (*) to search for substrings broadly. With rapid search, you get results in 5 seconds. The matching IOCs and event fields include links to recorded sandbox research sessions.
    • Threat Intelligence Feeds – Receive STIX data from our Feeds directly in your TIP and SIEM systems, and configure firewalls against current threats. New IOCs and event fields arrive every two hours for context.

    TI Lookup examines a massive database of Indicators of Compromise (IOCs) and related events across numerous parameters. Wildcards allow broad or narrow searches, and results, including linked research sessions, are returned in seconds.

    SIEM systems can consume TI Feeds’ continuous threat data in STIX format; every two hours, new IOCs and event details are added for threat analysis.

    What is ANY.RUN?

    ANY.RUN is a cloud-based malware lab that does most of the work for security teams. 400,000 professionals use the ANY.RUN platform every day to investigate events and speed up threat research on Linux and Windows cloud VMs.

    Advantages of ANY.RUN 

    • Real-time Detection: ANY.RUN can find malware and instantly identify many malware families using YARA and Suricata rules within about 40 seconds of uploading a file.
    • Interactive Malware Analysis: ANY.RUN differs from many automated options because it lets you interact with the virtual machine from your browser. This live feature helps stop zero-day exploits and advanced malware that can get past signature-based protection.
    • Value for money: ANY.RUN’s cloud-based nature makes it a cost-effective option for businesses, since your DevOps team doesn’t have to do any setup or support work.
    • Best for onboarding new security team members: ANY.RUN’s easy-to-use interface allows even new SOC researchers to quickly learn to examine malware and identify indicators of compromise (IOCs).

    Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free

    The post How ANY.RUN Malware Sandbox Process IOCs for Threat Intelligence Lookup? appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • AhnLab security researchers detected a resurgence of CryptoWire, a ransomware strain originally prevalent in 2018, built with the AutoIt scripting language, which primarily spreads through phishing emails. 

    Unlike most ransomware, CryptoWire reportedly includes the decryption key within its code, although recovering encrypted files likely requires a complex process.

    Cryptowire GitHub
    Free Webinar: Mitigating Vulnerability & 0-day Threats

    Alert fatigue helps no one when security teams need to triage hundreds of vulnerabilities. The webinar covers:

    • The problem of vulnerability fatigue today
    • The difference between CVSS-based and risk-based vulnerability assessment
    • Evaluating vulnerabilities based on business impact/risk
    • Automation to reduce alert fatigue and significantly enhance security posture

    AcuRisQ, which helps you quantify risk accurately:

    Main Features:

    The ransomware installs itself in a common location (“C:\Program Files\Common Files”) to ensure persistence, schedules tasks to maintain its presence on the system, and then scans the local network and connected devices to encrypt files, potentially compromising the entire network.

    Registered task schedule

    Encrypted files are renamed with the “.encrypted” extension, and a log file named “domaincheck.txt” is saved on the desktop, possibly containing compromised system information.

    A partial source code related to the expansion of encryption

    According to ASEC, the malware emptied the recycle bin and deleted shadow copies to hinder data recovery. Finally, a ransom message is displayed, demanding payment for decryption.

    Ransomware can include the decryption key within itself or send it along with stolen system information to the attacker’s server.

    This method is uncommon, as most ransomware forces users through a complex decryption process to regain access to their files. 

    Preventing decryption

    To avoid infection, users should exercise caution when opening unknown files and utilize up-to-date anti-malware software to scan suspicious files. 

    The analyzed system had been infected with multiple threats: a Trojan downloader (Trojan/Win.Kryptik.C5576563) was detected on January 20th, 2024, which could have downloaded other malware.

    More recently, on February 20th, 2024, ransomware (Ransomware/Win.bcdedit.C5590639) was also found, which likely encrypts files and demands a ransom for decryption.

    Malware behavior consistent with ransomware execution (MDP.Ransom.M1171) was additionally detected. 

    An analysis of the Indicators of Compromise (IoCs) revealed two MD5 hashes (cd4a0b371cd7dc9dab6b442b0583550c and a410d4535409a379fbda5bb5c32f6c9c) that could be used to identify malicious files.

    A C2 server address (hxxp://194.156.98[.]51/bot/log.php) was also found; the malware likely contacts it to receive instructions or send stolen data. Immediate action is required to remove this malware and protect the system.

    Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

    The post CryptoWire Ransomware Attacking Abuses Schedule Task To maintain Persistence appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Tampa, FL – In a significant crackdown on cybercrime, Sandu Boris Diaconu, a 31-year-old Moldovan national, has been sentenced to 42 months in federal prison after pleading guilty to charges related to operating a network of illicit websites.

    U.S. Senior District Judge James Moody, Jr. handed down the sentence following Diaconu’s admission of guilt on December 1, 2023, for his involvement in a sophisticated digital fraud operation.

    The E-Root Marketplace, as the network was known, became infamous for selling compromised computer credentials, allowing buyers to gain unauthorized access to computers and servers worldwide, including systems owned by individuals and companies within the United States.

    The marketplace was designed to be a covert operation, employing a distributed network structure to conceal the identities of its administrators, buyers, and sellers.


    Diaconu’s role in the criminal enterprise included developing, publishing online, and collaborating with accomplices to manage the E-Root Marketplace.

    The platform facilitated the sale of access to compromised computers, effectively enabling a range of cybercrimes.

    The charges brought against Diaconu included conspiracy to commit access device and computer fraud and possession of 15 or more unauthorized access devices.

    His guilty plea and subsequent sentencing mark a victory for U.S. authorities in their ongoing efforts to combat international cybercrime.

    The case against Diaconu resulted from a concerted effort by law enforcement agencies to dismantle operations that threatened the digital security of individuals and businesses.

    The sentence serves as a reminder of the serious consequences facing those who engage in the illicit trade of stolen digital information and the commitment of the justice system to uphold cybersecurity.


    The post E-Root Admin Sentenced to 42 Months in Prison for Selling 350,000 Credentials appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • A new variant of the WhiteSnake Stealer has surfaced: a formidable malware that has been updated to be more elusive and efficient in its malicious endeavors.

    One of the key features of the updated WhiteSnake Stealer is its use of mutexes (mutual exclusions).

    Using a mutex is a common programming practice that prevents the same program from being launched multiple times; duplicate instances can cause system instability or make the malware more detectable.

    Performing mutex check

    Upon execution, the stealer checks for a specific mutex value predefined in its configuration file.

    If this mutex is already present on the system, indicating that an instance of the stealer is running, the newly executed stealer will terminate itself.

    This ensures that only one instance of the malware operates at a time, reducing the risk of detection and system resource exhaustion.

    Anti-VM Detection to Evade Analysis

    Another layer of stealth is the AntiVM feature.


    Security researchers often use virtual machines (VMs) to analyze malware behavior in a controlled environment.

    To combat this, WhiteSnake Stealer can be configured to detect the presence of VMs and terminate itself if one is found.

    Performing AntiVM check

    The stealer uses a WMI query to retrieve the computer system’s “Model” and “Manufacturer” properties.

    It then searches for strings that are typically associated with virtual environments, such as “VMware,” “virtual,” and “qemu.”

    If any of these strings are detected, the stealer will exit, thwarting any attempt to analyze or reverse-engineer its code.
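    The following is an added example, not code from SonicWall’s report or from the malware: a small Python triage routine a sandbox analyst could run over an API trace to flag the two behaviours just described, a named mutex followed by an immediate exit, and a WMI query for the computer system’s Model/Manufacturer that is answered with a hypervisor name and followed by an immediate exit. The trace format, the WMI::Result event and the mutex name are constructed for the example; only the Windows API names (CreateMutexW, OpenMutexW, ExitProcess, GetLastError, IWbemServices::ExecQuery) and the Win32_ComputerSystem WMI class are real.

```python
# Added example (not SonicWall's or WhiteSnake's code): heuristics run over a
# sandbox API trace to flag a mutex single-instance guard and WMI-based VM
# fingerprinting.  The trace format, the "WMI::Result" event and the mutex
# name are constructed for this example.
from dataclasses import dataclass

VM_MARKERS = ("vmware", "virtual", "qemu")   # strings the stealer is reported to look for
EXIT_WINDOW_MS = 500                          # "check, then quit" must happen within this window
QUIET_APIS = {"GetLastError", "WMI::Result", "ExitProcess"}   # events that are not "real work"


@dataclass
class Event:
    t_ms: int      # milliseconds since the traced process started
    pid: int
    api: str       # API or COM method name as the tracer records it
    detail: str    # argument or result string


def _exits_quietly_after(evs, i):
    """True if the process does nothing but exit within EXIT_WINDOW_MS of evs[i]."""
    tail = evs[i + 1:]
    return (bool(tail) and tail[-1].api == "ExitProcess"
            and tail[-1].t_ms - evs[i].t_ms <= EXIT_WINDOW_MS
            and all(e.api in QUIET_APIS for e in tail))


def detect_evasion(events):
    """Return [(pid, technique, evidence)] for each evasion pattern found."""
    findings = []
    per_pid = {}
    for e in events:
        per_pid.setdefault(e.pid, []).append(e)
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e.t_ms)
        for i, e in enumerate(evs):
            # 1. Single-instance guard: named mutex touched, then immediate exit.
            if e.api in ("CreateMutexW", "OpenMutexW") and _exits_quietly_after(evs, i):
                findings.append((pid, "mutex-single-instance-guard", e.detail))
            # 2. Hardware identity read over WMI, the answer names a hypervisor,
            #    and the process exits without doing anything else.
            if e.api == "IWbemServices::ExecQuery" and "win32_computersystem" in e.detail.lower():
                vm_answer = next((x.detail for x in evs[i + 1:] if x.api == "WMI::Result"
                                  and any(m in x.detail.lower() for m in VM_MARKERS)), None)
                if vm_answer and _exits_quietly_after(evs, i):
                    findings.append((pid, "anti-vm-fingerprint-exit", vm_answer))
    return findings


# Constructed trace: three processes, two of them showing the patterns above.
SAMPLE_TRACE = [
    # pid 4012: second copy launched while the first one holds the mutex
    Event(3, 4012, "CreateMutexW", "name=Global\\EXAMPLE-MUTEX-NAME"),   # placeholder name
    Event(4, 4012, "GetLastError", "ERROR_ALREADY_EXISTS"),
    Event(9, 4012, "ExitProcess", "code=0"),
    # pid 3344: first copy; fingerprints the hardware, sees a hypervisor, quits
    Event(12, 3344, "CreateMutexW", "name=Global\\EXAMPLE-MUTEX-NAME"),
    Event(40, 3344, "IWbemServices::ExecQuery", "SELECT Model,Manufacturer FROM Win32_ComputerSystem"),
    Event(55, 3344, "WMI::Result", "Manufacturer=VMware, Inc.;Model=VMware Virtual Platform"),
    Event(60, 3344, "ExitProcess", "code=0"),
    # pid 5120: benign inventory tool; same query, but it keeps working afterwards
    Event(5, 5120, "IWbemServices::ExecQuery", "SELECT Model,Manufacturer FROM Win32_ComputerSystem"),
    Event(20, 5120, "WMI::Result", "Manufacturer=VMware, Inc.;Model=VMware Virtual Platform"),
    Event(800, 5120, "CreateFileW", "C:\\Users\\user\\inventory.txt"),
    Event(9000, 5120, "ExitProcess", "code=0"),
]

if __name__ == "__main__":
    for pid, technique, evidence in detect_evasion(SAMPLE_TRACE):
        print(f"pid {pid}: {technique} <- {evidence}")
```

    The benign process in the sample trace issues the same WMI query but keeps working afterwards, which is why the heuristic keys on the immediate exit after the check rather than on the query alone; querying hardware identity is normal for inventory software.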

    According to the latest findings by SonicWall Capture Labs’ threat research team, WhiteSnake Stealer malware has emerged, showcasing less obfuscation and increased danger. 

    Advanced Data Exfiltration Capabilities

    Following the Anti-VM check, the malware proceeds to its primary function: data theft.

    The Create() function is called, leading to the ProcessCommands() function, designed to siphon sensitive data from various sources.

    The WhiteSnake Stealer targets a wide range of web browsers, including mainstream options like Google Chrome, Mozilla Firefox, and Microsoft Edge, as well as less common ones like Vivaldi and CocCoc Browser.

    It extracts cookies, autofill information, login credentials, browsing history, and more.

    In addition to web browser data, the stealer is programmed to target cryptocurrency wallets to capture the lucrative financial information associated with these assets.

     The table below shows the targeted cryptocurrency wallets and browser extensions.

    Cryptocurrency Wallets

    Cryptocurrency Wallet Name   Targeted Directory
    Ledger                       %AppData%\ledger live
    Atomic                       %AppData%\atomic\Local Storage\leveldb
    Wasabi                       %AppData%\WalletWasabi\Client\Wallets
    Binance                      %AppData%\Binance
    Guarda                       %AppData%\Guarda\Local Storage\leveldb
    Coinomi                      %LocalAppData%\Coinomi\Coinomi\wallets
    Bitcoin                      %AppData%\Bitcoin\wallets
    Electrum                     %AppData%\Electrum\wallets
    Electrum-LTC                 %AppData%\Electrum-LTC\wallets
    Zcash                        %AppData%\Zcash
    Exodus                       %AppData%\Exodus
    JaxxLiberty                  %AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
    JaxxClassic                  %AppData%\Jaxx\Local Storage\leveldb
    Monero                       %UserProfile%\Documents\Monero\wallets

    Targeted Cryptocurrency Wallets

    Beyond its sophisticated evasion techniques, WhiteSnake Stealer boasts a range of functionalities designed to harvest sensitive data from infected systems.

    While keylogging is disabled by default, attackers can activate this feature remotely and capture every keystroke of the victim.

    Moreover, the malware can hijack the victim’s microphone and webcam, turning personal devices into surveillance tools.

    Part of the code responsible for keylogging

    The new variant of WhiteSnake Stealer demonstrates the continuous innovation by cybercriminals to bypass security measures and remain undetected.

    The combination of mutexes and anti-VM techniques with its comprehensive data theft capabilities makes it a significant threat to users and organizations.

    As the cyber threat landscape evolves, it is crucial for cybersecurity professionals and end-users to stay informed about the latest malware trends and to implement robust security measures to protect sensitive information.


    The post WhiteSnake Stealer Checks for Mutex & VM Function Before Execution appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Large language models (LLMs) are vulnerable to attacks that leverage their inability to recognize prompts conveyed through ASCII art.

    ASCII art is a form of visual art created using characters from the ASCII (American Standard Code for Information Interchange) character set.

    Recently, the following researchers from their respective universities proposed a new jailbreak attack, ArtPrompt, that exploits LLMs’ poor performance in recognizing ASCII art to bypass safety measures and produce undesired behaviors:

    • Fengqing Jiang (University of Washington)
    • Zhangchen Xu (University of Washington)
    • Luyao Niu (University of Washington)
    • Zhen Xiang (UIUC)
    • Bhaskar Ramasubramanian (Western Washington University)
    • Bo Li (University of Chicago)
    • Radha Poovendran (University of Washington)

    ArtPrompt, requiring only black-box access, is shown to be effective against five state-of-the-art LLMs (GPT-3.5, GPT-4, Gemini, Claude, and Llama2), highlighting the need for better techniques to align LLMs with safety considerations beyond just relying on semantics.


    AI Assistants and ASCII Art

    The use of large language models (like Llama2, ChatGPT, and Gemini) is on the rise across many applications, which raises serious security concerns.

    There has been a great deal of work on ensuring the safety alignment of LLMs, but that effort has been focused entirely on the semantics of the training and instruction corpora.

    However, this disregards interpretations that go beyond semantics, such as ASCII art, where the arrangement of characters conveys the meaning rather than the characters themselves. Existing techniques leave these interpretations unaccounted for, and they can be used to misuse LLMs.

    ArtPrompt (Source – Arxiv)

    As large language models (LLMs) are integrated further into real-world applications, concerns about their misuse and safety have been raised.

    Multiple jailbreak attacks on LLMs have been created that take advantage of their weaknesses using methods like gradient-based input search and genetic algorithms, as well as by leveraging instruction-following behaviors.

    Modern LLMs cannot adequately recognize prompts encoded in ASCII art, which can represent diverse information, including richly formatted text.

    ArtPrompt is a novel jailbreak attack that exploits LLMs’ vulnerabilities in recognizing prompts encoded as ASCII art. It has two key insights:-

    • Substituting sensitive words with ASCII art can bypass safety measures.
    • ASCII art prompts make LLMs excessively focus on recognition, overlooking safety considerations. 

    ArtPrompt involves word masking, where sensitive words are identified, and cloaked prompt generation, where those words are replaced with ASCII art representations. 

    The cloaked prompt containing ASCII art is then sent to the victim LLM to provoke unintended behaviors.

    This attack leverages LLMs’ blindspots beyond just natural language semantics to compromise their safety alignments.

    The researchers found that relying solely on semantic interpretation for AI safety creates vulnerabilities.

    They made a benchmark, the Vision-in-Text Challenge (VITC), to test language models’ ability to recognize prompts needing more than just semantics. 

    Top language models struggled with this task, leading to exploitable weaknesses.

    Researchers designed ArtPrompt attacks to expose these flaws, bypassing three defenses on five language models.

    Experiments showed that ArtPrompt can trigger unsafe behaviors in ostensibly safe AI systems.


    The post Researchers Hack AI Assistants Using ASCII Art appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft has announced an important update for Windows users worldwide in a continuous effort to bolster security and performance.

    As part of its latest security enhancements, Microsoft is phasing out the support for 1024-bit RSA encryption keys within the Windows operating system.

    This move aims to encourage the adoption of more robust encryption standards and ensure that Windows users benefit from the highest levels of security.

    Understanding the Change

    RSA encryption keys are a fundamental component of digital security, used to secure communications and ensure the integrity of information.

    However, with advancements in computing power and cryptographic research, 1024-bit RSA keys have become increasingly vulnerable to sophisticated cyber-attacks.

    Recognizing this, Microsoft has decided to deprecate these keys in favor of more robust encryption methods.


    Impact on Windows Users

    The deprecation of 1024-bit RSA keys signifies a shift towards stronger, more secure encryption standards, such as 2048-bit RSA keys or even more advanced encryption technologies.

    Windows users, especially in enterprise environments, are advised to review their current security protocols and upgrade their encryption keys accordingly.

    This transition is crucial for maintaining the confidentiality and integrity of sensitive data.

    “This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows.” Microsoft said.
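    As an added example (not Microsoft’s code or tooling), the following Python script shows how a defender can check RSA public keys against the 2048-bit floor quoted above without any third-party library: a minimal DER reader walks a SubjectPublicKeyInfo and measures the modulus. The sample keys it checks are constructed (a modulus with the right bit length, not a product of primes) purely so the script runs offline; in practice you would feed it the PEM public key extracted from a server’s certificate.

```python
# Added example (not Microsoft's tooling): flag RSA public keys shorter than
# the 2048-bit floor Windows will require for TLS server authentication.
# Standard library only; the sample keys below are constructed, not real keys.
import base64
import textwrap

MIN_RSA_BITS = 2048                                   # floor quoted by Microsoft
RSA_OID = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption

# --- minimal DER encode/decode ---------------------------------------------

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value

def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                 # keep the INTEGER positive: pad with 0x00
        body = b"\x00" + body
    return _tlv(0x02, body)

def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# --- the check ---------------------------------------------------------------

def rsa_modulus_bits(spki_der: bytes) -> int:
    """Bit length of the modulus inside an rsaEncryption SubjectPublicKeyInfo."""
    _, spki, _ = _read_tlv(spki_der, 0)          # SEQUENCE { algorithm, subjectPublicKey }
    _, alg, pos = _read_tlv(spki, 0)             # AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)                # OBJECT IDENTIFIER
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)        # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("malformed SubjectPublicKeyInfo")
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)     # skip unused-bits octet; SEQUENCE { n, e }
    _, modulus, _ = _read_tlv(rsa_pub, 0)        # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_public_key_pem(pem: str) -> dict:
    """Apply the 2048-bit policy to a PEM 'PUBLIC KEY' block."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    bits = rsa_modulus_bits(base64.b64decode(body))
    return {"bits": bits, "compliant": bits >= MIN_RSA_BITS}

# --- constructed sample input (NOT real keys) --------------------------------

def sample_rsa_spki_pem(bits: int) -> str:
    """Build a syntactically valid SPKI whose modulus has exactly `bits` bits.
    The modulus is a constructed number, not a product of two primes."""
    n = (1 << (bits - 1)) | 1
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(65537))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00")          # rsaEncryption, NULL params
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(bits, check_public_key_pem(sample_rsa_spki_pem(bits)))
```

    Run as-is it reports the 1024-bit sample as non-compliant and the 2048- and 4096-bit samples as compliant. Since the quoted policy covers all RSA certificates used for server authentication, a real audit applies the check to every certificate in the chain, not only the leaf.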

    Timeline and Next Steps

    Microsoft has outlined a phased approach to this deprecation, allowing users and organizations ample time to adjust their security practices.

    Detailed timelines and guidelines will be provided through official Windows update channels and the Microsoft Security Response Center.

    Users are encouraged to stay informed about the latest updates and to begin planning for the necessary adjustments to their security setups.

    The deprecation of 1024-bit RSA keys in Windows marks a significant step forward in Microsoft’s commitment to cybersecurity.

    By advocating for more robust encryption standards, Microsoft aims to protect users from emerging threats and ensure a secure digital environment.

    Windows users are urged to update their encryption practices proactively, thereby contributing to a safer, more secure computing experience.


    The post Microsoft Deprecate 1024-bit RSA Encryption Keys in Windows appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • A new phishing campaign is targeting U.S. organizations with the intent to deploy a remote access trojan called NetSupport RAT. Israeli cybersecurity company Perception Point is tracking the activity under the moniker Operation PhantomBlu. “The PhantomBlu operation introduces a nuanced exploitation method, diverging from NetSupport RAT’s typical delivery mechanism by leveraging OLE (Object


  • A 31-year-old Moldovan national has been sentenced to 42 months in prison in the U.S. for operating an illicit marketplace called E-Root Marketplace that offered for sale hundreds of thousands of compromised credentials, the Department of Justice (DoJ) announced. Sandu Boris Diaconu was charged with conspiracy to commit access device and computer fraud and possession of 15 or more unauthorized


  • The ongoing “free wedding invite” scam is one of several innovative campaigns aimed at the senior population.

    Through social media chats like WhatsApp, fraudsters use deceptive tactics, most often involving fake wedding invitations.

    The campaign communicates with its victims over WhatsApp and tricks them into installing an APK that ultimately sends user data to a C2 server hosted on Telegram.

    “A malicious APK pretending to be a fake wedding invite is then shared with the victim. The victims, believing the APK to contain more details about the free wedding, install the malware and end up being exploited by having their SMS data being stolen”, F-Secure, a cyber security firm, shared with Cyber Security News.


    Free-Wedding Invite Scam Via WhatsApp

    The “wedding invite” scam, in which the victim receives a wedding invitation from an unidentified individual urging them to open the attached file to obtain further information about the wedding, was a scam that circulated throughout Malaysia. 

    Particularly, the “attached file” is actually an APK that infects the victim’s phone with malware.

    The malware is designed to steal various types of data from users’ phones, including device, build, and SMS information.

    Original WhatsApp messages received as per a Facebook post

    When researchers analyzed AndroidManifest.xml, they found risky permissions in use that enable sending and reading text messages.

    Furthermore, the app does not appear in the app launcher because the LAUNCHER category is missing from its activity. There were also two broadcast receivers registered for the same push notification.

    Observations in AndroidManifest.xml
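    Added example (not F-Secure’s code): a Python script that applies the manifest observations above to an AndroidManifest.xml, listing the SMS permissions requested, checking whether any activity carries the MAIN action together with the LAUNCHER category (so the app would show up in the launcher), and finding broadcast actions registered by more than one receiver. The manifest embedded below is constructed to mirror those observations; its package and class names are placeholders.

```python
# Added example (not F-Secure's code): static triage of an AndroidManifest.xml
# for the three traits described in the report.  The embedded manifest is
# constructed; package and class names are placeholders.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS                       # prefix for android: attributes in ElementTree
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.invite">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Wedding Invitation">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <!-- no android.intent.category.LAUNCHER: the app is hidden from the launcher -->
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiverA" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiverB" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Summarise SMS permissions, launcher visibility and duplicate receivers."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}

    # An app is visible in the launcher only if some activity has an intent
    # filter with both the MAIN action and the LAUNCHER category.
    visible = False
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {x.get(A + "name") for x in flt.iter("action")}
            cats = {x.get(A + "name") for x in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                visible = True

    # Map each broadcast action to the receivers registered for it.
    by_action = {}
    for rcv in root.iter("receiver"):
        for act in rcv.iter("action"):
            by_action.setdefault(act.get(A + "name"), []).append(rcv.get(A + "name"))

    sms = sorted(perms & SMS_PERMISSIONS)
    return {
        "sms_permissions": sms,
        "visible_in_launcher": visible,
        "duplicate_receivers": {k: v for k, v in by_action.items() if len(v) > 1},
        # SMS access from an app that hides itself is the combination worth escalating.
        "suspicious": bool(sms) and not visible,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

    The script parses a decoded (text) manifest; the binary AXML inside an APK must first be converted with a tool such as apktool or aapt, which is assumed here rather than shown.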

    “Once the app is installed on the phone, it stays hidden, as deduced from the MainActivity”, researchers said.

    “For spyware, the reason behind hiding is to avoid detection and carry on with its objective of stealing user data as long as possible”.

    As its C2 server, the malware makes use of a Telegram bot. Telegram bots are applications offered by the Telegram chat network.

    It is configured to deliver real-time information and automate user interactions.

    The application transfers stolen data to the Telegram bot, making it simple for a hacker to obtain information gathered on Telegram. 

    Collecting Device Information

    Following the exfiltration of this data to the Telegram bot, the malware opens a seemingly secure website, distracting and calming the victim into a false sense of security. 

    The Safe Website

    Although it seems to be a shopping website, its functionality is unrelated to the malware.

    On the compromised device, the malware intercepts incoming SMS messages.

    This may result in scammers gaining access to several kinds of sensitive data, such as personally identifiable information and one-time passwords, among others.

    Such information can be misused in many ways, such as selling credentials that have been stolen or taking over banking sessions.

    As a result, individuals should use caution when communicating digitally, especially with elders, as the scam threat landscape is always changing.

    Security companies must also be aware of it to safeguard their clients.


    The post Beware Of Free wedding Invite WhatsApp Scam That Steal Sensitive Data appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • The White House is pushing the Senate to pass a TikTok ban bill that swept through the House last week.
