CYBERSECURITY / DEFENSE / INTELLIGENCE

  • The ongoing “free wedding invite” scam is one of several innovative campaigns aimed at the senior population.

    Through social media chats like WhatsApp, fraudsters use deceptive tactics, most often involving fake wedding invitations.

    It contacts its victims over WhatsApp and tricks them into installing an APK that sends user data to a C2 server hosted on Telegram.

    “A malicious APK pretending to be a fake wedding invite is then shared with the victim. The victims, believing the APK to contain more details about the free wedding, install the malware and end up being exploited by having their SMS data being stolen”, F-Secure, a cyber security firm, shared with Cyber Security News.


    Free-Wedding Invite Scam Via WhatsApp

    The “wedding invite” scam circulated throughout Malaysia: the victim receives a wedding invitation from an unidentified individual urging them to open the attached file to obtain further information about the wedding.

    The “attached file” is in fact an APK that infects the victim’s phone with malware.

    The malware is designed to steal various types of data from users’ phones, including device, build, and SMS information.

    Original WhatsApp messages received as per a Facebook post

    When researchers analyzed AndroidManifest.xml, they found risky permissions in use that enable sending and reading text messages.

    Furthermore, the app does not appear in the app launcher because its main activity lacks the launcher category. There were also two broadcast receivers registered for the same push notification.

    Observations in AndroidManifest.xml

    “Once the app is installed on the phone, it stays hidden, as deduced from the MainActivity”, researchers said.

    “For spyware, the reason behind hiding is to avoid detection and carry on with its objective of stealing user data as long as possible”.

    As its C2 server, the malware makes use of a Telegram bot. Telegram bots are applications offered by the Telegram chat network.

    It is configured to deliver real-time information and automate user interactions.

    The application transfers stolen data to the Telegram bot, making it simple for a hacker to obtain information gathered on Telegram. 

    Collecting Device Information

    After exfiltrating this data to the Telegram bot, the malware opens a seemingly safe website, distracting the victim and lulling them into a false sense of security.

    The Safe Website

    Although it seems to be a shopping website, its functionality is unrelated to the malware.

    On the compromised device, the malware intercepts incoming SMS messages.

    This may give scammers access to sensitive data such as personally identifiable information and one-time passwords, among others.

    Such information can be misused in many ways, such as selling credentials that have been stolen or taking over banking sessions.

    As a result, individuals should use caution when communicating digitally, especially with elders, as the scam threat landscape is always changing.

    Security companies must also stay informed about it to safeguard their clients.


    The post Beware Of Free wedding Invite WhatsApp Scam That Steal Sensitive Data appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • The White House is pushing the Senate to pass a TikTok ban bill that swept through the House last week.


  • New orbits could open “potential attack vectors” on US satellites, general says.


  • Thanks to AI, “They can have one person cranking out a lot of material.”


  • The amount the service requested may still be too low, based on observations of Ukraine, one expert said.


  • A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information. Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it’s likely associated with the North Korean state-sponsored group tracked as Kimsuky. “The malware payloads used in the DEEP#GOSU represent a


  • Cybercriminals have repurposed Scalable Vector Graphics (SVG) files to deliver malware, a technique that has evolved significantly with the advent of the AutoSmuggle tool.

    Introduced in May 2022, AutoSmuggle facilitates embedding malicious files within HTML or SVG content, making it easier for attackers to bypass security measures.

    Early and Notable Malware Deliveries via SVG

    The misuse of SVG files for malware distribution dates back to 2015, with ransomware being one of the first to be delivered through this vector.

    In January 2017, SVG files were used to download the Ursnif malware via URLs. A significant leap occurred in 2022 when SVGs delivered malware like QakBot through embedded .zip archives, showcasing a shift from external downloads to HTML smuggling techniques.

    Credits: CoFense

    AutoSmuggle’s Role in Malware Campaigns

    AutoSmuggle’s release on GitHub in 2022 marked a turning point. The tool embeds executable files or archives into SVG/HTML files, which are then decrypted and executed upon opening by the victim.

    This method cleverly evades Secure Email Gateways (SEGs) that would typically detect and quarantine direct email attachments.

    Two notable AutoSmuggle campaigns began in December 2023 and January 2024, delivering XWorm RAT and Agent Tesla Keylogger, respectively.

    Methods of Malware Delivery via SVG

    According to the CoFense report, SVG files can deliver malware in two primary ways:

    1. JavaScript Direct Download: The original SVG files contained embedded URLs that, when opened, triggered the download of a malicious payload. Later versions displayed an image to distract the victim while the download occurred.
    2. HTML Style Embedded Object: More recent SVG files contain the malicious payload within, eliminating the need for external resources. These files often rely on the victim’s curiosity to interact with the delivered file.
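    Both delivery styles leave static traces a mail gateway or sandbox can look for: script elements or foreignObject HTML inside the SVG, outbound hrefs, and long base64-looking runs that carry an embedded payload. The scanner below is an added example, not CoFense's or AutoSmuggle's code; its sample SVG is constructed, with a filler string in place of any real payload and a placeholder URL.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long base64-looking run

# Constructed sample: a decoy image fetched from a placeholder URL plus a script
# block holding a long base64-looking string (filler text, not a real payload).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image width="10" height="10" xlink:href="https://example.invalid/decoy.png"/>
  <script type="text/javascript">
    var blob = "%s";
  </script>
</svg>""" % ("QUJD" * 60)


def scan_svg(svg_text):
    """Return static indicators of script or HTML smuggling in an SVG document."""
    root = ET.fromstring(svg_text)
    scripts = list(root.iter(SVG_NS + "script"))
    foreign = list(root.iter(SVG_NS + "foreignObject"))
    # Any href pointing off the file is a candidate for the direct-download style.
    hrefs = [el.get("href") or el.get(XLINK_HREF) for el in root.iter()
             if el.get("href") or el.get(XLINK_HREF)]
    external = [h for h in hrefs if h.startswith(("http://", "https://"))]
    # A long base64-looking run is the signature of an embedded object.
    blob_lengths = [len(m.group(0)) for m in B64_BLOB.finditer(svg_text)]
    return {
        "script_elements": len(scripts),
        "foreign_objects": len(foreign),
        "external_refs": external,
        "largest_blob": max(blob_lengths, default=0),
        "suspicious": bool(scripts or foreign or blob_lengths),
    }


if __name__ == "__main__":
    print(scan_svg(SAMPLE_SVG))
```

    A plain drawing with only shapes and no script, foreignObject or blob comes back with `suspicious` set to False, so the check can gate attachments without blocking every SVG.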

    Campaign Analysis: Agent Tesla and XWorm RAT

    The Agent Tesla Keylogger campaign was characterized by emails with attached SVG files that led to an embedded .zip archive containing a JavaScript file, which then initiated a series of downloads culminating in the execution of the keylogger.

    Agent Tesla, Credits: CoFense

    The XWorm RAT campaign differed in its approach, with three distinct infection chains involving PDFs, embedded links, and direct SVG attachments, ultimately leading to the delivery of XWorm RAT via various scripting files.

    Divergence from AutoSmuggle in Campaigns

    Upon analysis, the SVG files used in these campaigns showed slight modifications from the standard AutoSmuggle-generated files.

    For instance, the Agent Tesla campaign SVGs included redirecting to a legitimate-looking Maersk webpage, enhancing the deception.

    The XWorm RAT campaign SVGs, on the other hand, displayed a blank page instead of an image, a less sophisticated approach compared to the Agent Tesla campaign.

    The use of SVG files in malware delivery, particularly with tools like AutoSmuggle, represents an evolving threat landscape where attackers continuously adapt to circumvent security defenses.

    Understanding these techniques is crucial for developing more effective countermeasures against such sophisticated cyber threats.


    The post Hackers Using Weaponized SVG Files in Cyber Attacks appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
