More than 300,000 users across 71 countries have been victimized by a new Android threat campaign called the Schoolyard Bully Trojan.
Mainly designed to steal Facebook credentials, the malware is camouflaged as legitimate education-themed applications to lure unsuspecting users into downloading them.
The apps, which were available for download from the official Google Play Store, have now been

More than 300,000 users across 71 countries have been victimized by a new Android threat campaign called the **Schoolyard Bully Trojan**.

Mainly designed to steal Facebook credentials, the malware is camouflaged as legitimate education-themed applications to lure unsuspecting users into downloading them.

The apps, which were available for download from the official Google Play Store, have now been taken down. That said, they still continue to be available on third-party app stores.

"This trojan uses JavaScript injection to steal the Facebook credentials," Zimperium researchers Nipun Gupta and Aazim Bill SE Yaswant said in a report shared with The Hacker News.

It achieves this by launching Facebook's login page in a WebView, which also embeds within it malicious JavasCript code to exfiltrate the user's phone number, email address, and password to a configured command-and-control (C2) server.

The Schoolyard Bully Trojan further makes use of native libraries such as "libabc.so" so as to avoid detection by antivirus solutions.

While the malware singles out Vietnamese language applications, it has also been discovered in several other apps available in over 70 countries, underscoring the scale of the attacks.

The findings come more than a year after Zimperium unearthed similar activity aimed at compromising Facebook accounts through rogue Android apps as part of a campaign codenamed FlyTrap.

"Attackers can cause a lot of havoc by stealing Facebook passwords," Richard Melick, director of mobile threat intelligence at Zimperium, said. "If they can impersonate someone from their legitimate Facebook account, it becomes extremely easy to phish friends and other contacts into sending money or sensitive information."

"It's also very concerning how many people reuse the same passwords. If an attacker steals someone's Facebook password, there's a high probability that same email and password will work with banking or financial apps, corporate accounts and so much more."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Schoolyard Bully Trojan Apps Stole Facebook Credentials from Over 300,000 Android Users

An ongoing analysis into an up-and-coming cryptocurrency mining botnet known as KmsdBot has led to it being accidentally taken down.
KmsdBot, as christened by the Akamai Security Intelligence Response Team (SIRT), came to light mid-November 2022 for its ability to brute-force systems with weak SSH credentials.
The botnet strikes both Windows and Linux devices spanning a wide range of

An ongoing analysis into an up-and-coming cryptocurrency mining botnet known as **KmsdBot** has led to it being accidentally taken down.

KmsdBot, as christened by the Akamai Security Intelligence Response Team (SIRT), came to light mid-November 2022 for its ability to brute-force systems with weak SSH credentials.

The botnet strikes both Windows and Linux devices spanning a wide range of microarchitectures with the primary goal of deploying mining software and corralling the compromised hosts into a DDoS bot.

Some of the major targets included gaming firms, technology companies, and luxury car manufacturers.

Akamai researcher Larry W. Cashdollar, in a new update, explained how commands sent to the bot to understand its functionality in a controlled environment inadvertently neutralized the malware.

"Interestingly, after one single improperly formatted command, the bot stopped sending commands," Cashdollar said. "It's not every day you come across a botnet that the threat actors themselves crash their own handiwork."

This, in turn, was made possible due to the lack of an error-checking mechanism built into the source code to validate the received commands.

Specifically, an instruction issued without a space between the target website and the port caused the entire Go binary running on the infected machine to crash and stop interacting with its command-and-control server, effectively killing the botnet.

The fact that KmsdBot doesn't have a persistence mechanism also means that the malware operator will have to re-infect the machines again and re-build the infrastructure from scratch.

"This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue," Cashdollar concluded. "This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers 'Accidentally’ Crash KmsdBot Cryptocurrency Mining Botnet Network

Popular password management service LastPass said it's investigating a second security incident that involved attackers accessing some of its customer information.
"We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," LastPass CEO Karim Toubba said.
GoTo, formerly called LogMeIn, acquired LastPass

Popular password management service LastPass said it's investigating a second security incident that involved attackers accessing some of its customer information.

"We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," LastPass CEO Karim Toubba said.

GoTo, formerly called LogMeIn, acquired LastPass in October 2015. In December 2021, the Boston-based firm announced plans to spin off LastPass as an independent company.

The digital break-in resulted in the unauthorized third-party leveraging information obtained following a previous breach in August 2022 to access "certain elements of our customers' information."

The August 2022 security event targeted its development environment, leading to the theft of some of its source code and technical information. In September, LastPass revealed the threat actor had access for four days.

The scope of the breach remains unknown as yet, and it's not clear if both LastPass and GoTo customers are impacted. The user's passwords, however, weren't compromised.

The company said it has engaged the services of Google-owned Mandiant and alerted law enforcement of the latest development. It also stated it's also working to identify what specific data was accessed.

Additionally, it emphasized that it's continuing to deploy enhanced security measures and monitoring capabilities to help detect and prevent further threat actor activity.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

LastPass Suffers Another Security Breach; Exposed Some Customers Information

Popular password management service LastPass said it's investigating a second security incident that involved attackers accessing some of its customer information.

"We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," LastPass CEO Karim Toubba said.

GoTo, formerly called LogMeIn, acquired LastPass in October 2015. In December 2021, the Boston-based firm announced plans to spin off LastPass as an independent company.

The digital break-in resulted in the unauthorized third-party leveraging information obtained following a previous breach in August 2022 to access "certain elements of our customers' information."

The August 2022 security event targeted its development environment, leading to the theft of some of its source code and technical information. In September, LastPass revealed the threat actor had access for four days.

The scope of the breach remains unknown as yet, and it's not clear if both LastPass and GoTo customers are impacted. However, users' passwords weren't compromised.

The company said it has engaged the services of Google-owned Mandiant and alerted law enforcement of the latest development. It also stated it's working to identify what specific data was accessed.

Additionally, it emphasized that it's continuing to deploy enhanced security measures and monitoring capabilities to help detect and prevent further threat actor activity.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The North Korea-linked **ScarCruft** group has been attributed to a previously undocumented backdoor called **Dolphin** that the threat actor has used against targets located in its southern counterpart.

"The backdoor \[...\] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers," ESET researcher Filip Jurčacko said in a new report published today.

Dolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control.

The Slovak cybersecurity company said it found the implant deployed as a final-stage payload as part of a watering hole attack in early 2021 directed against a South Korean digital newspaper.

The campaign, first uncovered by Kaspersky and Volexity last year, entailed the weaponization of two Internet Explorer flaws (CVE-2020-1380 and CVE-2021-26411) to drop a backdoor named BLUELIGHT.

ScarCruft, also called APT37, InkySquid, Reaper, and Ricochet Chollima, is a geo-political motivated APT group that has a track record of attacking government entities, diplomats, and news organizations associated with North Korean affairs. It's been known to be active since at least 2012.

Earlier this April, cybersecurity firm Stairwell disclosed details of a spear-phishing attack targeting journalists covering the country with the ultimate goal of deploying a malware dubbed GOLDBACKDOOR that shares tactical overlaps with BLUELIGHT.

The latest findings from ESET shed light on a second, more sophisticated backdoor delivered to a small pool of victims via BLUELIGHT, indicative of a highly-targeted espionage operation.

This, in turn, is achieved by executing an installer shellcode that activates a loader comprising a Python and shellcode component, the latter of which runs another shellcode loader to drop the backdoor.

"While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims," Jurčacko explained.

What makes Dolphin a lot more potent than BLUELIGHT is its ability to search removable devices and connected smartphones, and exfiltrate files of interest, such as media, documents, emails, and certificates.

The backdoor, since its original discovery in April 2021, is said to have undergone three successive iterations that come with its own set of feature improvements and grant it more detection evasion capabilities.

"Dolphin is another addition to ScarCruft's extensive arsenal of backdoors abusing cloud storage services," Jurčacko said. "One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims' Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korea Hackers Using New "Dolphin" Backdoor to Spy on South Korean Targets

The North Korea-linked ScarCruft group has been attributed to a previously undocumented backdoor called Dolphin that the threat actor has used against targets located in its southern counterpart.
"The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing

The North Korea-linked **ScarCruft** group has been attributed to a previously undocumented backdoor called **Dolphin** that the threat actor has used against targets located in its southern counterpart.

"The backdoor \[...\] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers," ESET researcher Filip Jurčacko said in a new report published today.

Dolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control.

The Slovak cybersecurity company said it found the implant deployed as a final-stage payload as part of a watering hole attack in early 2021 directed against a South Korean digital newspaper.

The campaign, first uncovered by Kaspersky and Volexity last year, entailed the weaponization of two Internet Explorer flaws (CVE-2020-1380 and CVE-2021-26411) to drop a backdoor named BLUELIGHT.

ScarCruft, also called APT37, InkySquid, Reaper, and Ricochet Chollima, is a geo-political motivated APT group that has a track record of attacking government entities, diplomats, and news organizations associated with North Korean affairs. It's been known to be active since at least 2012.

Earlier this April, cybersecurity firm Stairwell disclosed details of a spear-phishing attack targeting journalists covering the country with the ultimate goal of deploying a malware dubbed GOLDBACKDOOR that shares overlaps with another ScarCruft backdoor named BLUELIGHT.

The latest findings from ESET shed light on a second, more sophisticated backdoor delivered to a small pool of victims via BLUELIGHT, indicative of a highly-targeted espionage operation.

This, in turn, is achieved by executing an installer shellcode that activates a loader comprising a Python and shellcode component, the latter of which runs another shellcode loader to drop the backdoor.

"While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims," Jurčacko explained.

What makes Dolphin a lot more potent than BLUELIGHT is its ability to search removable devices and exfiltrate files of interest, such as media, documents, emails, and certificates.

The backdoor, since its original discovery in April 2021, is said to have undergone three successive iterations that come with its own set of feature improvements and grant it more detection evasion capabilities.

"Dolphin is another addition to ScarCruft's extensive arsenal of backdoors abusing cloud storage services," Jurčacko said. "One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims' Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "unexpected behavior" in the npm command line interface (CLI) tool.
npm CLI's install and audit commands have built-in capabilities to check a package and all of its dependencies for known vulnerabilities, effectively acting as a warning mechanism for

New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "unexpected behavior" in the npm command line interface (CLI) tool.

npm CLI's install and audit commands have built-in capabilities to check a package and all of its dependencies for known vulnerabilities, effectively acting as a warning mechanism for developers by highlighting the flaws.

But as JFrog established, the security advisories are not displayed when the packages follow certain version formats, creating a scenario where critical flaws could be introduced into their systems either directly or via the package's dependencies.

Specifically, the problem arises only when the installed package version contains a hyphen (e.g., 1.2.3-a), which is included to denote a pre-release version of an npm module.

While the project maintainers treat the discrepancy between regular npm package versions and pre-release versions as an intended functionality, this also makes it ripe for abuse by attackers looking to poison the open source ecosystem.

"Threat actors could exploit this behavior by intentionally planting vulnerable or malicious code in their innocent-looking packages which will be included by other developers due to valuable functionality or as a mistake due to infection techniques such as typosquatting or dependency confusion," Or Peles said.

In other words, an adversary could publish a seemingly benign package that's in the pre-release version format, which could then be potentially picked up by other developers and not be alerted to the fact that the package is malicious despite evidence to the contrary.

The development once again reiterates how the software supply chain is built as a chain of trust between various parties, and how a compromise of one link can affect all downstream applications that consume the rogue third-party dependency.

To counter such threats, it's recommended that developers avoid installing npm packages with a pre-release version, unless the source is known to be completely reliable.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection

New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "unexpected behavior" in the npm command line interface (CLI) tool.

npm CLI's install and audit commands have built-in capabilities to check a package and all of its dependencies for known vulnerabilities, effectively acting as a warning mechanism for developers by highlighting the flaws.

But as JFrog established, the security advisories are not displayed when the packages follow certain version formats, creating a scenario where critical flaws could be introduced into their systems either directly or via the package's dependencies.

Specifically, the problem arises only when the installed package version contains a hyphen (e.g., 1.2.3-a), which is included to denote a pre-release version of an npm module.

While the project maintainers treat the discrepancy between regular npm package versions and pre-release versions as an intended functionality, this also makes it ripe for abuse by attackers looking to poison the open source ecosystem.

"Threat actors could exploit this behavior by intentionally planting vulnerable or malicious code in their innocent-looking packages which will be included by other developers due to valuable functionality or as a mistake due to infection techniques such as typosquatting or dependency confusion," Or Peles said.

In other words, an adversary could publish a seemingly benign package that's in the pre-release version format, which could then be potentially picked up by other developers and not be alerted to the fact that the package is malicious despite evidence to the contrary.

The development once again reiterates how the software supply chain is built as a chain of trust relationships between various parties, and how a compromise of one link can affect all downstream applications that consume the rogue third-party dependency.

To counter such threats, it's recommended that developers avoid installing npm packages with a pre-release version, unless the source is known to be completely reliable.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#The Hacker News