A sophisticated malware called Winos4.0 is being disguised as harmless gaming applications to infiltrate Windows-based systems. Learn about…

A sophisticated malware called Winos4.0 is being disguised as harmless gaming applications to infiltrate Windows-based systems. Learn about the multi-stage attack, data theft risks, and how to protect yourself from this emerging threat.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have identified a new malicious campaign leveraging game-related applications to target Microsoft Windows users and deliver Winos4.0, a new and advanced malware framework similar to Cobalt Strike and Sliver.

Once downloaded and executed, these apps act as Trojan horses, downloading and installing the Winos4.0 framework.

The company’s findings shared with Hackread.com ahead of publishing on Wednesday, Nov 6, identified multiple samples of this malware hidden within gaming-related applications, including installation tools, speed boosters, and optimization utilities. By analyzing the decoded DLL file, they learned about the potential targeting of the education sector, as indicated by its file description, “校园政务” (Campus Administration).

Winos4.0 framework offers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints. It is rebuilt from Gh0stRat, a powerful remote access trojan created by the Chinese hacking group C. Rufus Security Team in 2008. Moreover, it includes several modular components, each handling distinct functions. Given its capabilities, Winos4.0 has already been deployed in multiple attack campaigns like Silver Fox.

This multi-stage attack starts with retrieving a fake BMP file from a remote server, which is then XOR-decoded, extracting a DLL file named “you.dll”. This file is loaded through its export function “you” to proceed to the next stage.

“You.dll” downloads three files from a remote path after creating a folder with a random name, extracts one to reveal clean files (u72kOdQ.exe, MSVCP140.dll, and VCRUNTIME140.dll), and another to reveal the main malicious file, “libcef.dll”. The extracted files then load “libcef.dll” to inject shellcode and decode another file using an XOR key.

The injected shellcode loads APIs and retrieves configuration data to establish a connection using TCP protocol, sending a string to the C2 server, which responds with encrypted data. The data is decrypted using XOR, and a module is executed. The module (上线模块.dll) downloads data from the C2 server and records its address in the registry, setting the stage for the attack’s final phase. 

The last stage launches the 登录模块.dll file, which performs tasks like enabling crash restart, recording clipboard content, checking window title bar for specific applications, collecting system information, checking for crypto wallet extensions, checking for anti-virus appliances, sending login messages, and maintaining connection to its C2server with heartbeats.

Attack flow and some of the malicious gaming apps involved in the campaign (Via FortiGuard Labs)

The capabilities of Winos4.0 show that it is a powerful framework that can be used to easily control compromised systems. Researchers recommend that users should be aware of the source of any new application and only download software from qualified sources.

Therefore, refrain from downloading applications and software from third-party app stores and websites. Before executing them, scan URLs and downloaded files on VirusTotal. Regularly scan your devices, especially after downloading new files. In office environments, block systems from downloading apps on workstations.

1.  Android Malware Poses as WhatsApp and Instagram to Steal Data
2.  TodoSwift Malware Targets macOS, Disguised as Bitcoin PDF App
3.  Octo2 Malware Uses Fake NordVPN Apps to Infect Android Phones
4.  SideWinder hackers hit Android users with malware apps on Play Store
5.  New BingoMod Android Malware Posing as Security Apps, Wipes Data

New Winos4.0 Malware Targeting Windows via Fake Gaming Apps

Google has released patches for two zero-days and a lot of other high level vulnerabilities.

Google has announced patches for several high severity vulnerabilities. In total, 51 vulnerabilities have been patched in November’s updates, two of which are under limited, active exploitation by cybercriminals.

If your Android phone shows patch level 2024-11-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 12, 12L, 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Keeping your device as up to date as possible protects you from known vulnerabilities that have been fixed, and helps you to stay safe.

**Technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs that look the most important are:

CVE-2024-43047: a high-severity use-after-free issue in closed-source Qualcomm components within the Android kernel that elevates privileges. Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Qualcomm disclosed the vulnerability in October as a problem in its Digital Signal Processor (DSP) service. The vulnerability is flagged as under limited, targeted exploitation and could allow an attacker to escalate privileges on targeted devices.

CVE-2024-43093: a high-severity escalation of privilege vulnerability impacting the Android Framework and the Google Play system updates. This is the second vulnerability that is flagged as under limited, targeted exploitation.

CVE-2024-43091: a high severity Remote Code Execution (RCE). By exploiting this vulnerability in the System component an attacker could remotely execute code on a device with no additional execution privileges needed.

CVE-2024-38408: is the only vulnerability listed as critical in this update. The problem is described as a “cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions.” LMP stands for Link Manager Protocol, which is a communication system used in Bluetooth technology to set up and manage connections between devices. The “start encryption command” is a special instruction that tells Bluetooth devices to begin scrambling their communications. The issue was patched by Qualcomm, which published a long list of affected chipsets.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Update your Android: Google patches two zero-day vulnerabilities 

Chinese-speaking adversaries are using a fresh Android banking Trojan to take over devices and initiate fraudulent money transfers from financial institutions across Latin America, Italy, Portugal, and Spain.

Source: Oneinchpunch via Alamy Stock Photo

Researchers have designated a new botnet on the scene — initially suspected to be a part of the Toxic banking Trojan family — as a whole new spinoff strain with its own moniker, ToxicPanda.

The ToxicPanda banking bot has turned up on at least 1,500 individual devices across Italy, Portugal, Spain, and Latin America, actively trying to steal money from at least 16 different financial institutions, according to new findings from Cleafy. The Chinese-speaking threat actors behind ToxicPanda deploy the malware to take over a targeted device and initiate scam money transfers, bypassing the banks' identity and authentication protections, the Cleafy team warned.

"Remote access capabilities allow threat actors to conduct account takeover (ATO) directly from the infected device, thus exploiting the on-device Fraud (ODF) technique," the Cleafy report explained. "This consolidation of this technique has already been seen by other banking Trojans, such as Medusa, Copybara, and, recently, BingoMod."

This stripped-down, manual approach to the Android banking Trojan gives the threat actors the advantage of not having to use highly skilled developers, it opens up the potential to victimize a wider swath of banking customers, and it bypasses many cybersecurity protections used by financial services and banks, the researchers noted.

Importantly, code analysis uncovered that ToxicPanda is in the early stages of development. But that doesn't mean it doesn't already have an impressive set of features, including the ability to exploit Android's accessibility services to escalate permissions, and capturing data from applications, the Cleafy team noted.

Further, ToxicPanda allows the threat actor to gain remote control of the infected device and initiate actions like money transfers without the users' knowledge. The banking Trojan also intercepts one-time passwords sent either by text or authenticator app, completely dismantling multifactor authentication protections. Finally, ToxicPanda is loaded with code-hiding tricks to avoid detection.

The ramp up of ToxicPanda indicates Chinese-speaking threat actors are beefing up their operations to expand into new territory outside its traditional Southeast Asian roots, the report warns.

"This trend underscores the mobile security ecosystem's escalating challenge, as the marketplace is increasingly saturated with malware and new threat actors emerge," Cleafy's report said. "An important question arising from this analysis is not just how to defend against threats like ToxicPanda but why contemporary antivirus solutions have struggled to detect a threat that is, in technical terms, relatively straightforward. Although there is no single answer, the lack of proactive, real-time detection systems is a primary issue."

**Google Patches Two Actively Exploited Android Flaws**

As Chinese-speaking groups look to gain initial access to devices, they often leverage Android vulnerabilities in wide-scale attacks.

Fittingly, on Nov. 4, Google released patches for dozens of Android vulnerabilities as part of November's update, among them, two that already have been exploited, CVE-2024-43047 and CVE-2024-43093. Although Google has not released details, the first was discovered by Amnesty International and Google's Threat Analysis Group, which are well known for tracking commercial spyware activities. The second is a high-severity privilege escalation flaw in Android's framework.

Beyond disclosing the flaws, which "may be under limited, targeted exploitation," Google has not provided additional details.

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

Android Botnet 'ToxicPanda' Bashes Banks Across Europe, Latin America

Ubuntu Security Notice 7088-2 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7088-2November 04, 2024linux-azure, linux-bluefield vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-bluefield: Linux kernel for NVIDIA BlueField platformsDetails:Ziming Zhang discovered that the VMware Virtual GPU DRM driver in theLinux kernel contained an integer overflow vulnerability. A localattacker could use this to cause a denial of service (system crash).(CVE-2022-36402)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - PowerPC architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - CPU frequency scaling framework;  - Device frequency scaling framework;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - InfiniBand drivers;  - Input Device core drivers;  - Input Device (Miscellaneous) drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - EEPROM drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Serial drivers;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - BPF subsystem;  - Core kernel;  - DMA mapping infrastructure;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Simplified Mandatory Access Control Kernel framework;  - SoC audio core drivers;  - USB sound devices;(CVE-2024-46714, CVE-2024-42288, CVE-2024-42290, CVE-2024-44987,CVE-2024-41090, CVE-2024-42313, CVE-2024-46689, CVE-2024-46737,CVE-2024-44946, CVE-2024-44999, CVE-2024-44935, CVE-2024-38602,CVE-2024-43883, CVE-2024-26607, CVE-2024-41091, CVE-2024-45025,CVE-2024-42305, CVE-2024-26891, CVE-2024-41073, CVE-2024-44969,CVE-2024-26641, CVE-2024-46719, CVE-2024-40929, CVE-2024-46721,CVE-2024-46740, CVE-2024-41012, CVE-2024-42280, CVE-2024-46738,CVE-2024-46722, CVE-2024-42246, CVE-2024-41063, CVE-2024-41072,CVE-2024-41068, CVE-2024-43884, CVE-2024-46758, CVE-2024-43861,CVE-2024-42306, CVE-2024-42285, CVE-2024-41065, CVE-2024-46818,CVE-2024-43894, CVE-2024-44954, CVE-2024-42310, CVE-2024-46829,CVE-2023-52614, CVE-2024-47663, CVE-2024-42281, CVE-2024-42297,CVE-2024-46800, CVE-2024-44960, CVE-2024-44952, CVE-2024-46747,CVE-2024-42286, CVE-2024-41071, CVE-2024-43893, CVE-2023-52531,CVE-2024-43860, CVE-2024-46840, CVE-2024-41011, CVE-2024-43890,CVE-2024-45026, CVE-2024-42292, CVE-2024-27051, CVE-2024-41015,CVE-2024-47668, CVE-2024-46817, CVE-2024-43846, CVE-2024-44988,CVE-2024-44944, CVE-2024-43829, CVE-2024-45021, CVE-2024-43914,CVE-2024-43856, CVE-2024-46673, CVE-2024-46771, CVE-2024-41081,CVE-2024-43830, CVE-2024-43839, CVE-2024-43853, CVE-2024-47669,CVE-2024-42244, CVE-2021-47212, CVE-2024-46844, CVE-2024-44965,CVE-2024-41059, CVE-2024-46783, CVE-2024-42295, CVE-2024-35848,CVE-2024-41017, CVE-2024-47659, CVE-2024-42309, CVE-2024-26800,CVE-2024-41064, CVE-2024-43879, CVE-2024-46679, CVE-2024-43854,CVE-2024-41022, CVE-2024-43858, CVE-2024-46739, CVE-2024-46685,CVE-2024-42289, CVE-2024-44998, CVE-2024-46761, CVE-2024-46677,CVE-2024-42131, CVE-2024-46815, CVE-2024-46777, CVE-2024-43880,CVE-2024-42276, CVE-2024-42265, CVE-2024-46723, CVE-2024-42259,CVE-2024-45028, CVE-2024-42229, CVE-2024-42283, CVE-2024-44948,CVE-2024-44995, CVE-2024-46757, CVE-2024-46822, CVE-2024-45006,CVE-2024-46780, CVE-2024-26668, CVE-2024-42284, CVE-2024-46782,CVE-2024-46781, CVE-2024-43871, CVE-2024-42304, CVE-2024-42311,CVE-2024-45003, CVE-2024-46745, CVE-2024-41098, CVE-2024-46750,CVE-2024-47667, CVE-2024-41020, CVE-2024-26640, CVE-2024-41070,CVE-2024-42301, CVE-2024-43882, CVE-2024-45008, CVE-2024-26885,CVE-2024-42287, CVE-2024-46744, CVE-2024-43908, CVE-2024-46798,CVE-2023-52918, CVE-2024-36484, CVE-2024-43841, CVE-2024-41042,CVE-2024-38611, CVE-2024-43867, CVE-2024-26669, CVE-2024-42271,CVE-2024-46756, CVE-2024-44947, CVE-2024-43835, CVE-2024-46676,CVE-2024-46743, CVE-2024-46759, CVE-2024-46675, CVE-2024-46828,CVE-2024-46755)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1094-bluefield  5.4.0-1094.101  linux-image-5.4.0-1139-azure    5.4.0-1139.146  linux-image-azure-lts-20.04     5.4.0.1139.133  linux-image-bluefield           5.4.0.1094.90After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7088-2  https://ubuntu.com/security/notices/USN-7088-1  CVE-2021-47212, CVE-2022-36402, CVE-2023-52531, CVE-2023-52614,  CVE-2023-52918, CVE-2024-26607, CVE-2024-26640, CVE-2024-26641,  CVE-2024-26668, CVE-2024-26669, CVE-2024-26800, CVE-2024-26885,  CVE-2024-26891, CVE-2024-27051, CVE-2024-35848, CVE-2024-36484,  CVE-2024-38602, CVE-2024-38611, CVE-2024-40929, CVE-2024-41011,  CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41020,  CVE-2024-41022, CVE-2024-41042, CVE-2024-41059, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41068, CVE-2024-41070,  CVE-2024-41071, CVE-2024-41072, CVE-2024-41073, CVE-2024-41081,  CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42131,  CVE-2024-42229, CVE-2024-42244, CVE-2024-42246, CVE-2024-42259,  CVE-2024-42265, CVE-2024-42271, CVE-2024-42276, CVE-2024-42280,  CVE-2024-42281, CVE-2024-42283, CVE-2024-42284, CVE-2024-42285,  CVE-2024-42286, CVE-2024-42287, CVE-2024-42288, CVE-2024-42289,  CVE-2024-42290, CVE-2024-42292, CVE-2024-42295, CVE-2024-42297,  CVE-2024-42301, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42313,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43835, CVE-2024-43839,  CVE-2024-43841, CVE-2024-43846, CVE-2024-43853, CVE-2024-43854,  CVE-2024-43856, CVE-2024-43858, CVE-2024-43860, CVE-2024-43861,  CVE-2024-43867, CVE-2024-43871, CVE-2024-43879, CVE-2024-43880,  CVE-2024-43882, CVE-2024-43883, CVE-2024-43884, CVE-2024-43890,  CVE-2024-43893, CVE-2024-43894, CVE-2024-43908, CVE-2024-43914,  CVE-2024-44935, CVE-2024-44944, CVE-2024-44946, CVE-2024-44947,  CVE-2024-44948, CVE-2024-44952, CVE-2024-44954, CVE-2024-44960,  CVE-2024-44965, CVE-2024-44969, CVE-2024-44987, CVE-2024-44988,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45008, CVE-2024-45021, CVE-2024-45025,  CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46675,  CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685,  CVE-2024-46689, CVE-2024-46714, CVE-2024-46719, CVE-2024-46721,  CVE-2024-46722, CVE-2024-46723, CVE-2024-46737, CVE-2024-46738,  CVE-2024-46739, CVE-2024-46740, CVE-2024-46743, CVE-2024-46744,  CVE-2024-46745, CVE-2024-46747, CVE-2024-46750, CVE-2024-46755,  CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,  CVE-2024-46761, CVE-2024-46771, CVE-2024-46777, CVE-2024-46780,  CVE-2024-46781, CVE-2024-46782, CVE-2024-46783, CVE-2024-46798,  CVE-2024-46800, CVE-2024-46815, CVE-2024-46817, CVE-2024-46818,  CVE-2024-46822, CVE-2024-46828, CVE-2024-46829, CVE-2024-46840,  CVE-2024-46844, CVE-2024-47659, CVE-2024-47663, CVE-2024-47667,  CVE-2024-47668, CVE-2024-47669Package Information:  https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1140.147  https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1095.102

Ubuntu Security Notice USN-7088-2

Over 1,500 Android devices have been infected by a new strain of Android banking malware called ToxicPanda that allows threat actors to conduct fraudulent banking transactions.
"ToxicPanda's main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called on-device fraud (ODF)," Cleafy researchers Michele Roviello, Alessandro Strino

Over 1,500 Android devices have been infected by a new strain of Android banking malware called ToxicPanda that allows threat actors to conduct fraudulent banking transactions.

"ToxicPanda's main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called on-device fraud (ODF)," Cleafy researchers Michele Roviello, Alessandro Strino, and Federico Valentini said in a Monday analysis.

"It aims to bypass bank countermeasures used to enforce users' identity verification and authentication, combined with behavioral detection techniques applied by banks to identify suspicious money transfers."

ToxicPanda is believed to be the work of a Chinese-speaking threat actor, with the malware sharing foundational similarities with another Android malware dubbed TgToxic, which can steal credentials and funds from crypto wallets. TgToxic was documented by Trend Micro in early 2023.

A majority of the compromises have been reported in Italy (56.8%), followed by Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%), and Peru (3.4%), marking a rare instance of a Chinese threat actor orchestrating a fraudulent scheme to target retail banking users in Europe and Latin America.

The banking trojan also appears to be in its nascent stages. Analysis shows that it's a stripped-down version of its ancestor, removing Automatic Transfer System (ATS), Easyclick, and obfuscation routines, while also introducing 33 new commands of its own to harvest a wide range of data.

In addition, as many as 61 commands have been found to be common to both TgToxic and ToxicPanda, indicating that the same threat actor or their close affiliates are behind the new malware family.

"While it shares some bot command similarities with the TgToxic family, the code diverges considerably from its original source," the researchers said. "Many capabilities characteristic of TgToxic are notably absent, and some commands appear as placeholders without real implementation."

The malware masquerades as popular apps like Google Chrome, Visa, and 99 Speedmart, and is distributed via counterfeit pages mimicking app store listing pages. It's currently not known how these links are propagated and if they involve malvertising or smishing techniques.

Once installed via sideloading, ToxicPanda abuses Android's accessibility services to gain elevated permissions, manipulate user inputs, and capture data from other apps. It can also intercept one-time passwords (OTPs) sent via SMS or generated using authenticator apps, thus enabling the threat actors to bypass two-factor authentication (2FA) protections and complete fraudulent transactions.

The core functionality of the malware, besides its ability to harvest information, is to permit attackers to remotely control the compromised device and perform what's called ODF, which makes it possible to initiate unauthorized money transfers without the victim's knowledge.

Cleafy said it was able to gain access to ToxicPanda's command-and-control (C2) panel, a graphical interface presented in Chinese that allows the operators to view the list of victim devices, including the model information, and location, and remove them from the bonnet. Furthermore, the panel serves as a conduit to request real-time remote access to any of the devices for conducting ODF.

"ToxicPanda needs to demonstrate more advanced and unique capabilities that would complicate its analysis," the researchers said. "However, artifacts such as logging information, dead code, and debugging files suggest that the malware may either be in its early stages of development or undergoing extensive code refactoring—particularly given its similarities with TGToxic."

The development comes as a group of researchers from the Georgia Institute of Technology, German International University, and Kyung Hee University detailed a backend malware analysis service called DVa – short for Detector of Victim-specific Accessibility – to flag malware exploiting accessibility features on Android devices.

"Using dynamic execution traces, DVa further utilizes an abuse-vector-guided symbolic execution strategy to identify and attribute abuse routines to victims," they said. "Finally, DVa detects \[accessibility\]-empowered persistence mechanisms to understand how malware obstructs legal queries or removal attempts."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers

The Iran-linked group Emennet Pasargad aims to undermine public confidence in Israeli and Western nations by using hack-and-leak campaigns and disrupting government services, including elections.

Source: Muhammad Toqueer via Shutterstock

An Iranian cyber-operations group, Emennet Pasargad — also known as Cotton Sandstorm — has broadened its attacks, expanding its targets beyond Israel and the United States and targeting new IT assets, such as IP cameras.

In an advisory published last week, the US Departments of Justice and Treasury — along with the Israel National Cyber Directorate (INCD) — called out the change in tactics and noted that the group had provided resources and infrastructure services to Middle Eastern threat groups by operating as a legitimate company, Aria Sepehr Ayandehsazan (ASA). In addition, since the beginning of the year, Emennet Pasargad has scanned for IP cameras, targeted organizations in France and Sweden, and actively probed a variety of election sites and systems, according to the government advisory.

"Similar to the Emennet campaign that targeted the 2020 U.S. Presidential election, the FBI judges the group's recent campaigns include a mix of computer intrusion activity and exaggerated or fictitious claims of access to victim networks or stolen data to enhance the psychological effects of their operations," the advisory stated.

The latest intelligence highlights Iran's increasing use of cyber operations as a way to target its perceived enemies. In 2020 and 2022, Emennet Pasargad created disinformation campaigns to target the US presidential and midterm elections, posing as Proud Boys volunteers and sending fake videos to Republican lawmakers. The US Department of Justice indicted two Iranian nationals for the crimes, as well as for sending threats through email and attempting to hack election websites.

Related:DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Over the past year, Iran has stepped up its attempts to use cyberattacks to disrupt its enemies using bolder tactics, says John Fokker, head of threat intelligence for Trellix, a threat detection and response firm.

"Since October 2023, the beginning of the Israeli-Palestine crisis, Iranian hackers have intensified their activities against the United States and Israel, targeting critical sectors such as government, energy, and finance," he says. "We have observed Iran-linked actors disrupting organizations by stealing sensitive data, conducting denial-of-service attacks, and also deploying destructive malware such as ransomware or wiper strains, like the Handala wiper."

**Iranian Cyberattackers Broaden Their Sights**

Emennet Pasargad often operates by posing as a legitimate IT services company, ASA, as a front for accessing large language model (LLM) services and to scan and harvest data on IP cameras. The group has "used several cover hosting providers for infrastructure management and obfuscation," the Joint Cybersecurity Advisory added.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

The use of a cover organization to hide operations and make them seem legitimate is a common approach for Iranian threat actors, says Tomer Bar, vice president of security research at SafeBreach, a breach and attack simulation platform provider which has offices in Tel Aviv. For instance, Charming Kitten, or APT35, conducted reconnaissance and attacks under the guise of two companies, Najee Technology and Afkar System, which were sanctioned by the US Treasury Department in 2022.

"The usage of a cover company is not new, and it has been used by Iran both for espionage and distractive purposes," Bar says.

It also gives groups the ability to use commercial services as part of their infrastructure and hide their activities — for a time, says Trellix's Fokker.

"Threat actors have to acquire resources, software and hosting for their illicit activities," he says. "Having a 'legitimate' front company will make it easier to acquire these services and can serve as additional backstopping to give a plausible deniability."

**Governments, Businesses Should Take Stock**

The changing tactics underscore that organizations need to continually adjust their defenses to head off threat groups. Companies and government agencies should only buy technology and software from trusted vendors, and should make sure that those vendors have their own supply chain validation and vulnerability-remediation processes.

Related:BlankBot Trojan Targets Turkish Android Users

The Joint Cybersecurity Advisory called for organizations to review any successful authentications to network or cloud services that come from virtual private network services, such as Private Internet Access, ExpressVPN, and NordVPN. In addition to regularly applying updates and creating a resilient backup process, companies should consider deploying a "demilitarized zone" (DMZ) between any internet-facing assets and the corporate network, validating user input, and implementing least-privilege policies across their networks and applications.

SafeBreach has encountered attackers regularly scanning LinkedIn for workers who update their profiles with a new position, sending a spear-phishing text or email as a company administrator requesting that they log into a corporate system. The attackers then capture the victim's credentials through a malicious link.

Trellix's Fokker also stressed that companies should focus on their connected devices, applying patches for cameras and other hardware, using network segmentation to protect them, and regularly scanning their own IP space, before an attacker does.

"More and more governments are exploring the proactive scanning of IP spaces and notification of domestic organizations as an additional layer on top of stronger manufacturer requirements," he says. "First and foremost, it should be the responsibility of the organization itself. However, it will help if the government assists in this process and alerts unknowing organizations of their vulnerable cameras."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

Google has warned that a security flaw impacting its Android operating system has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2024-43093, has been described as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories and its sub-directories,

Mobile Security / Vulnerability

Google has warned that a security flaw impacting its Android operating system has come under active exploitation in the wild.

The vulnerability, tracked as CVE-2024-43093, has been described as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories and its sub-directories, according to a code commit message.

There are currently no details about how the vulnerability is being weaponized in real-world attacks, but Google acknowledged in its monthly bulletin that there are indications it "may be under limited, targeted exploitation."

The tech giant has also flagged CVE-2024-43047, a now-patched security bug in Qualcomm chipsets, as having been actively exploited. A use-after-free vulnerability in the Digital Signal Processor (DSP) Service, successful exploitation could lead to memory corruption.

Last month, the chipmaker credited Google Project Zero researchers Seth Jenkins and Conghui Wang for reporting the flaw, and Amnesty International Security Lab for confirming the in-the-wild activity.

The advisory offers no details on the exploit activity targeting the flaw or when it might have started, although it's possible that it may have been leveraged as part of highly targeted spyware attacks aimed at civil society members.

It's also currently not known if both the security vulnerabilities were fashioned together as an exploit chain to elevate privileges and achieve code execution.

CVE-2024-43093 is the second actively exploited Android Framework flaw after CVE-2024-32896, which was patched by Google back in June and September 2024. While it was originally resolved only for Pixel devices, the company later confirmed that the flaw impacts the broader Android ecosystem.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System

The Pakistan-based advanced persistent threat actor has been carrying on a cyber-espionage campaign targeting organizations on the subcontinent for more than a decade, and it's now using a new and improved "ElizaRAT" malware.

Source: Mehaniq vis Shutterstock

Pakistan's APT36 threat group is using a new and improved version of its core ElizaRAT custom implant, in what appears to be a growing number of successful attacks on Indian government agencies, military entities, and diplomatic missions over the past year.

The latest ElizaRAT variant includes new evasion techniques, enhanced command-and-control (C2) capabilities, and an additional dropper component that makes it harder for defenders to detect the malware, researchers at Check Point Research (CPR) discovered when analyzing the group's activities recently. Heightening the threat is a new stealer payload dubbed ApoloStealer, which APT36 has begun using to collect targeted file types from compromised systems, store their metadata, and transfer the information to the attacker's C2 server.

**A Step-by-Step Cyberattack Capability**

"With the introduction of their new stealer, the group can now implement a 'step-by-step' approach, deploying malware tailored to specific targets," says Sergey Shykevich, threat intelligence group manager at Check Point Software. "This ensures that even if defenders detect their activities, they primarily find only a segment of the overall malware arsenal."

Heightening the challenge is the threat group's using of legitimate software, living off the land binaries (LoLBins), and legitimate services like Telegram, Slack, and Google Drive for C2 communications. The use of these services has significantly complicated the task of tracking malware communications in network traffic, Shykevich says.

APT36, who security vendors variously track as Transparent Tribe, Operation C-Major, Earth Karkaddan, and Mythic Leopard, is a Pakistani threat group that. since around 2013, has primarily targeted Indian government and military entities in numerous intelligence gathering operations. Like many other tightly focused threat groups, APT36s campaigns have occasionally targeted organizations in other countries, including Europe, Australia, and the US.

The threat actor's current malware portfolio includes tools for compromising Windows, Android, and increasingly, Linux devices. Earlier this year, BlackBerry reported an APT36 campaign where 65% of the group's attacks involved ELF binaries (Linkable Executable and Linkable Format) targeting Maya OS, a Unix-like operating system that India's defense ministry has developed as an alternative to Windows. And SentinelOne last year reported observing APT36 using romantic lures to spread malware called CopraRAT on Android devices belonging to Indian diplomatic and military personnel.

ElizaRAT is malware that the threat actor incorporated into its attack kit last September. The group has been distributing the malware via phishing emails containing links to malicious Control Panel files (CPL) stored on Google Storage. When a user opens the CPL file, it runs code that initiates the malware infection on their device, potentially giving the attacker remote access or control over the system.

**Three Campaigns, Three Versions**

Check Point researchers observed APT36 actors using at least three different versions of ElizaRAT in three separate campaigns — all targeting Indian entities — over the past year.

The first was an ElizaRAT variant that used Slack channels as C2 infrastructure. APT36 began using that variant sometime late last year and about a month later began deploying ApoloStealer with it. Starting early this year, the threat group switched to using a dropper component to stealthily drop and unpack a compressed file containing a new and improved version of ElizaRAT. The new variant, like its predecessor first checked to verify if the time zone of the machine it was on was set to Indian Standard Time before executing and further malicious activity.

The latest — third — version uses Google Drive for C2 communications. It lands on victim systems via malicious CPL files that act as a dropper for ElizaRAT. The CPL files execute a variety of tasks including creating a working directory for the malware, establishing persistence and registering the victim with the C2 server. What sets the latest version apart from the two previous ElizaRAT iteration is its continuous use of cloud services like Google Cloud for its C2 communication, Shykevich says. In addition, the latest APT36 campaign features a new USB stealer called ConnectX that the threat actor is using to examine files on USBs and other external drives that might be attached to a compromised device, he says.

"Introducing new payloads such as ApolloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment," CPR said in its report. "These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

APT36 Refines Tools in Attacks on Indian Targets

When you download a piece of pirated software, you might also be getting a piece of infostealer malware, and entering a highly complex hacking ecosystem that’s fueling some of the biggest breaches on the planet.

On October 20, a hacker who calls themselves Dark X said they logged in to a server and stole the personal data of 350 million Hot Topic customers. The following day, Dark X listed the data, including alleged emails, addresses, phone numbers, and partial credit card numbers, for sale on an underground forum. The day after that, Dark X said Hot Topic kicked them out.

Dark X told me that the apparent breach, which is possibly the largest hack of a consumer retailer ever, was partly due to luck. They just happened to get login credentials from a developer who had access to Hot Topic’s crown jewels. To prove it, Dark X sent me the developer’s login credentials for Snowflake, a data warehousing tool that hackers have repeatedly targeted recently. Alon Gal from cybersecurity firm Hudson Rock, which first found the link between infostealers and the Hot Topic breach, said he was sent the same set of credentials by the hacker.

The luck part is true. But the claimed Hot Topic hack is also the latest breach directly connected to a sprawling underground industry that has made hacking some of the most important companies in the world child’s play.

AT&T. Ticketmaster. Santander Bank. Neiman Marcus. Electronic Arts. These were not entirely isolated incidents. Instead, they were all hacked thanks to “infostealers,” a type of malware that is designed to pillage passwords and cookies stored in the victim’s browser. In turn, infostealers have given birth to a complex ecosystem that has been allowed to grow in the shadows and where criminals fulfill different roles. There are Russian malware coders continually updating their code; teams of professionals who use glitzy advertising to hire contractors to spread the malware across YouTube, TikTok, or GitHub; and English-speaking teenagers on the other side of the world who then use the harvested credentials to break into corporations. At the end of October, a collaboration of law enforcement agencies announced an operation against two of the world’s most prevalent stealers. But the market has been able to grow and mature so much that now law enforcement action against even one part of it is unlikely to make any lasting dent in the spread of infostealers.

Based on interviews with malware developers, hackers who use the stolen credentials, and a review of manuals that tell new recruits how to spread the malware, 404 Media has mapped out this industry. Its end result is that a download of an innocent-looking piece of software by a single person can lead to a data breach at a multibillion-dollar company, putting Google and other tech giants in an ever-escalating cat-and-mouse game with the malware developers to keep people and companies safe.

“We are professionals in our field and will continue to work on bypassing future Google updates,” an administrator for LummaC2, one of the most popular pieces of infostealer malware, told me in an online chat. “It takes some time, but we have all the resources and knowledge to continue the fight against Chrome.”

**The Stealers**

The infostealer ecosystem starts with the malware itself. Dozens of these exist, with names like Nexus, Aurora, META, and Raccoon. The most widespread infostealer at the moment is one called RedLine, according to cybersecurity firm Recorded Future. Having a prepackaged piece of malware also dramatically lowers the barrier to entry for a budding new hacker. The administrator of LummaC2, which Recorded Future says is in the top 10 of infostealers, said it welcomes both beginner and experienced hackers.

Initially, many of these developers were interested in stealing credentials or keys related to cryptocurrency wallets. Armed with those, hackers could empty a victim’s digital wallets and make a quick buck. Many today still market their tools as being able to steal bitcoin and have even introduced OCR to detect seed phrases in images. But recently those same developers and their associates figured out that all of the other stuff stored in a browser—passwords to the victim’s place of work, for example—could generate a secondary stream of revenue.

“Malware developers and their clients have realized that personal and corporate credentials, such as login details for online accounts, financial data, and other sensitive information, hold substantial value on the black market,” RussianPanda, an independent security researcher who follows infostealers closely, told 404 Media. Infostealer creators pivoted to capture this information too, she said. In essence, the exhaust from cryptocurrency-focused heists has created an entire new industry in its own right that is causing even more destruction across healthcare, tech, and other industries.

Some stealers then sell these collected credentials and cookies, or logs, themselves via bots on Telegram. Telegram, rather than acting as simply a messaging app, provides critical infrastructure for these teams. The entire process from buying to selling stolen logs is automated through Telegram bots. Telegram did not respond to a request for comment.

Infostealers are not especially hard to write, but the malware developers constantly butt heads with engineers inside tech giants, such as Google, who are trying to stop them from stealing users’ credentials.

In July, for example, Google Chrome rolled out an update that was designed to lock applications other than Chrome—including malware—from accessing cookie data. For a moment, Chrome had the upper hand. LummaC2 gave its users some workarounds, but none were a reliable fix. Some malware developers make their grievances known more explicitly. In one update, a pair of infostealers included the phrase “ChromeFuckNewCookies” in their malware’s code.

“It's a little bit of a cat and mouse, but we think that this is a game that we want to play as much as we can if the outcomes remain positive,” Will Harris, staff software engineer on Google Chrome, said. “We want to protect users, obviously, as much as we can.” That doesn’t just come in securing Chrome itself and protecting more data from infostealers. It also includes “disruption,” such as more researchers writing about infostealers’ particular techniques, which in turn constrains the tools available to the malware developers. Releasing updates one by one on a regular basis, rather than all at once, can also disrupt the malware developers. Instead of the criminal coders knowing what they need to fix all in one go, they can never be quite sure what Google is going to clamp down on next, wasting more of their time.

After one update, a lot of the customers of a stealer were “extremely upset, and they \[the malware makers\] had to work nights on coming up with a bypass,” Harris said. He added that one stealer, called Vidar, increased the cost of its tool too. “We have to stay agile here. I mean the infostealers are moving fast on this as well, and we want to be keeping up with them, and I think we are able to in this case,” he said.

He also pointed specifically to Microsoft Windows. “When you compare Windows with, say, Android, or with ChromeOS, or even macOS, those platforms have this strong application isolation.” Meaning, that malware has a harder time stealing data from other parts of the system. “We noticed on Windows, which was obviously a major platform for us, that these protections didn’t exist.”

In an email, a Microsoft spokesperson said, “In addition to the hardware-backed baseline requirements for all Windows PCs—such as, TPM, Secure Boot, and virtualization-based security, there are many security features now enabled by default in Win11 which makes it more difficult for info-stealers. Our guidance is that users should run as Standard User and not Admin on their Windows device. Running standard user means users (and apps being used by users) can make changes to their computer but do not have full system access by default, so that info stealers will not have the full access required to make it easy to steal the data that they are after.”

Infostealer malware for Mac does exist, but to a much smaller degree, according to Recorded Future.

A malware creator may have an effective piece of software in their hands. But ultimately getting that software onto victims’ computers is the job of someone else.

**The Traffers**

With electronic rap music playing in the background, a man stretches his hands forward and leans back into a chair. The camera pans around their alleged apartment: huge floor-to-ceiling windows in a large dining room, wood-paneled floors, and a funky chandelier. In another shot the man opens a laptop, types away, and then takes a sip of what looks like whiskey. The implication: This could be you if we work together.

This is one of a dizzying number of adverts on an underground forum called Lolz where “traffers” gather to look for new recruits. In this case, the man in the video is looking for people to push a fake casino tool that can steal people’s funds. But much of the rest of the “traffers” section is dedicated to proliferating infostealers. The job of these contractors is to help spread the malware or get them traffic, with teams vying for attention in a crowded marketplace. Each tries to one-up the other with outrageous advertising and branding. They use names such as “Billionaire Boys Club,” “Baphomet,” and “Chemodan.” Their adverts include animated GIFs of computer-generated luxury cars or private jets. Another for “Cryptoland Team” shows a knight in armor looking down at a skeleton in a hood writing on parchment paper. Cryptoland Team say they work with LummaC2 and another stealer called Rhadamanthys.

“Payment by logs or money. We give you a choice: Either you take the logs, or we buy them,” one advert from a team called Baphomet, with satanic branding, says.

Each lists the brand of infostealer they use, what split of the profits a collaborator can expect, and whether they allow an associate to take any extra exfiltrated logs. And most explicitly say that anyone they work with is prohibited from targeting the Commonwealth of Independent States (СНГ), or former members of the Soviet Union, which includes Belarus, Ukraine, and Russia. Collaborators then leave reviews and screenshots proving they’ve made money working with the team.

Many of these teams take new applications via their own Telegram bots. Some are strict in that they only want to work with people who are already experienced, while others seemingly take anyone on board. 404 Media was able to easily pass an application process for two traffer teams by answering some basic questions. After that, the bots sent links to the teams’ respective manuals, which lay out how to spread the malware.

One manual from Baphomet, for example, recommends bundling the stealer into cheating software for Roblox. It then describes how to set up a YouTube video advertising the cheat, and by extension, help propagate the malware.

Another advert from a traffer team says it works with TikTok, Telegram, Instagram, Twitter, Facebook, YouTube, YouTube Shorts, email newsletters, bloggers, and influencers. In the video of the hacker drinking whiskey, at one point his laptop shows a page on TikTok. Many of the manuals reflect this and recommend distributing infostealers via other social media sites or point to GitHub as an effective trafficking method.

Some infostealers are also hidden inside cracked or pirated software. One reason they’re so effective is that users are seeking the software out, not the other way around. People are actively searching for free software, be damned about the consequences.

A Google spokesperson said in an email, “We have policies in place to prevent spam, scams, or other deceptive practices that take advantage of the YouTube community. This includes prohibiting content where the main purpose is to trick others into leaving YouTube for another site.”

Meta did not respond to a request for comment. TikTok acknowledged a request but did not provide a response in time for publication.

And these traffers and others are clearly successful on a massive scale. Recorded Future says it sees 250,000 new infostealer infections every day.

**The Channels and Sites**

The harvested credentials are then fed into Telegram channels, where a tsunami of cookies and logins are available for purchase. The administrator for LummaC2 told me “This brings us good income, but I am not ready to disclose specific amounts,” referring to selling the stolen logs. Testing out the Telegram bot, it’s possible to filter by country, the number of cookies, or passwords available. 404 Media saw many U.S. logs available for sale. Over the past few weeks, some of these Telegram channels have been deleted. Telegram did not respond to a request for comment asking if it had taken action against them.

These, in turn, have their own branding, much like the traffers. Many channels also distribute stolen credentials for free, likely in an attempt to advertise their paid offerings. Even the freely available credentials can be devastating for a targeted organization. Earlier this year, a security researcher used exposed logins to compromise a server belonging to AU10TIX, an identity verification company that works with TikTok, Uber, and X. Those credentials came from a free stream available on Telegram, the researcher showed 404 Media at the time.

Some websites are also dedicated to, or have sections for, selling infostealer logs. Genesis Market is a site where the hackers responsible for the 2021 breach of Electronic Arts sourced a login token for the company’s Slack. In 2023, authorities shut down Genesis Market. But much of the credential selling has moved over to another long-running site, Russian Market, according to Recorded Future.

And this is where the hackers come in. Judische, the hacker linked to breaches at AT&T, Ticketmaster, and other companies that used Snowflake, likely lifted stolen credentials from these sorts of feeds and then used those to log into target servers. In some instances, those companies were not using multifactor authentication. But the power of logs is that they can sometimes bypass that extra layer of protection—a cookie can trick a service into thinking the user is trusted, and not prompt them for an extra login code.

Potentially with no idea how the logs were ultimately sourced, some English hackers ask in large group chats for passwords related to targets in particular countries. One I recently saw said they wanted logs for Canadian victims.

When interviewing Dark X, the alleged Hot Topic hacker, they seemed to sense another potential way to make some money. They mentioned they also sell logs.

“You wanna buy? haha,” they wrote.

Inside the Massive Crime Industry That’s Hacking Billion-Dollar Companies

A list of topics we covered in the week of October 28 to November 3 of 2024

November 1, 2024 - Fraudsters running the Phish 'n Ships campaign infected legitimate website and used SEO poisoning to redirect shoppers to their fake web shops

October 31, 2024 - Android malware FakeCall can intercept calls to the bank on infected devices and redirect the target to the criminals.

October 30, 2024 - Chrome issued a security update that patches two critical vulnerabilities. One of which was reported by Apple

October 29, 2024 - Apple has issued patches for several of its operating systems. The ones for iOS and iPadOS deserve your immediate attention.

October 28, 2024 - There is a whole ecosystem behind the sales and distribution of counterfeit goods. Best to stay away from them.

Tag

#android