The Pakistan-based advanced persistent threat actor has been carrying on a cyber-espionage campaign targeting organizations on the subcontinent for more than a decade, and it's now using a new and improved "ElizaRAT" malware.

Source: Mehaniq vis Shutterstock

Pakistan's APT36 threat group is using a new and improved version of its core ElizaRAT custom implant, in what appears to be a growing number of successful attacks on Indian government agencies, military entities, and diplomatic missions over the past year.

The latest ElizaRAT variant includes new evasion techniques, enhanced command-and-control (C2) capabilities, and an additional dropper component that makes it harder for defenders to detect the malware, researchers at Check Point Research (CPR) discovered when analyzing the group's activities recently. Heightening the threat is a new stealer payload dubbed ApoloStealer, which APT36 has begun using to collect targeted file types from compromised systems, store their metadata, and transfer the information to the attacker's C2 server.

**A Step-by-Step Cyberattack Capability**

"With the introduction of their new stealer, the group can now implement a 'step-by-step' approach, deploying malware tailored to specific targets," says Sergey Shykevich, threat intelligence group manager at Check Point Software. "This ensures that even if defenders detect their activities, they primarily find only a segment of the overall malware arsenal."

Heightening the challenge is the threat group's using of legitimate software, living off the land binaries (LoLBins), and legitimate services like Telegram, Slack, and Google Drive for C2 communications. The use of these services has significantly complicated the task of tracking malware communications in network traffic, Shykevich says.

APT36, who security vendors variously track as Transparent Tribe, Operation C-Major, Earth Karkaddan, and Mythic Leopard, is a Pakistani threat group that. since around 2013, has primarily targeted Indian government and military entities in numerous intelligence gathering operations. Like many other tightly focused threat groups, APT36s campaigns have occasionally targeted organizations in other countries, including Europe, Australia, and the US.

The threat actor's current malware portfolio includes tools for compromising Windows, Android, and increasingly, Linux devices. Earlier this year, BlackBerry reported an APT36 campaign where 65% of the group's attacks involved ELF binaries (Linkable Executable and Linkable Format) targeting Maya OS, a Unix-like operating system that India's defense ministry has developed as an alternative to Windows. And SentinelOne last year reported observing APT36 using romantic lures to spread malware called CopraRAT on Android devices belonging to Indian diplomatic and military personnel.

ElizaRAT is malware that the threat actor incorporated into its attack kit last September. The group has been distributing the malware via phishing emails containing links to malicious Control Panel files (CPL) stored on Google Storage. When a user opens the CPL file, it runs code that initiates the malware infection on their device, potentially giving the attacker remote access or control over the system.

**Three Campaigns, Three Versions**

Check Point researchers observed APT36 actors using at least three different versions of ElizaRAT in three separate campaigns — all targeting Indian entities — over the past year.

The first was an ElizaRAT variant that used Slack channels as C2 infrastructure. APT36 began using that variant sometime late last year and about a month later began deploying ApoloStealer with it. Starting early this year, the threat group switched to using a dropper component to stealthily drop and unpack a compressed file containing a new and improved version of ElizaRAT. The new variant, like its predecessor first checked to verify if the time zone of the machine it was on was set to Indian Standard Time before executing and further malicious activity.

The latest — third — version uses Google Drive for C2 communications. It lands on victim systems via malicious CPL files that act as a dropper for ElizaRAT. The CPL files execute a variety of tasks including creating a working directory for the malware, establishing persistence and registering the victim with the C2 server. What sets the latest version apart from the two previous ElizaRAT iteration is its continuous use of cloud services like Google Cloud for its C2 communication, Shykevich says. In addition, the latest APT36 campaign features a new USB stealer called ConnectX that the threat actor is using to examine files on USBs and other external drives that might be attached to a compromised device, he says.

"Introducing new payloads such as ApolloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment," CPR said in its report. "These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

APT36 Refines Tools in Attacks on Indian Targets

When you download a piece of pirated software, you might also be getting a piece of infostealer malware, and entering a highly complex hacking ecosystem that’s fueling some of the biggest breaches on the planet.

On October 20, a hacker who calls themselves Dark X said they logged in to a server and stole the personal data of 350 million Hot Topic customers. The following day, Dark X listed the data, including alleged emails, addresses, phone numbers, and partial credit card numbers, for sale on an underground forum. The day after that, Dark X said Hot Topic kicked them out.

Dark X told me that the apparent breach, which is possibly the largest hack of a consumer retailer ever, was partly due to luck. They just happened to get login credentials from a developer who had access to Hot Topic’s crown jewels. To prove it, Dark X sent me the developer’s login credentials for Snowflake, a data warehousing tool that hackers have repeatedly targeted recently. Alon Gal from cybersecurity firm Hudson Rock, which first found the link between infostealers and the Hot Topic breach, said he was sent the same set of credentials by the hacker.

The luck part is true. But the claimed Hot Topic hack is also the latest breach directly connected to a sprawling underground industry that has made hacking some of the most important companies in the world child’s play.

AT&T. Ticketmaster. Santander Bank. Neiman Marcus. Electronic Arts. These were not entirely isolated incidents. Instead, they were all hacked thanks to “infostealers,” a type of malware that is designed to pillage passwords and cookies stored in the victim’s browser. In turn, infostealers have given birth to a complex ecosystem that has been allowed to grow in the shadows and where criminals fulfill different roles. There are Russian malware coders continually updating their code; teams of professionals who use glitzy advertising to hire contractors to spread the malware across YouTube, TikTok, or GitHub; and English-speaking teenagers on the other side of the world who then use the harvested credentials to break into corporations. At the end of October, a collaboration of law enforcement agencies announced an operation against two of the world’s most prevalent stealers. But the market has been able to grow and mature so much that now law enforcement action against even one part of it is unlikely to make any lasting dent in the spread of infostealers.

Based on interviews with malware developers, hackers who use the stolen credentials, and a review of manuals that tell new recruits how to spread the malware, 404 Media has mapped out this industry. Its end result is that a download of an innocent-looking piece of software by a single person can lead to a data breach at a multibillion-dollar company, putting Google and other tech giants in an ever-escalating cat-and-mouse game with the malware developers to keep people and companies safe.

“We are professionals in our field and will continue to work on bypassing future Google updates,” an administrator for LummaC2, one of the most popular pieces of infostealer malware, told me in an online chat. “It takes some time, but we have all the resources and knowledge to continue the fight against Chrome.”

**The Stealers**

The infostealer ecosystem starts with the malware itself. Dozens of these exist, with names like Nexus, Aurora, META, and Raccoon. The most widespread infostealer at the moment is one called RedLine, according to cybersecurity firm Recorded Future. Having a prepackaged piece of malware also dramatically lowers the barrier to entry for a budding new hacker. The administrator of LummaC2, which Recorded Future says is in the top 10 of infostealers, said it welcomes both beginner and experienced hackers.

Initially, many of these developers were interested in stealing credentials or keys related to cryptocurrency wallets. Armed with those, hackers could empty a victim’s digital wallets and make a quick buck. Many today still market their tools as being able to steal bitcoin and have even introduced OCR to detect seed phrases in images. But recently those same developers and their associates figured out that all of the other stuff stored in a browser—passwords to the victim’s place of work, for example—could generate a secondary stream of revenue.

“Malware developers and their clients have realized that personal and corporate credentials, such as login details for online accounts, financial data, and other sensitive information, hold substantial value on the black market,” RussianPanda, an independent security researcher who follows infostealers closely, told 404 Media. Infostealer creators pivoted to capture this information too, she said. In essence, the exhaust from cryptocurrency-focused heists has created an entire new industry in its own right that is causing even more destruction across healthcare, tech, and other industries.

Some stealers then sell these collected credentials and cookies, or logs, themselves via bots on Telegram. Telegram, rather than acting as simply a messaging app, provides critical infrastructure for these teams. The entire process from buying to selling stolen logs is automated through Telegram bots. Telegram did not respond to a request for comment.

Infostealers are not especially hard to write, but the malware developers constantly butt heads with engineers inside tech giants, such as Google, who are trying to stop them from stealing users’ credentials.

In July, for example, Google Chrome rolled out an update that was designed to lock applications other than Chrome—including malware—from accessing cookie data. For a moment, Chrome had the upper hand. LummaC2 gave its users some workarounds, but none were a reliable fix. Some malware developers make their grievances known more explicitly. In one update, a pair of infostealers included the phrase “ChromeFuckNewCookies” in their malware’s code.

“It's a little bit of a cat and mouse, but we think that this is a game that we want to play as much as we can if the outcomes remain positive,” Will Harris, staff software engineer on Google Chrome, said. “We want to protect users, obviously, as much as we can.” That doesn’t just come in securing Chrome itself and protecting more data from infostealers. It also includes “disruption,” such as more researchers writing about infostealers’ particular techniques, which in turn constrains the tools available to the malware developers. Releasing updates one by one on a regular basis, rather than all at once, can also disrupt the malware developers. Instead of the criminal coders knowing what they need to fix all in one go, they can never be quite sure what Google is going to clamp down on next, wasting more of their time.

After one update, a lot of the customers of a stealer were “extremely upset, and they \[the malware makers\] had to work nights on coming up with a bypass,” Harris said. He added that one stealer, called Vidar, increased the cost of its tool too. “We have to stay agile here. I mean the infostealers are moving fast on this as well, and we want to be keeping up with them, and I think we are able to in this case,” he said.

He also pointed specifically to Microsoft Windows. “When you compare Windows with, say, Android, or with ChromeOS, or even macOS, those platforms have this strong application isolation.” Meaning, that malware has a harder time stealing data from other parts of the system. “We noticed on Windows, which was obviously a major platform for us, that these protections didn’t exist.”

In an email, a Microsoft spokesperson said, “In addition to the hardware-backed baseline requirements for all Windows PCs—such as, TPM, Secure Boot, and virtualization-based security, there are many security features now enabled by default in Win11 which makes it more difficult for info-stealers. Our guidance is that users should run as Standard User and not Admin on their Windows device. Running standard user means users (and apps being used by users) can make changes to their computer but do not have full system access by default, so that info stealers will not have the full access required to make it easy to steal the data that they are after.”

Infostealer malware for Mac does exist, but to a much smaller degree, according to Recorded Future.

A malware creator may have an effective piece of software in their hands. But ultimately getting that software onto victims’ computers is the job of someone else.

**The Traffers**

With electronic rap music playing in the background, a man stretches his hands forward and leans back into a chair. The camera pans around their alleged apartment: huge floor-to-ceiling windows in a large dining room, wood-paneled floors, and a funky chandelier. In another shot the man opens a laptop, types away, and then takes a sip of what looks like whiskey. The implication: This could be you if we work together.

This is one of a dizzying number of adverts on an underground forum called Lolz where “traffers” gather to look for new recruits. In this case, the man in the video is looking for people to push a fake casino tool that can steal people’s funds. But much of the rest of the “traffers” section is dedicated to proliferating infostealers. The job of these contractors is to help spread the malware or get them traffic, with teams vying for attention in a crowded marketplace. Each tries to one-up the other with outrageous advertising and branding. They use names such as “Billionaire Boys Club,” “Baphomet,” and “Chemodan.” Their adverts include animated GIFs of computer-generated luxury cars or private jets. Another for “Cryptoland Team” shows a knight in armor looking down at a skeleton in a hood writing on parchment paper. Cryptoland Team say they work with LummaC2 and another stealer called Rhadamanthys.

“Payment by logs or money. We give you a choice: Either you take the logs, or we buy them,” one advert from a team called Baphomet, with satanic branding, says.

Each lists the brand of infostealer they use, what split of the profits a collaborator can expect, and whether they allow an associate to take any extra exfiltrated logs. And most explicitly say that anyone they work with is prohibited from targeting the Commonwealth of Independent States (СНГ), or former members of the Soviet Union, which includes Belarus, Ukraine, and Russia. Collaborators then leave reviews and screenshots proving they’ve made money working with the team.

Many of these teams take new applications via their own Telegram bots. Some are strict in that they only want to work with people who are already experienced, while others seemingly take anyone on board. 404 Media was able to easily pass an application process for two traffer teams by answering some basic questions. After that, the bots sent links to the teams’ respective manuals, which lay out how to spread the malware.

One manual from Baphomet, for example, recommends bundling the stealer into cheating software for Roblox. It then describes how to set up a YouTube video advertising the cheat, and by extension, help propagate the malware.

Another advert from a traffer team says it works with TikTok, Telegram, Instagram, Twitter, Facebook, YouTube, YouTube Shorts, email newsletters, bloggers, and influencers. In the video of the hacker drinking whiskey, at one point his laptop shows a page on TikTok. Many of the manuals reflect this and recommend distributing infostealers via other social media sites or point to GitHub as an effective trafficking method.

Some infostealers are also hidden inside cracked or pirated software. One reason they’re so effective is that users are seeking the software out, not the other way around. People are actively searching for free software, be damned about the consequences.

A Google spokesperson said in an email, “We have policies in place to prevent spam, scams, or other deceptive practices that take advantage of the YouTube community. This includes prohibiting content where the main purpose is to trick others into leaving YouTube for another site.”

Meta did not respond to a request for comment. TikTok acknowledged a request but did not provide a response in time for publication.

And these traffers and others are clearly successful on a massive scale. Recorded Future says it sees 250,000 new infostealer infections every day.

**The Channels and Sites**

The harvested credentials are then fed into Telegram channels, where a tsunami of cookies and logins are available for purchase. The administrator for LummaC2 told me “This brings us good income, but I am not ready to disclose specific amounts,” referring to selling the stolen logs. Testing out the Telegram bot, it’s possible to filter by country, the number of cookies, or passwords available. 404 Media saw many U.S. logs available for sale. Over the past few weeks, some of these Telegram channels have been deleted. Telegram did not respond to a request for comment asking if it had taken action against them.

These, in turn, have their own branding, much like the traffers. Many channels also distribute stolen credentials for free, likely in an attempt to advertise their paid offerings. Even the freely available credentials can be devastating for a targeted organization. Earlier this year, a security researcher used exposed logins to compromise a server belonging to AU10TIX, an identity verification company that works with TikTok, Uber, and X. Those credentials came from a free stream available on Telegram, the researcher showed 404 Media at the time.

Some websites are also dedicated to, or have sections for, selling infostealer logs. Genesis Market is a site where the hackers responsible for the 2021 breach of Electronic Arts sourced a login token for the company’s Slack. In 2023, authorities shut down Genesis Market. But much of the credential selling has moved over to another long-running site, Russian Market, according to Recorded Future.

And this is where the hackers come in. Judische, the hacker linked to breaches at AT&T, Ticketmaster, and other companies that used Snowflake, likely lifted stolen credentials from these sorts of feeds and then used those to log into target servers. In some instances, those companies were not using multifactor authentication. But the power of logs is that they can sometimes bypass that extra layer of protection—a cookie can trick a service into thinking the user is trusted, and not prompt them for an extra login code.

Potentially with no idea how the logs were ultimately sourced, some English hackers ask in large group chats for passwords related to targets in particular countries. One I recently saw said they wanted logs for Canadian victims.

When interviewing Dark X, the alleged Hot Topic hacker, they seemed to sense another potential way to make some money. They mentioned they also sell logs.

“You wanna buy? haha,” they wrote.

Inside the Massive Crime Industry That’s Hacking Billion-Dollar Companies

A list of topics we covered in the week of October 28 to November 3 of 2024

November 1, 2024 - Fraudsters running the Phish 'n Ships campaign infected legitimate website and used SEO poisoning to redirect shoppers to their fake web shops

October 31, 2024 - Android malware FakeCall can intercept calls to the bank on infected devices and redirect the target to the criminals.

October 30, 2024 - Chrome issued a security update that patches two critical vulnerabilities. One of which was reported by Apple

October 29, 2024 - Apple has issued patches for several of its operating systems. The ones for iOS and iPadOS deserve your immediate attention.

October 28, 2024 - There is a whole ecosystem behind the sales and distribution of counterfeit goods. Best to stay away from them.

 A week in security (October 28 &#8211; November 3) 

Cybersecurity researchers have discovered a new version of a well-known Android malware family dubbed FakeCall that employs voice phishing (aka vishing) techniques to trick users into parting with their personal information.
"FakeCall is an extremely sophisticated Vishing attack that leverages malware to take almost complete control of the mobile device, including the interception of incoming

Mobile Security / Financial Fraud

Cybersecurity researchers have discovered a new version of a well-known Android malware family dubbed **FakeCall** that employs voice phishing (aka vishing) techniques to trick users into parting with their personal information.

"FakeCall is an extremely sophisticated Vishing attack that leverages malware to take almost complete control of the mobile device, including the interception of incoming and outgoing calls," Zimperium researcher Fernando Ortega said in a report published last week.

"Victims are tricked into calling fraudulent phone numbers controlled by the attacker and mimicking the normal user experience on the device."

FakeCall, also tracked under the names FakeCalls and Letscall, has been the subject of multiple analyses by Kaspersky, Check Point, and ThreatFabric since its emergence in April 2022. Previous attack waves have primarily targeted mobile users in South Korea.

The names of the malicious package names, i.e., dropper apps, bearing the malware are listed below -

*   com.qaz123789.serviceone
*   com.sbbqcfnvd.skgkkvba
*   com.securegroup.assistant
*   com.seplatmsm.skfplzbh
*   eugmx.xjrhry.eroreqxo
*   gqcvctl.msthh.swxgkyv
*   ouyudz.wqrecg.blxal
*   plnfexcq.fehlwuggm.kyxvb
*   xkeqoi.iochvm.vmyab

Like other Android banking malware families that are known to abuse accessibility services APIs to seize control of the devices and perform malicious actions, FakeCall uses it to capture information displayed on the screen and grant itself additional permissions as required.

Some of the other espionage features include capturing a wide range of information, such as SMS messages, contact lists, locations, and installed apps, taking pictures, recording a live stream from both the rear- and front-facing cameras, adding and deleting contacts, grabbing audio snippets, uploading images, and imitating a video stream of all the actions on the device using the MediaProjection API.

The newer versions are also designed to monitor Bluetooth status and the device screen state. But what makes the malware more dangerous is that it instructs the user to set the app as the default dialer, thus giving it the ability to keep tabs on all incoming and outgoing calls.

This not only allows FakeCall to intercept and hijack calls, but also enables it to modify a dialed number, such as those to a bank, to a rogue number under their control, and lure the victims into performing unintended actions.

In contrast, previous variants of FakeCall were found to prompt users to call the bank from within the malicious app imitating various financial institutions under the guise of a loan offer with a lower interest rate.

"When the compromised individual attempts to contact their financial institution, the malware redirects the call to a fraudulent number controlled by the attacker," Ortega said.

"The malicious app will deceive the user, displaying a convincing fake UI that appears to be the legitimate Android's call interface showing the real bank's phone number. The victim will be unaware of the manipulation, as the malware's fake UI will mimic the actual banking experience, allowing the attacker to extract sensitive information or gain unauthorized access to the victim's financial accounts."

The emergence of novel, sophisticated mishing (aka mobile phishing) strategies highlights a counter-response to improved security defenses and the prevalent use of caller identification applications, which can flag suspicious numbers and warn users of potential spam.

In recent months, Google has also been experimenting with a security initiative that automatically blocks the sideloading of potentially unsafe Android apps, counting those that request accessibility services, across Singapore, Thailand, Brazil, and India.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New FakeCall Malware Variant Hijacks Android Devices for Fraudulent Banking Calls

Operation EMERALDWHALE compromises over 15,000 cloud credentials, exploiting exposed Git and Laravel files. Attackers use compromised S3 buckets…

Operation EMERALDWHALE compromises over 15,000 cloud credentials, exploiting exposed Git and Laravel files. Attackers use compromised S3 buckets for storage, increasing the risks of phishing and cloud account breaches.

The Sysdig Threat Research Team discovered a global operation called EMERALDWHALE, which targeted Git configurations, resulting in over 15,000 cloud service credentials being stolen. The primary goal of stealing credentials was phishing and spam, with the credentials potentially worth hundreds of dollars per account.

****The Attack Chain****

The campaign used private tools to abuse misconfigured web services, allowing attackers to steal credentials, clone repositories, and extract cloud credentials from their source code. Over 10,000 private repositories were collected, and the stolen data was stored in a previous victim’s S3 bucket.

The Sysdig Threat Research Team reported that attackers used tools such as httpx and Masscan to scan large portions of the internet for servers with exposed Git configuration files (/.git/config) and Laravel environment files (.env). Upon finding exposed files, attackers leveraged tools like MZR V2 and Seyzo-v2 to extract sensitive information, including usernames, passwords, and API keys, using regular expressions to locate relevant data within the files.

The stolen credentials enabled attackers to clone private repositories, exposing additional sensitive data, such as source code. Verified credentials were then tested across various cloud services to find valid ones, which were afterwards used for malicious activities, including phishing, spam campaigns, or further compromises of cloud accounts. Ultimately, the attackers uploaded stolen data to compromised S3 buckets.

****EMERALDWHALE’s Tools of Choice****

The investigation identified two main tools used by EMERALDWHALE: MZR V2 (MIZARU) and Seyzo-v2. MZR V2, a suite of Python and shell scripts, supports target discovery, credential extraction, repository cloning, and credential validation. Similarly, Seyzo-v2 automates credential theft from exposed Git configurations through scripts, enabling attackers to locate and extract sensitive data efficiently.

In addition to Git configurations, EMERALDWHALE also targeted exposed Laravel environment files (.env). These files often contain sensitive information like database credentials and cloud service API keys. Multigrabber v8.5 is a popular tool used to exploit vulnerabilities in Laravel and steal this sensitive data.

Operation EMERALDWHALE is one of the examples of how the stolen credentials market has become a lucrative business for cybercriminals. For example, target lists of exposed Git configurations were found to be sold for around $100. Valid cloud service credentials can also be sold in bulk or through automated shops, fetching a huge profit for attackers.

Tools being sold on Telegram (Via Sysdig Threat Research Team)

The finding shows the importance of proper configuration management in securing sensitive information. Ensuring Git configuration files are not publicly accessible, limiting access to necessary variables, and conducting regular vulnerability scans are crucial to staying protected.

“This attack shows that secret management alone is not enough to secure an environment. There are just too many places credentials could leak from. Monitoring the behaviour of any identities associated with credentials is becoming a requirement to protect against these threats,” the report read.

Rom Carmel, Co-Founder and CEO at Apono, weighed in on the recent development stating “This is yet another example of how credentials remain a top target for hackers who follow the adage, ‘teach a man to phish, and he’ll have access for a lifetime.’_“_

“With the right credentials, attackers can access all resources an identity is privileged to, creating an endless list of potential targets. Given the rise in leaked credentials and the availability of phishing kits bypassing MFA, organizations must adopt an ‘assumed breach’ posture.”

1.  Best Practices for Cloud Computing Security
2.  Abandoned S3 Buckets Used for Malicious Payloads
3.  350 million credentials exposed on misconfigured AWS S3 bucket
4.  iOS and Android Users at Risk as Popular Apps Expose Cloud Keys
5.  AI Firm’s Misconfigured Server Leaked 5.3TB of Mental Health Records

EMERALDWHALE Steals 15,000+ Cloud Credentials, Stores Data in S3 Bucket

Ubuntu Security Notice 7088-1 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7088-1October 31, 2024linux, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm,linux-ibm-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systemsDetails:Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linuxkernel contained an integer overflow vulnerability. A local attacker coulduse this to cause a denial of service (system crash). (CVE-2022-36402)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - PowerPC architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - CPU frequency scaling framework;  - Device frequency scaling framework;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - InfiniBand drivers;  - Input Device core drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - EEPROM drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB subsystem;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - BPF subsystem;  - Core kernel;  - DMA mapping infrastructure;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Simplified Mandatory Access Control Kernel framework;  - SoC audio core drivers;  - USB sound devices;(CVE-2024-43894, CVE-2024-46737, CVE-2024-46828, CVE-2024-42244,CVE-2024-46723, CVE-2024-41073, CVE-2024-46756, CVE-2024-42288,CVE-2024-46840, CVE-2024-46771, CVE-2024-46757, CVE-2024-43860,CVE-2024-46747, CVE-2024-41017, CVE-2024-42246, CVE-2024-44988,CVE-2024-42281, CVE-2024-36484, CVE-2024-43856, CVE-2024-47668,CVE-2024-46759, CVE-2024-46744, CVE-2024-42289, CVE-2024-42131,CVE-2024-46679, CVE-2024-42304, CVE-2024-46818, CVE-2024-43858,CVE-2024-44960, CVE-2024-45028, CVE-2024-26885, CVE-2024-46676,CVE-2024-46780, CVE-2024-42310, CVE-2024-44987, CVE-2024-41090,CVE-2024-44954, CVE-2024-45026, CVE-2024-42285, CVE-2023-52614,CVE-2024-27051, CVE-2024-43880, CVE-2024-43839, CVE-2024-43884,CVE-2024-42311, CVE-2024-43893, CVE-2024-41072, CVE-2024-41091,CVE-2024-46758, CVE-2024-41022, CVE-2024-46745, CVE-2024-42305,CVE-2024-46673, CVE-2024-42284, CVE-2024-46844, CVE-2024-46677,CVE-2024-45025, CVE-2024-43861, CVE-2024-43914, CVE-2024-46783,CVE-2024-41012, CVE-2024-44999, CVE-2024-44946, CVE-2024-42276,CVE-2024-46740, CVE-2024-42295, CVE-2024-44947, CVE-2024-41059,CVE-2024-26669, CVE-2024-38602, CVE-2024-42306, CVE-2023-52918,CVE-2024-42297, CVE-2024-42229, CVE-2024-43853, CVE-2024-45006,CVE-2024-44998, CVE-2024-42283, CVE-2024-44952, CVE-2024-46761,CVE-2024-43841, CVE-2024-44944, CVE-2024-42313, CVE-2024-45008,CVE-2024-46714, CVE-2024-41065, CVE-2024-43883, CVE-2024-43867,CVE-2024-42286, CVE-2024-43879, CVE-2024-43846, CVE-2024-42280,CVE-2024-43854, CVE-2021-47212, CVE-2024-35848, CVE-2024-41020,CVE-2024-41068, CVE-2024-45021, CVE-2024-41098, CVE-2024-44965,CVE-2024-43890, CVE-2024-45003, CVE-2024-44969, CVE-2024-41011,CVE-2024-46738, CVE-2024-41071, CVE-2024-26800, CVE-2024-46721,CVE-2024-42292, CVE-2024-41081, CVE-2024-44948, CVE-2023-52531,CVE-2024-26891, CVE-2024-26641, CVE-2024-42287, CVE-2024-46722,CVE-2024-41042, CVE-2024-46675, CVE-2024-46743, CVE-2024-42259,CVE-2024-41015, CVE-2024-43908, CVE-2024-46719, CVE-2024-43871,CVE-2024-46739, CVE-2024-42301, CVE-2024-47659, CVE-2024-42271,CVE-2024-26668, CVE-2024-43835, CVE-2024-46829, CVE-2024-47667,CVE-2024-44995, CVE-2024-47669, CVE-2024-38611, CVE-2024-40929,CVE-2024-46815, CVE-2024-43830, CVE-2024-42309, CVE-2024-41063,CVE-2024-46782, CVE-2024-46777, CVE-2024-42265, CVE-2024-46781,CVE-2024-26607, CVE-2024-41064, CVE-2024-46685, CVE-2024-43882,CVE-2024-44935, CVE-2024-46800, CVE-2024-46822, CVE-2024-46755,CVE-2024-46817, CVE-2024-43829, CVE-2024-46798, CVE-2024-46689,CVE-2024-42290, CVE-2024-46750, CVE-2024-26640, CVE-2024-47663,CVE-2024-41070)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1082-ibm      5.4.0-1082.87  linux-image-5.4.0-1102-gkeop    5.4.0-1102.106  linux-image-5.4.0-1139-gcp      5.4.0-1139.148  linux-image-5.4.0-200-generic   5.4.0-200.220  linux-image-5.4.0-200-generic-lpae  5.4.0-200.220  linux-image-5.4.0-200-lowlatency  5.4.0-200.220  linux-image-gcp-lts-20.04       5.4.0.1139.141  linux-image-generic             5.4.0.200.196  linux-image-generic-lpae        5.4.0.200.196  linux-image-gkeop               5.4.0.1102.100  linux-image-gkeop-5.4           5.4.0.1102.100  linux-image-ibm-lts-20.04       5.4.0.1082.111  linux-image-lowlatency          5.4.0.200.196  linux-image-oem                 5.4.0.200.196  linux-image-oem-osp1            5.4.0.200.196  linux-image-virtual             5.4.0.200.196Ubuntu 18.04 LTS  linux-image-5.4.0-1082-ibm      5.4.0-1082.87~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1139-gcp      5.4.0-1139.148~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-200-generic   5.4.0-200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-200-lowlatency  5.4.0-200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-gcp                 5.4.0.1139.148~18.04.1                                  Available with Ubuntu Pro  linux-image-generic-hwe-18.04   5.4.0.200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-ibm                 5.4.0.1082.87~18.04.1                                  Available with Ubuntu Pro  linux-image-lowlatency-hwe-18.04  5.4.0.200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-oem                 5.4.0.200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-oem-osp1            5.4.0.200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-snapdragon-hwe-18.04  5.4.0.200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-virtual-hwe-18.04   5.4.0.200.220~18.04.1                                  Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7088-1  CVE-2021-47212, CVE-2022-36402, CVE-2023-52531, CVE-2023-52614,  CVE-2023-52918, CVE-2024-26607, CVE-2024-26640, CVE-2024-26641,  CVE-2024-26668, CVE-2024-26669, CVE-2024-26800, CVE-2024-26885,  CVE-2024-26891, CVE-2024-27051, CVE-2024-35848, CVE-2024-36484,  CVE-2024-38602, CVE-2024-38611, CVE-2024-40929, CVE-2024-41011,  CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41020,  CVE-2024-41022, CVE-2024-41042, CVE-2024-41059, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41068, CVE-2024-41070,  CVE-2024-41071, CVE-2024-41072, CVE-2024-41073, CVE-2024-41081,  CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42131,  CVE-2024-42229, CVE-2024-42244, CVE-2024-42246, CVE-2024-42259,  CVE-2024-42265, CVE-2024-42271, CVE-2024-42276, CVE-2024-42280,  CVE-2024-42281, CVE-2024-42283, CVE-2024-42284, CVE-2024-42285,  CVE-2024-42286, CVE-2024-42287, CVE-2024-42288, CVE-2024-42289,  CVE-2024-42290, CVE-2024-42292, CVE-2024-42295, CVE-2024-42297,  CVE-2024-42301, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42313,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43835, CVE-2024-43839,  CVE-2024-43841, CVE-2024-43846, CVE-2024-43853, CVE-2024-43854,  CVE-2024-43856, CVE-2024-43858, CVE-2024-43860, CVE-2024-43861,  CVE-2024-43867, CVE-2024-43871, CVE-2024-43879, CVE-2024-43880,  CVE-2024-43882, CVE-2024-43883, CVE-2024-43884, CVE-2024-43890,  CVE-2024-43893, CVE-2024-43894, CVE-2024-43908, CVE-2024-43914,  CVE-2024-44935, CVE-2024-44944, CVE-2024-44946, CVE-2024-44947,  CVE-2024-44948, CVE-2024-44952, CVE-2024-44954, CVE-2024-44960,  CVE-2024-44965, CVE-2024-44969, CVE-2024-44987, CVE-2024-44988,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45008, CVE-2024-45021, CVE-2024-45025,  CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46675,  CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685,  CVE-2024-46689, CVE-2024-46714, CVE-2024-46719, CVE-2024-46721,  CVE-2024-46722, CVE-2024-46723, CVE-2024-46737, CVE-2024-46738,  CVE-2024-46739, CVE-2024-46740, CVE-2024-46743, CVE-2024-46744,  CVE-2024-46745, CVE-2024-46747, CVE-2024-46750, CVE-2024-46755,  CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,  CVE-2024-46761, CVE-2024-46771, CVE-2024-46777, CVE-2024-46780,  CVE-2024-46781, CVE-2024-46782, CVE-2024-46783, CVE-2024-46798,  CVE-2024-46800, CVE-2024-46815, CVE-2024-46817, CVE-2024-46818,  CVE-2024-46822, CVE-2024-46828, CVE-2024-46829, CVE-2024-46840,  CVE-2024-46844, CVE-2024-47659, CVE-2024-47663, CVE-2024-47667,  CVE-2024-47668, CVE-2024-47669Package Information:  https://launchpad.net/ubuntu/+source/linux/5.4.0-200.220  https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1139.148  https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1102.106  https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1082.87

Ubuntu Security Notice USN-7088-1

Cybersecurity researchers have disclosed a new phishing kit that has been put to use in campaigns targeting Australia, Japan, Spain, the U.K., and the U.S. since at least September 2024.
Netcraft said more than 2,000 phishing websites have been identified the kit, known as Xiū gǒu, with the offering used in attacks aimed at a variety of verticals, such as public sectors, postal, digital services

Cybersecurity researchers have disclosed a new phishing kit that has been put to use in campaigns targeting Australia, Japan, Spain, the U.K., and the U.S. since at least September 2024.

Netcraft said more than 2,000 phishing websites have been identified the kit, known as Xiū gǒu, with the offering used in attacks aimed at a variety of verticals, such as public sectors, postal, digital services, and banking services.

"Threat actors using the kit to deploy phishing websites often rely on Cloudflare's anti-bot and hosting obfuscation capabilities to prevent detection," Netcraft said in a report published Thursday.

Some aspects of the phishing kit were documented by security researchers Will Thomas (@ BushidoToken) and Fox\_threatintel (@banthisguy9349) last month.

Phishing kits like Xiū gǒu pose a risk because they could lower the barrier of entry for less skilled hackers, potentially leading to an increase in malicious campaigns that could lead to theft of sensitive information.

Xiū gǒu, which is developed by a Chinese-speaking threat actor, provides users with an admin panel and is developed using technologies like Golang and Vue.js. The kit is also designed to exfiltrate credentials and other information from the fake phishing pages hosted on the ".top" top-level domain via Telegram.

The phishing attacks are propagated via Rich Communications Services (RCS) messages rather than SMS, warning recipients of purported parking penalties and failed package deliveries. The messages also instruct them to click on a link that's shortened using a URL shortener service to pay the fine or update the delivery address.

"The scams typically manipulate victims into providing their personal details and making payments, for example, to release a parcel or fulfill a fine," Netcraft said.

RCS, which is primarily available via Apple Messages (starting with iOS 18) and Google Messages for Android, offers users an upgraded messaging experience with support for file-sharing, typing indicators, and optional support for end-to-end encryption (E2EE).

In a blog post late last month, the tech giant detailed the new protections it's taking to combat phishing scams, including rolling out enhanced scam detection using on-device machine learning models to specifically filter out fraudulent messages related to package delivery and job opportunities.

Google also said it's piloting security warnings when users in India, Thailand, Malaysia, and Singapore receive text messages from unknown senders with potentially dangerous links. The new protections, which are expected to be expanded globally later this year, also block messages with links from suspicious senders.

Lastly, the search major is adding the option to "automatically hide messages from international senders who are not existing contacts" by moving them to the "Spam & blocked" folder. The feature was first enabled as a pilot in Singapore.

The disclosure comes as Cisco Talos revealed that Facebook business and advertising account users in Taiwan are being targeted by an unknown threat actor as part of a phishing campaign designed to deliver stealer malware such as Lumma or Rhadamanthys.

The lure messages come embedded with a link that, when clicked, takes the victim to a Dropbox or Google Appspot domain, triggering the download of a RAR archive packing a fake PDF executable, which serves as a conduit to drop the stealer malware.

"The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware," Talos researcher Joey Chen said, adding the activity has been ongoing since July 2024.

"The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance."

Phishing campaigns have also been observed impersonating OpenAI targeting businesses worldwide, instructing them to immediately update their payment information by clicking on an obfuscated hyperlink.

"This attack was sent from a single domain to over 1,000 recipients," Barracuda said in a report. "The email did, however, use different hyperlinks within the email body, possibly to evade detection. The email passed DKIM and SPF checks, which means that the email was sent from a server authorized to send emails on behalf of the domain. However, the domain itself is suspicious."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Phishing Kit Xiū gǒu Targets Users Across Five Countries With 2,000 Fake Sites

Android malware FakeCall can intercept calls to the bank on infected devices and redirect the target to the criminals.

An Android banking Trojan called FakeCall is capable of hijacking the phone calls you make to your bank. Instead of reaching your bank, your call will be redirected to the cybercriminals.

The Trojan accomplishes this by installing itself as the default call handler on the infected device. The default call handler app is responsible for managing incoming and outgoing calls, allowing users to answer or reject calls, as well as initiate calls.

As you can imagine handing these options to a malicious app comes with some serious risks.

Last time FakeCall reared its head, BleepingComputer reported that the malware was being distributed as fake banking apps that impersonate large financial institutions, as well as being distributed in phishing emails. When the receiver clicked a link in the email they’d download an Application Package (APK file) which acted as a dropper for the malicious app.

Likely without realizing, when the user gives the app permission to set it as the default call handler, the malware gains permission to intercept and manipulate both outgoing and incoming calls.

The FakeCall malware abuses this trust by hijacking the user’s call to a financial institution. To better understand how the attackers use this, you’ll need to know that FakeCall is a very versatile tool. It can also steal sensitive information from the infected devices which enables the cybercriminals to deploy targeted attacks against the owners of infected devices.

They will know which bank the target primarily uses and will send them offers that might be of interest to them, via in-app notifications or vishing (voice-phishing). The cybercriminals may, for example, offer a loan with a low interest rate and ask the target to call if they’re interested.

Regardless, whether the target uses the displayed phone number or tries to directly call the number of his bank, the call will get redirected to the criminals.

The FakeCall app is hard to detect since it uses several methods to evade detection, and it uses several names to mimic legitimate banking apps. This is where Malwarebytes for Android can help you, by identifying these apps and removing them.

Malwarebytes for Android detects FakeCall as Android/Trojan.Banker.Fakecall.

 Android malware FakeCall intercepts your calls to the bank 

A malvertising campaign is exploiting Meta’s platform to spread SYS01 infostealer, targeting men 45+ via fake ads for…

A malvertising campaign is exploiting Meta’s platform to spread SYS01 infostealer, targeting men 45+ via fake ads for popular software. The malware steals Facebook credentials, hijacks accounts espicially those administrating business pages, and spreads further attacks globally.

A new malvertising campaign is exploiting Meta’s advertising platform to spread the **SYS01 infostealer**, a cybersecurity threat known to Meta and particularly Facebook users for stealing their personal information.

What makes this attack targeted is that millions of users globally, specifically men aged 45 and above, are potential victims of this ongoing attack, which cleverly disguises itself as advertisements for popular software, games, and online services.

This campaign, first detected in September 2024, stands out due to its impersonation tactics and popular brands that it exploits. Instead of focusing on a single lure, the attackers mimic a broad range of trusted brands, including productivity tools like Office 365, creative software like Canva and Adobe Photoshop, VPN services like ExpressVPN, streaming platforms like Netflix, messaging apps like Telegram, and even popular video games like Super Mario Bros Wonder.

****How the Attack Works:****

According to Bitdefender’s **blog post** shared with Hackread.com ahead of publishing on Wednesday, the malicious ads often lead to MediaFire links offering direct downloads of seemingly legitimate software. These downloads, packaged as zip archives, contain a malicious Electron application.

Once executed, this application drops and **runs the SYS01 infostealer**, often while displaying a decoy app that mimics the advertised software. This deceptive tactic makes it difficult for victims to realize they’ve been compromised.

For your information, an Electron application is a type of desktop app built with web technologies like HTML, CSS, and JavaScript. Electron is an open-source framework developed by GitHub that allows developers to create cross-platform applications that run on Windows, macOS, and Linux, all from a single codebase.

In this attack however, behind the scenes, the Electron app uses obfuscated Javascript code and a standalone 7zip executable to extract a password-protected archive containing the core malware components. This archive includes PHP scripts responsible for **installing the infostealer** and establishing persistence on the victim’s system. The malware also incorporates anti-sandbox checks to evade detection by security researchers.

****Stealing Data and Hijacking Accounts:****

The primary goal of the SYS01 infostealer is to harvest Facebook credentials, particularly those associated with business accounts. These compromised accounts are then used to further attacks/scams.

What’s worse, the attack also leverages the advertising capabilities of hijacked accounts, allowing attackers to create **new malicious ads** that appear more legitimate and easily bypass security filters. This creates a self-sustaining cycle where stolen accounts are used to spread the malware even further. The stolen credentials are also likely sold on underground marketplaces, further enriching the criminals.

Fake Netflix, Super Mario Bros. Wonder, and other malicious ads are currently being used in the campaign (Via Bitdefender)

****Global Reach and Protection****

While the campaign has a global reach, impacting users in the EU, North America, Australia, and Asia, Bitdefender could not verify the full extent of its impact, especially outside the EU, which remains unclear due to limited data transparency.

Nevertheless, if you are on Facebook—especially if you run a business page—you must watch out for SYS01 Infostealer and **similar threats**. While using common sense is essential, here are some vital steps you should take:

1.  **Monitor your accounts:** Regularly check your Facebook and other social media accounts for suspicious activity. Report any unauthorized access immediately and change your passwords.
2.  **Be wary of ads:** Exercise caution when clicking on ads, especially those offering free downloads or deals that seem too good to be true. Verify the source before downloading any software.
3.  **Stick to official sources:** Download software directly from official websites or trusted app stores. Avoid third-party platforms and file-sharing services.
4.  **Use strong security software:** Install reputable security software and keep it updated. Choose a solution that offers real-time protection and advanced threat detection.
5.  **Enable two-factor authentication (2FA):** Activate 2FA on your Facebook and other important online accounts for added security.

1.  **Fake GTA VI Beta Download Spreads Malware**
2.  **ALPHV Ransomware Uses Google Ads to Target Victims**
3.  **Fake WhatsApp clone steals crypto on Android and Windows**
4.  **Facebook, Meta, Apple, Amazon Most Impersonated in Scams**
5.  **Fake ChatGPT and Facebook Ads Used in DNS Investment Scam**

Fake Meta Ads Hijacking Facebook Accounts to Spread SYS01 Infostealer

A new variant of the sophisticated attacker tool gives cybercriminals even more control over victim devices to conduct various malicious activities, including fraud and cyber espionage.

Source: Brian Jackson via Alamy Stock Photo

A new variant of a sophisticated malware that helps attackers carry out advanced voice and mobile phishing (aka vishing and mishing) attacks against Android users has evolved with new capabilities that extend their control over compromised devices to commit further malicious activities.

FakeCall, a malware that's been tracked by various research groups since at least 2022, conducts the attacks by tricking victims into calling fraudulent phone numbers controlled by the attacker, and then impersonating a typical conversation with bank employees or other entities aimed at defrauding the user in some way.

FakeCall's capability historically lies inherently in its design for communicating with an attacker-controlled command-and-control (C2) server, enabling it to execute a range of actions aimed at deceiving the end user. In addition to allowing attackers to control a person's phone calls, it also allows them to gain access to various permissions to Android devices for other malicious activity.  

Researchers at Zimperium zLabs now have discovered a new variant of FakeCall that adds novel capabilities — some of which appear to be under development — that give attackers even more capabilities to monitor people's device activity and control the device with even more precision, they revealed in a blog post published today.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

The variant demonstrates attackers coming up with new and strategic ways to create a more seamless integration with Android devices, which can help the malware avoid detection and remain active on a user's device without them knowing, the researchers found.

**FakeCall's Extension of Malicious Capabilities**

Specifically, one of the features allows for the malware to integrate with Android's Accessibility Service to give attackers "significant control over the user interface and the ability to capture information displayed on the screen," according to the post.

The feature demonstrates how attackers can evolve past simple device permissions to abuse an even more complex attack vector, "granting attackers near-total control to intercept calls, access sensitive data, and manipulate the user interface," notes Jason Soroko, senior fellow at Sectigo, a provider of certificate life-cycle management (CLM).

By seamlessly mimicking legitimate interfaces, attackers also are making detection by users "nearly impossible," he says, highlighting a critical need for advanced security solutions capable of detecting this threat.

Other new features extend FakeCall's persistent spyware capabilities, which have existed since it was first discovered and set it apart from other vishing and mishing attacks, which tend to be a one-time engagement. One of these is a Bluetooth receiver that acts as a listener to monitor Bluetooth status and changes, while the other is similar, but it acts as a screen receiver to monitor the state of the device's screen.

Related:French ISP Confirms Cyberattack, Data Breach Affecting 19M

**How a FakeCall Attack Works**

FakeCall was first detailed by researchers at Kaspersky in April 2022 as a banking Trojan with extended capability to intercept calls that users make with their banks, to create a fake customer-service experience for malicious purposes.

The malware also had some spyware capabilities, including a feature to turn on a device's microphone and send recordings from it to an attacker's C2 server; the ability to secretly broadcast audio and video from the phone in real time; and the option to pinpoint device location.

A typical FakeCall attack begins when victims download a malicious APK file (masquerading as a legitimate app) onto an Android mobile device through a phishing attack, which acts as a dropper for FakeCall. When launched, the app prompts the user to set it as the default call handler and, once designated, attackers can manage all incoming and outgoing calls. The malware then displays a custom interface mimicking the native Android dialer, seamlessly integrating its malicious functionality.

Related:Delta Launches $500M Lawsuit Against CrowdStrike

While the primary function of FakeCall is to monitor outgoing calls and transmit info to attackers via a C2 server, cyberattackers also can commit other malicious activities using the malware. These include identity fraud, which can be done by exploiting FakeCall's position as the default call handler. The malware can modify the dialed number, replacing it with a malicious one and thus deceiving users into making fraudulent calls.

Attackers also can use FakeCall's adversary-in-the-middle (AitM) approach to hijack incoming and outgoing calls, to make unauthorized connections with other mobile device users. "In this case, users may be unaware until they remove the app or restart their device," according to the post.

**Defending Against FakeCall Attacks**

As vishing and mishing attacks have become a worldwide epidemic that defrauds users of millions of dollars annually — including even the most tech-savvy individuals — it's imperative that people learn to defend themselves from sophisticated versions of these attacks, experts say.

One way to do this is to scrutinize carefully any Android apps being downloaded or used on devices, and to only acquire apps from trusted app stores, Soroko says.

FakeCall is especially dangerous to enterprises given that mobile these days is a primary tool for doing business. This makes compromise of that device potentially "catastrophic," notes Mika Aalto, co-founder and CEO at Hoxhunt, a human risk management platform.

To avoid this scenario, the most important thing that companies can do, Aalto says, is to "equip senior management and employees with the skills and tools to recognize and safely report a mobile phishing attack."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#android