Picus Security Raises $45M in Funding

Picus Security, a San Francisco, CA-based security validation company, raised $45M in funding. The round, which brought total funds raised to $80M, was led by Riverwood Capital, with participation from existing investor Earlybird Digital East Fund.

Cyware News – Latest Cyber News – ​Read More

US DoJ Charged Two Men With Stealing and Laundering $230 Million Worth of Cryptocurrency

Two suspects, Malone Lam and Jeandiel Serrano, were arrested by the US Department of Justice for stealing and laundering over $230 million worth of cryptocurrency in Miami.

Cyware News – Latest Cyber News – ​Read More

Kransom Ransomware: New Threat Using DLL-Sideloading to Hijack Popular RPG

Recently, our team of analysts discovered a sample of a yet-unknown ransomware that they dubbed Kransom. The malware employed the malicious DLL-sideloading technique to hijack the execution flow of an .exe file belonging to the popular game Honkai: Star Rail. Here is everything we have on the threat so far.

Initial Infection Vector

View the sandbox session for detailed analysis.

The archive distributed as part of the Kransom attack analyzed in the ANY.RUN sandbox

The Kransom ransomware attack began with a deceptive archive containing two files: an executable and a DLL (Dynamic Link Library) file.

The certificate of the executable found inside the archive

The executable was signed with a valid certificate from COGNOSPHERE PTE. LTD, the publishing company for Honkai: Star Rail, a popular RPG. 



DLL Side-Loading Technique

The .exe and .dll files extracted from the archive in the ANY.RUN sandbox

Kransom employs a technique known as DLL side-loading to evade detection and inject its malicious payload. The method involves loading a malicious DLL into the process of a legitimate application.

ANY.RUN sandbox lists all the malicious activities performed by the ransomware 

Upon launching the legitimate executable named “StarRail.exe”, the user triggers the loading of the malicious DLL (see analysis of StarRailBase.dll), which is responsible for initiating the infection and encrypting the victim’s files.
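The loading pattern described above can be hunted for in image-load telemetry. The following is an added example, not code from the ANY.RUN analysis: it uses Sysmon Event ID 7 field names, and it assumes the host's main module is logged as an image load too. The paths, the benign app and the unsigned state of the DLL are constructed.

```python
import ntpath  # Windows path rules on any OS

# Directories a standard user can write to (assumed list, tune per environment).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def ev(image, loaded, signer=None):
    """Build a constructed record with the Sysmon Event ID 7 fields used below.
    Real Sysmon logs "true"/"false" strings for Signed; normalise before use."""
    return {"Image": image, "ImageLoaded": loaded, "Signed": signer is not None,
            "Signature": signer or "",
            "SignatureStatus": "Valid" if signer else "Unavailable"}


GAME = r"C:\Users\analyst\Downloads\archive"   # constructed path
APP = r"C:\Users\analyst\AppData\Local\Notes"  # constructed benign app
EVENTS = [
    ev(GAME + r"\StarRail.exe", GAME + r"\StarRail.exe", "COGNOSPHERE PTE. LTD"),
    ev(GAME + r"\StarRail.exe", GAME + r"\StarRailBase.dll"),  # unsigned DLL
    ev(GAME + r"\StarRail.exe", r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ev(APP + r"\notes.exe", APP + r"\notes.exe", "Example Vendor"),
    ev(APP + r"\notes.exe", APP + r"\notescore.dll", "Example Vendor"),
]


def is_valid(e):
    return e["Signed"] and e["SignatureStatus"] == "Valid"


def find_sideload_candidates(events):
    """Return (host exe, DLL) pairs where a validly signed executable loads an
    unsigned or differently signed DLL from its own user-writable directory."""
    # Assumption: the main module appears as Image == ImageLoaded, which
    # gives us the signer of the host executable.
    exe_signer = {e["Image"].lower(): e["Signature"] for e in events
                  if e["Image"].lower() == e["ImageLoaded"].lower() and is_valid(e)}
    hits = []
    for e in events:
        exe, dll = e["Image"].lower(), e["ImageLoaded"].lower()
        signer = exe_signer.get(exe)
        if exe == dll or signer is None:
            continue  # the main module itself, or a host that is not validly signed
        same_dir = ntpath.dirname(exe) == ntpath.dirname(dll)
        writable = any(part in dll for part in USER_WRITABLE)
        same_signer = is_valid(e) and e["Signature"] == signer
        if same_dir and writable and not same_signer:
            hits.append((ntpath.basename(e["Image"]), ntpath.basename(e["ImageLoaded"])))
    return hits


if __name__ == "__main__":
    print(find_sideload_candidates(EVENTS))
```

The same-signer test is what keeps the benign app, which ships its own DLL from a user-writable folder, out of the results.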

File Encryption Method

Kransom utilizes a simple XOR encryption algorithm with a weak key (0xaa) to encrypt files on the infected system.

The Static discovering window displaying one of the encrypted files

ANY.RUN’s sandbox helps you track all the encrypted files and see their contents.
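Because XOR with a fixed byte is its own inverse, files encrypted this way can be restored without the attacker's involvement. The recovery sketch below is an added example, not code from the ANY.RUN analysis; it assumes the whole file is XORed with the single byte 0xaa, goes slightly beyond the article by accepting other candidate keys, and runs on a constructed sample.

```python
KRANSOM_KEY = 0xAA  # single-byte key reported in the article

# Leading bytes of common document formats, used to confirm a correct key.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip (docx/xlsx/pptx)",
    b"\xff\xd8\xff": "jpeg",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a one-byte XOR key; the operation is its own inverse."""
    table = bytes(b ^ key for b in range(256))
    return data.translate(table)


def identify(data: bytes):
    """Return the format name if data starts with a known magic number."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def recover(blob: bytes, keys=(KRANSOM_KEY,)):
    """Return (key, format, plaintext) for the first key whose output starts
    with a known magic number. Key 0 means the file was never encrypted.
    Returns None when no key fits, e.g. plain text files that have no header."""
    kind = identify(blob)
    if kind:
        return 0, kind, blob
    for key in keys:
        kind = identify(xor_bytes(blob[:16], key))
        if kind:
            return key, kind, xor_bytes(blob, key)
    return None


# Constructed sample: a tiny PDF header encrypted the way the article describes.
SAMPLE_PLAIN = b"%PDF-1.7\n% constructed sample, not a real victim file\n"
SAMPLE_ENC = xor_bytes(SAMPLE_PLAIN, KRANSOM_KEY)

if __name__ == "__main__":
    print(recover(SAMPLE_ENC))
```

Work on copies of the affected files, and pass `keys=range(1, 256)` if a variant turns up with a different byte.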

Ransom Note

Following successful file encryption, Kransom drops a ransom note that instructs the user to contact “hoyoverse” for solutions. 

The ransom note shared with victims

This is a social engineering tactic designed to impersonate the game’s legitimate developer, Hoyoverse, and extort money from victims.

Collecting Threat Intelligence on Kransom Ransomware

To stay updated on the latest Kransom attacks and enrich your investigations into this and other threats, use Threat Intelligence Lookup.

The service pulls threat data from thousands of public malware and phishing samples analyzed in the ANY.RUN sandbox on a daily basis.

It lets you search its database using over 40 different parameters, helping you zero in on threats using details such as registry keys, IP addresses, mutexes, and more.

Here is an example of a query you can use to find more samples of Kransom that use the DLL-sideloading technique:

We can gather more intelligence using the name of the file used in the attack 

The service returns more than 20 sandbox sessions that you can explore along with synchronization events and files that match the query.



Conclusion

The targeting of games like Honkai: Star Rail in ransomware attacks suggests a potential risk of threat actors using similar methods with other popular software. Organizations need to stay alert and take proactive steps to protect their systems. This includes being careful with downloads from unknown sources, installing official software updates, and using reliable tools like ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup as part of a layered security architecture.

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need


The post Kransom Ransomware: New Threat Using DLL-Sideloading to Hijack Popular RPG appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Necro Trojan infects 11 million Android devices | Kaspersky official blog

Here at Kaspersky Daily we’re forever urging readers of our blog to be real careful when downloading content to their devices. After all, even Google Play isn’t immune to malware — let alone unofficial sources with mods and hacked versions. For as long as the digital world keeps turning, Trojans will continue to worm their way onto devices that don’t have reliable protection.

Today we tell the story of how 11 million Android users worldwide fell victim to the Necro Trojan. Read on to learn which apps we found it in — and how to protect yourself.

What is Necro

Our regular readers may recall reading about Necro when we first wrote about it back in 2019. Back then, our experts discovered a Trojan in CamScanner, a text recognition app, which had clocked up over 100 million downloads on Google Play. Now the “necromancers” have injected new blood into the old Trojan: we found a version richer in features both in popular apps on Google Play and in various app mods on unofficial sites. Most likely, the developers of these apps used an unverified ad integration tool through which Necro infiltrated the code.

Today’s Necro is a loader obfuscated to avoid detection (but that didn’t stop us from finding it). It downloads the malicious payload in a no less crafty way, using steganography to hide its code in a seemingly harmless image.

And downloaded malicious modules are able to load and run any DEX files (compiled code written for Android), install downloaded apps, tunnel through the victim’s device, and even — potentially — take out paid subscriptions. In addition, they can display and interact with ads in invisible windows, as well as open arbitrary links and run any JavaScript code.

Read more about how Necro is designed and how it operates on our Securelist blog.

Where Necro hides

We found traces of the malware in a user-modded version of Spotify, in the photo editing app Wuta Camera, in Max Browser, and in mods for both WhatsApp and popular games (including Minecraft).

In modded Spotify

At the very start of our investigation, our eye was caught by an unusual modification of the Spotify Plus app. Users were invited to download a new version of their favorite app from an unofficial source — for free and with an unlocked subscription offering unlimited listening, both online and off. The nice green Download Spotify MOD APK button looks so tempting, right? Stop! It’s malware. Never mind the Security Verified and Official Certification guarantees; this app will wreak havoc.

Well I never, all versions are viewable. Could Necro or other Trojans be lurking there too?

When this app was launched, the Trojan sent information about the infected device to the attackers’ C2 server, and in response got a link to download a PNG image. The malicious payload was hidden in this image by means of steganography.

In apps on Google Play

While the Spotify mod was distributed through unofficial channels, the Necro-infected Wuta Camera found its way onto Google Play, from where the app was downloaded more than 10 million times. According to our data, the Necro loader penetrated version 6.3.2.148 of Wuta Camera, with clean versions starting from 6.3.7.138. So, if your version is lower than that, you need to update immediately.

The impressive download count and decent ratings masked a Trojan

Max Browser’s audience is much smaller — just one million users. Necro infiltrated its app code in version 1.2.0. The app was removed from Google Play following our notification, but it’s still available on third-party resources. These, of course, should be trusted even less, since trojanized versions of the browser may still live there.

In mods for WhatsApp, Minecraft, and other popular apps

Alternative messenger clients usually boast more features than their official cousins. But you should treat all mods, be they on Google Play or a third-party site, as suspicious, for they often come bundled with Trojans.

For instance, we found mods for WhatsApp with the Necro loader being distributed from unofficial sources, as well as mods for Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. And this selection sure isn’t random — attackers always target the most popular games and apps.

How to guard against Necro

First of all, we strongly advise against downloading apps from unofficial sources because the risk of device infection is extremely high. Secondly, apps on Google Play and other official platforms should also be treated with a healthy dose of skepticism. Even a popular app like Wuta Camera, with 10 million downloads, proved powerless in the face of Necro.

Make sure to protect your devices so as not to be caught off guard by a Trojan. Kaspersky for Android detects Necro and other similar malware.
Check the app page in the store before downloading. We particularly recommend looking at reviews with low ratings, as these generally give heads-up about potential pitfalls. Rave reviews could be fake, while a high overall score is easy to inflate.
Don’t look for mods or hacked versions. Such apps are almost always stuffed with all kinds of Trojans: from the most harmless to mobile spyware like CanesSpy.

Kaspersky official blog – ​Read More

Cybersecurity Products Conking Out After macOS Sequoia Update

macOS Sequoia updates are causing cybersecurity software failures and breaking network connectivity for many.

The post Cybersecurity Products Conking Out After macOS Sequoia Update appeared first on SecurityWeek.

SecurityWeek – ​Read More

SambaSpy RAT Targets Italian Users in a Unique Malware Campaign

This unique malware campaign stood out for its precise targeting of Italian victims, with checks implemented to ensure the system language was set to Italian before infecting the device.

Cyware News – Latest Cyber News – ​Read More

Lumma Stealer Malware Campaign Exploits Fake CAPTCHA Pages

The Lumma Stealer malware is being distributed through deceptive human verification pages that trick Windows users into running malicious PowerShell commands, leading to sensitive information theft.

Cyware News – Latest Cyber News – ​Read More

New PondRAT Malware Hidden in Python Packages Targets Software Developers

Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign.
PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has been previously attributed to the Lazarus Group and deployed in

The Hacker News – ​Read More

Undetected Android Spyware Targeting Individuals In South Korea

Key Takeaways


Since June 2024, a new Android Spyware campaign has been identified targeting individuals in South Korea, leveraging an Amazon AWS S3 bucket as its Command and Control (C&C) server.

The Spyware is capable of exfiltrating sensitive information from an infected device, including SMSs, contact lists, images, and videos.

The stolen data, stored openly on the S3 bucket, suggests poor operational security, potentially leading to unintended leaks of sensitive information.

The spyware operates with a simple source code and few key permissions, demonstrating that even simple malware can be highly effective in exfiltrating sensitive data.

The malware remained undetected by all major antivirus solutions. Four unique samples were identified, exhibiting zero detection rates across all engines.

Overview

Cyble Research and Intelligence Labs (CRIL) has uncovered a previously undetected Android spyware campaign targeting individuals in South Korea, which has been active since June 2024. The spyware leverages an Amazon AWS S3 bucket as its Command and Control (C&C) server and is designed to exfiltrate sensitive data from compromised devices, including contacts, SMS messages, images, and videos.

The spyware samples observed disguise themselves as live video apps, adult apps, refund apps, and interior design applications. Below are the icons used by the malware.

Two malicious URLs distributing the spyware have been identified:


hxxps://refundkorea[.]cyou/REFUND%20KOREA.apk

hxxps://bobocam365[.]icu/downloads/pnx01.apk

Since its emergence, this malware has remained undetected by all security solutions, allowing it to operate stealthily. CRIL has identified four unique samples linked to this spyware, all exhibiting zero detection rates across major antivirus engines.

All identified spyware samples were observed communicating with the same Command and Control (C&C) server hosted on an Amazon S3 bucket: hxxps://phone-books[.]s3.ap-northeast-2.amazonaws.com/. Our analysis revealed that the stolen data, including contacts, SMS messages, images, and videos, was openly stored in the S3 bucket (C&C server), further confirming that the malware specifically targeted individuals in South Korea.

The attackers’ poor operational security resulted in the unintentional exposure of sensitive data. We reported the misuse of the Amazon AWS S3 bucket to Amazon Trust and Safety, which disabled access to the URL and made the data no longer accessible. Furthermore, our investigation found no other C&C servers utilizing S3 buckets or exposing stolen data linked to this campaign.

Technical Details

After installation, all spyware samples display a single screen with a message in Korean tailored to the app’s theme.

The source code of this spyware is relatively simple. It utilizes a minimal set of permissions, including “READ_SMS,” “READ_CONTACTS,” and “READ_EXTERNAL_STORAGE,” to carry out its malicious operations. The manifest file specifies only the main activity, which triggers the malicious functionality upon execution.
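The manifest profile described above (the three data-access permissions plus a single main activity and nothing else) can be checked during APK triage. This is an added example, not CRIL's tooling: it assumes the manifest has already been decoded to text XML, and both sample manifests and their package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions named in the report.
PROFILE = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
}
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed manifests for illustration only.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.livevideo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".Inbox"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".SmsReceiver"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Report which profile permissions an app requests and whether its only
    declared component is a single activity, as in the samples described."""
    # Manifests come from untrusted APKs; prefer a hardened parser such as
    # defusedxml when running this outside an isolated analysis machine.
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    counts = {tag: (len(app.findall(tag)) if app is not None else 0)
              for tag in COMPONENTS}
    single_activity = counts["activity"] == 1 and sum(counts.values()) == 1
    hit = PROFILE & requested
    return {
        "package": root.get("package"),
        "sensitive_permissions": sorted(hit),
        "components": counts,
        "matches_profile": hit == PROFILE and single_activity,
    }


if __name__ == "__main__":
    for manifest in (SUSPECT, BENIGN):
        print(triage_manifest(manifest))
```

A match is a reason to look closer, not a verdict, since legitimate apps can request the same permissions.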

Upon installation, the spyware requests the necessary permissions; once granted, it executes its malicious functions. These functions, responsible for collecting data from the infected device, are executed within the API method “onRequestPermissionsResult”, as illustrated in the image below.

To exfiltrate images and videos, the malware queries the device’s content provider and uploads each file to the C&C server via the endpoint “/media/+filename”. This behavior is evident in the exposed data, as shown in Figure 3.

The malware gathers contacts and SMS messages from the infected device and stores them in two separate files: phone.json for contacts and sms.json for SMS data. These files are then transmitted to the C&C server, as demonstrated in the figure below.

Conclusion

This campaign highlights the growing sophistication of Android spyware targeting individuals in South Korea. By utilizing an Amazon AWS S3 bucket for Command and Control infrastructure, the threat actors were able to maintain stealth and evade detection for an extended period. This spyware strain utilizes a minimalist approach—leveraging only a few key permissions to exfiltrate sensitive data such as contacts, SMS messages, images, and videos—and demonstrates how even simple malware can be extremely effective.

It is concerning that attackers are increasingly turning to trusted cloud services like AWS as part of their malicious infrastructure. This tactic allows them to bypass traditional security measures and stay under the radar.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:


Download and install software only from official app stores like Google Play Store or the iOS App Store.

Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.

Use strong passwords and enforce multi-factor authentication wherever possible.

Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.

Be wary of opening any links received via SMS or emails delivered to your phone.

Ensure that Google Play Protect is enabled on Android devices.

Be careful while enabling any permissions.

Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Procedure |
| --- | --- | --- |
| Initial Access (TA0027) | Phishing (T1660) | Malware distribution via phishing site |
| Collection (TA0035) | Protected User Data: Contact List (T1636.003) | The malware collects contacts from the infected device |
| Collection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Steals SMSs from the infected device |
| Collection (TA0035) | Data from the Local System (T1533) | Malware steals images and videos from an infected device |
| Command and Control (TA0037) | Application Layer Protocol: Web Protocols (T1437) | Malware uses HTTPS protocol for C&C communication |
| Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sending exfiltrated data over C&C server |

Indicators of Compromise (IOCs)

Indicators
Indicator Type
Description

hxxps://phone-books.s3.ap-northeast-2.amazonaws.com/
URL
C&C server

hxxps://bobocam365[.]icu/downloads/pnx01.apk
hxxps://refundkorea[.]cyou/REFUND%20KOREA.apk
URL
Distribution URL

The post Undetected Android Spyware Targeting Individuals In South Korea appeared first on Cyble.

Blog – Cyble – ​Read More

Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware

A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw impacting OSGeo GeoServer GeoTools.
The intrusion activity, which was detected by Trend Micro in July 2024, has been attributed to a threat actor dubbed Earth Baxia

The Hacker News – ​Read More