Cyble Recognized in G2 Fall 2024 Report as a Testament to Excellence in Brand Intelligence 

In an era where cybersecurity is paramount, the recognition and reputation of a security solution provider can significantly influence its credibility and market standing. Cyble has once again set a higher benchmark in the cybersecurity industry by achieving multiple prestigious accolades in the G2 Fall 2024 Report. These achievements include being recognized as a High Performer Fall, Leader Asia Fall, Leader Asia Pacific Fall, Easiest to Use Fall, and Easiest Setup Fall 2024 in the Brand Intelligence category. This comprehensive recognition underscores Cyble’s commitment to excellence and user satisfaction. 

The Importance of G2’s Recognition 

G2, a globally renowned platform for software and services reviews, plays a crucial role in the decision-making processes of businesses worldwide. What sets G2 apart is its reliance on authentic user reviews and experiences. Earning high ranks in G2 reports is a direct reflection of user satisfaction, product reliability, and the overall quality of service provided. Therefore, Cyble’s multiple recognitions in G2’s Fall 2024 Report are particularly noteworthy and demonstrate the company’s industry leadership. 

High Performer Fall 2024: Consistent Excellence 

Cyble’s recognition as a High Performer Fall 2024 signifies its consistent delivery of superior brand intelligence solutions. High Performer awards are given to firms that have high customer satisfaction scores in their respective categories but may not have the presence of market giants. Despite the competitive nature of the cybersecurity landscape, this accolade highlights the effectiveness and reliability of Cyble’s brand intelligence solutions, tailored to meet the unique needs of various organizations. Users have acknowledged the platform’s robust capabilities, marked improvement in threat detection, and intelligent insights that help businesses safeguard their digital assets. 

Leader Asia Fall and Leader Asia Pacific Fall 2024: Regional Dominance 

Cyble’s dual recognition as a Leader in both Asia and Asia Pacific regions in the Fall 2024 Report is a testament to its regional dominance and understanding of localized cybersecurity challenges. This recognition is awarded to companies that are not only high performers but also have significant market presence and influence in their respective regions.  

In regions where cyber threats are evolving rapidly and are often sophisticated, organizations require resilient and adaptive solutions. Cyble has successfully addressed these needs by providing insightful, region-specific intelligence that helps businesses anticipate, mitigate, and respond to potential threats. User reviews from these regions highlight Cyble’s ability to deliver effective, culturally aware, and linguistically sensitive cybersecurity solutions

Easiest to Use Fall 2024: User-Friendly Interface 

Ease of use is a critical factor in the adoption and effective application of any cybersecurity tool. In recognition of this, Cyble has been awarded the Easiest to Use Fall 2024 badge in the Brand Intelligence category, reflecting its commitment to providing a seamless and intuitive user experience. The platform’s interface is designed to be user-friendly, enabling even those with minimal technical knowledge to navigate and utilize its powerful features effectively. 

User testimonials praise the platform’s intuitive dashboard, straightforward navigation, and comprehensive yet easy-to-understand reports. This user-centric approach empowers businesses to quickly grasp and act on crucial cybersecurity insights without the steep learning curve often associated with high-end security solutions. 

Easiest Setup Fall 2024: Rapid Deployment and Integration 

In today’s fast-paced business environment, time is of the essence. The Easiest Setup Fall 2024 award recognizes Cyble’s excellence in enabling swift deployment and integration. A user-friendly setup process ensures that companies can get their cybersecurity measures up and running without unnecessary delays. This is particularly beneficial for businesses that need to quickly address their security needs without diverting significant resources to understanding and implementing complex solutions. 

Customers have highlighted the platform’s straightforward installation process, smooth integration with existing systems, and minimal need for extensive technical support. This ease of setup has been pivotal in helping businesses, regardless of size, to fortify their defenses promptly and efficiently. 

The Holistic Impact of Cyble’s Recognitions 

Cyble’s multiple accolades in the G2 Fall 2024 Report serve as a comprehensive validation of its capabilities and market influence. Each award captures a different aspect of user satisfaction and product excellence, highlighting a broader picture of Cyble as a leader in brand intelligence

1. Customer-Centric Approach: The recognitions reaffirm Cyble’s focus on understanding and addressing customer needs, delivering user-friendly and effective solutions. 

2. Regional Expertise: Being a leader in Asia and Asia Pacific showcases Cyble’s ability to cater to diverse market requirements, handling region-specific challenges adeptly. 

3. Innovative Solutions: The consistent delivery of high performance and ease of use highlights Cyble’s innovative approach to cybersecurity, focusing on making advanced technology accessible and practical for all users. 

Future Prospects and Continuous Improvement 

While these accolades are a significant achievement, Cyble remains committed to continuous improvement and innovation. The ever-evolving nature of cyber threats demands that cybersecurity solutions providers stay ahead of the curve, anticipating new challenges and developing proactive measures. Cyble’s approach involves ongoing research, user feedback, and leveraging advanced technologies like artificial intelligence and machine learning to enhance its offerings continually. 

Conclusion 

Cyble’s recognition in the G2 Fall 2024 Report as a High Performer, Leader in Asia and Asia Pacific, Easiest to Use, and Easiest Setup underlines its excellence in the brand intelligence sector. These accolades reflect the company’s enduring commitment to delivering high-quality, user-centric cybersecurity solutions that address both global and regional challenges. As businesses worldwide navigate the complexities of digital transformation and increasing cyber threats, Cyble stands out as a trusted partner, committed to safeguarding their digital futures with innovative and reliable brand intelligence tools. 

The future looks promising as Cyble continues to push the boundaries of cybersecurity, maintaining its position as an industry leader dedicated to protecting businesses in an interconnected world. 

The post Cyble Recognized in G2 Fall 2024 Report as a Testament to Excellence in Brand Intelligence  appeared first on Cyble.

Blog – Cyble – ​Read More

How to Intercept Data Exfiltrated by Malware via Telegram and Discord

Often, malware uses platforms like — Telegram and Discord for data exfiltration. Due to its simplicity and the lack of need for building a server architecture, this exfiltration method has gained significant popularity. However, this very simplicity is also its weakness. 

In this article we’ll show you how to obtain information related to threat actors’ activities using Telegram API, which can help reveal their identity, attribute malware samples to known families or discover new ones.  

Parsing a Telegram Chat  

First, we need to find a relevant malware sample using Threat Intelligence Lookup with the following query: 

TI Lookup instantly provides matching sandbox sessions found across its vast database 

TI Lookup reveals a hundred sandbox sessions featuring samples that match our query.

Start your first investigation in TI Lookup 



Get a free trial


We can select one of them and rerun it with the MITM Proxy feature enabled.

The sandbox analysis setup window in ANY.RUN lets you configure your environment 

In Telegram, to send a message, two main methods are typically used: 

/sendMessage 

/sendDocument 

For sending text 

For sending text and files 

Any HTTP method (GET, POST, etc.) can be used. The GET method allows parameters to be passed in the query string (url-encoded) 

Only the POST method is available. The POST method requires parameters to be passed in the request body 

After turning on the MITM Proxy and starting the sandbox session, we navigate to the HTTP Requests tab, where we can see a request to api.telegram.org. 

The HTTP Requests tab displays all requests recorded during the session

Looking at the POST request to /sendDocument, we see that it uses the form-data method for transmission. 

In this case, the bot token can be obtained from the URL of the request, and the chat_id from the body (in the screenshot, it is the first parameter in the body). 

Data/contents of the request to the Telegram API

We can also examine the response from the server. It arrives in JSON format and contains a lot of useful information: the chat_id, bot username, bot name/title, chat name, and chat type. 

The server response examined in the ANY.RUN sandbox 

In this sandbox session, we can see an example of a request to /sendMessage using the GET method, where the data is passed in the query string (url-encoded): 

Encoded query string shown in the ANY.RUN sandbox 

Analyze malware and phishing in ANY.RUN sandbox 



Sign up for free


Using CyberChef, we can decode the query string. Here is what the sent data looks like: 

The system info exfiltrated to a Telegram bot 

In this case, the bot token and chat_id are present in the query string. 

Now, let’s use the attacker’s chat_id and bot token. The chat_id can refer to either a group chat or direct messages. First, we check if the bot has a webhook: 

https://api.telegram.org/bot<token>/getWebhookInfo

The presence of a webhook means a high chance of early detection of abuse.

The result of a request to /getWebhookInfo when no webhook is set 

If a webhook is present, we save its data and delete it using /deleteWebhook. 

NOTE! The webhook may have a secret token which could reveal the substitution. 

Description of the secret token

If there is no webhook, the likelihood of detection is very low.  

Next, you need to:  

Create a Telegram group  

Make yourself anonymous 

And only then add the bot to the group 

Here is how you can create a group using different clients: 

Telegram Desktop 

Menu (☰) > New Group > Next > Create  

Telegram Web (K version) 

New (🖉) > New group > Next (⮕) > Next (⮕) 

Telegram App 

Menu (☰) > New Group > Next (⮕) > Create (✓) 

Then the group chat will open, if not – open it manually 

Next, we need to set the Administrators list and change your user settings:

Telegram Desktop 

Settings (⋮) > Manage Group > Administrators > Right click on your profile > Edit admin rights 

Telegram Web (K version) 

Click on group header > Side-menu appears > Edit (🖉) > Administrators > Click on your user profile 

Telegram App 

Click on group header > Edit (🖉) > Administrators > Click on your user profile 

In the opened window, toggle Remain anonymous and click Save

It’s important to select Remain anonymous 

If everything is successful, the input field will display the placeholder “Send anonymously.” For Telegram Web, you may need to refresh the page. 

The input field contains the “Send anonymously” text 

Now, let’s add the bot to the group: 

Telegram Desktop 

Click on group header > Add member (+) > Enter bot name and click > Add 

Telegram Web (K version) 

Click on group header > Side-menu appears > Add member (+) > Enter bot name and click > Next (⮕) > Pop-up appears > Add 

Telegram App 

Click on group header > Click on “+ Add members” > Enter bot name and click > Submit (✓) > Pop-up appears > Add 

The bot username can be obtained by calling /getMe.

The bot username is “LABKEN_BOT”

After adding the bot, the following message will be displayed: 

The bot was successfully added

Next, it is necessary to call the /getUpdates method with the argument offset=-1. 

This will reset the bot’s update history to the most recent update. 

The latest update awaiting processing by the bot, in JSON format

From the data received from the server (see the image above), we take the update_id and chat_id and save them. The chat_id is the ID of the group to which we added the bot. 

Next, we call /getUpdates again with the argument offset=update_id + 1. 

The server returns an empty array of updates 

This will completely clear the bot’s update history. After this, if a webhook existed, we restore it using /setWebhook. 

Once the bot has been added, you can use several methods such as /forwardMessage, /copyMessage, /deleteMessage, /getChat, and /getChatAdministrators, which are among the most useful. 

You can experiment with these methods in interactive mode here: https://telegram-bot-api.vercel.app 

Remove the “bot” part when entering the bot token

We enter the bot token in the token field. 

Next, we call /forwardMessage with the arguments: 

chat_id: the ID of the group chat 

from_chat_id: from the malware request 

message_id: the index of the message in the chat 

Fill out the fields

We enter the parameters in the corresponding fields (chat_id, from_chat_id, message_id) and click Execute.

JSON response

As a result, we receive a response in JSON format containing information about the forwarded message. 

As a result of the request, a message is sent to the group

You can also do this directly in the browser: 

https://api.telegram.org/bot<token>/forwardMessage?chat_id=<your_chat_id>&from_chat_id=<malware_chat_id>&message_id=<message_id_from_malware>

For demonstration purposes, we will use another bot mentioned earlier. The actual request is: https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/forwardMessage?chat_id=-1002455457772&from_chat_id=6354844663&message_id=49817 

The server response

The server returns data about the forwarded message, similar to the previous example. Here, we can see the message_id (in our group), the sender (from), the original chat (forward_origin, forward_from), and the date the original message was sent as a UNIX timestamp (forward_date). 

The result in the chat: 

Executing the request resulted in the message being forwarded to the group 

How to Copy the Entire Chat 

If you want to copy a chat entirely, you need to understand how message_id works. 

This id is actually the index of the message. 

For private chats and each group (group/supergroup), the indices run in parallel. Message_id for private chats is shared across all chats with users. With each message received from an individual user or sent to an individual user, the message_id increments by one. 

Thus, the first message in a chat with one user might have a message_id of 4096, even though in the context of the chat it should have a message_id of 1. In groups, however, message_id works as expected, starting from 1. 

This can be visualized as follows: 

Message_id 

Group 1 

Group 2 

User 1 

User 2 

 

 

 

 

 

To determine the type of chat, you can use the /getChat method. 

If it is a group (group/supergroup), there shouldn’t be any significant issues 

If it is a private chat, there is a possibility that the bot has chats with multiple users, and some messages may not be accessible without the IDs of those users.

There is no simple way to retrieve all messages from a chat; some messages may not be accessible to the bot, but it will definitely have access to the messages it has sent.

In the malware request, we can see the message_id of the message from the malware, allowing us to estimate the number of messages. 

Next, we iterate through all messages from 1 to the required number. Telegram allows for a stable rate of 20 requests per minute with short bursts. 

To copy multiple messages at once, you can use /forwardMessages, which allows copying up to 100 messages in a single request. Thus, in one minute, you can stably copy 2000 messages or more if you utilize bursts. 

Using a Python script, we can copy the entire chat

We recommend saving the server responses, as they contain additional data useful for research: the date of the original message, its ID, and the ID of the original chat. 

For more detailed information on the Telegram Bot API, refer to the documentation.

Parsing Discord 

Replicating the same method with Discord is challenging due to the use of webhooks. 

A Discord webhook allows sending messages to a chat for which it was designated. Retrieving a message without knowing the message_id is difficult because Discord uses a snowflake ID, which includes the timestamp of the message and service information for identification. 

The only known message IDs for you will be those you managed to intercept. 

Among the methods that can be executed directly in the browser, there are only two: 

Retrieving webhook data: 


Retrieving a message: 

following sandbox session

We once again run it with the MITM Proxy enabled.

The HTTP Requests tab shows a POST request to discord.com/api/webhooks

Next, we find a request to Discord.  

The full URL of the request, including the webhook_id and webhook_token 

We copy the request URL. 

The result of executing a GET request in the browser

By inserting the URL into the browser’s address bar, we can obtain data about the webhook, including its name (name) and the channel it is associated with (channel_id) 

Now, let’s open the server response in the sandbox session. We’ll use the simplified view to find the message ID. 

After a POST request to the webhook URL, the server returns all information about the message
The information in JSON format

More useful are the methods that require POST and PATCH requests. 

By sending a request to the previous URL, we can modify the message using PATCH. 

You can also edit the webhook. Similarly, instead of retrieving webhook data using GET, you can use PATCH. 

A POST request to the webhook URL will allow you to send a message. 

For more detailed information, refer to the webhook documentation.

Python Scripts for Parsing Telegram Chats

We have prepared demonstration scripts in Python to make it easier to replicate the techniques shown above. You can find these scripts in our GitHub repo.  

Script 1: prepare_bot.py 

This script allows you to obtain the chat ID of the group to which the bot will be added. The script will warn about the presence of a webhook and offer to delete it. If the bot already has unprocessed updates, the script will offer to delete them. 

After that, you only need to add the bot to the group. The script will restore the webhook if it existed and delete the update about being added to the group. 

As an example, we’ll use the following bot token: 

bot6562806943:AAGufR13-622BXIjHsbpmkQygiIJA1Vo–c 

Once we run the script , the chat ID will be displayed. 

The result of running the script with no webhook 

If a webhook is present:

The script reports a webhook, displays its parameters, and warns about potential risks

Script 2: forward_message.py 

The next useful script is forward_message.py, which allows forwarding messages from one chat to another. 

The bot must have access to messages from the first chat and must be able to send messages to the second chat. 

You can specify the range of messages to forward, the method for handling HTTP 429 (too many requests), and the frequency of requests. 

All request results will be saved in a separate directory, which can also be reassigned. 

Here is how you can use forward_message.py

The script writes the launch parameters to the console and the ID of the message it attempts to forward. 

The results of running forward_message.py

Server responses will be saved in separate JSON files in a specified directory. 

Example of a saved server responses 

Script 3: forward_messages.py 

The next script is forward_messages.py. Despite the similar name and settings, it has some differences from forward_message.py: 

It forwards up to 100 messages in a single request. 

You do not receive data about the messages. 

Here is how you can use forward_messages.py

Example: 

The results of running forward_messages.py

The script writes the launch parameters to the console, the range of messages it attempts to forward, and the number of messages that were successfully forwarded within that range. 

Example of saved server responses

The server returns only an array containing the IDs of the messages forwarded using the /forwardMessages. 

Malware configs 

For more convenient data extraction, ANY.RUN lets you access malware’s configuration via the MalConf tab (see sandbox session). In this configuration, you can find the token. If there is info about requests in the process memory, their parameters are also displayed.

You can also explore ready-made links for API requests, which you can paste into your browser’s address bar.

The available links for Telegram are: 

Get info about the bot 

Get incoming updates 

Get webhook 

Delete webhook 

Drop incoming updates 

Example of a config for a Telegram bot, displaying its token

For Discord, malware typically uses webhooks. With a GET request, the only available action is to retrieve information about the webhook itself. 

See another session with an extracted malware config

The configuration displays the webhook token in the format webhook_id/webhook_token

In most cases, the malware retains data about the request and its result in memory, and you can obtain these details from the configuration.  

For Telegram, the most important data are chat_id and token. Thanks to ANY.RUN’s config extraction, you can see the text of the message sent by the malware. 

Extracted request from which you can obtain the bot_token and chat_id
Example of an extracted response from the server

Malware that uses Discord is often written in Python or JavaScript.  

In most cases, they do not leave complete data about requests in memory. However, if such data remains, you will be able to see it in the MalConf tab. 

We can obtain the message ID, channel ID, sending date, URL for downloading attachments, and other useful information from the server response.

Response from the server containing information about the sent message

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

Request free trial →

Sandbox Sessions Used in Research

Telegram API

POST request to /sendDocument: https://app.any.run/tasks/93e29328-a39a-4769-94d7-44256e1c9cbb

GET request to /sendMessage: https://app.any.run/tasks/861482ae-8f96-41ff-918f-3a642c87db79/ 

Discord API

POST request to webhook URL: https://app.any.run/tasks/189ce54d-7b1a-4d6f-a3ab-c6ea88d1aa5b 

Configurations

Two telegram bots and one discord webhook in one sample: https://app.any.run/tasks/861482ae-8f96-41ff-918f-3a642c87db79?malconf=66e7c1acfec4983250763c78 

Discord webhook and server response: https://app.any.run/tasks/b86b6efc-093b-4418-ab4d-7385e1761bb8?malconf=true 

IOCs 

Statement of Account as of AUGUST 2024SOA.pdf.exe ()

MD5: ddbaaa52ea1192377573a76e4ac8fb7b

SHA256:  

svchost.exe / Builder.exe 

MD5: 6aba4665085cf92ad3d569a7b37f2b53 

SHA256: 7f158a2e68162d7e882dc389c8c4d8e4dcd1161272fd4ba5a2edd63e31385f69 

Builder.exe 

MD5: 3c168aa3065d0ff315220f060fbae7b3 

SHA256: e72325336065b6a088a43221a4e7da4e86e2c627c2b671c1b05a643dc19e9060 

svchost.exe  

MD5: 50dce71a753bad01a07904f2af283123 

SHA256: 8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3 

csrss.exe 

MD5: 0998890ccf8a3d8702db7a84fe6dd7b3 

SHA256: c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220 

Stlr.exe 

MD5: 712e31bac690f0f557c37f324cfe541b 

SHA256: 5809167017915ccd66d1fff1c39da41ea43f0dcf0a6b8fd3e5938281a5d78ac4 

The post How to Intercept Data Exfiltrated by Malware via Telegram and Discord appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

How to make offline backups of documents, photos, music, and videos from websites and online services | Kaspersky official blog

With browser bookmarks, Gmail’s bottomless inbox, the ever-present Wikipedia, and the effective backup of iOS devices in iCloud, it’s easy to get the impression that data online is stored both safely and forever. Sadly though —  it’s not always the case. Therefore, it’s a good idea to make a backup of important personal information and protect it from ransomware and spyware. This post examines the whats, whys, and hows of the backup process.

Nine loss scenarios

We could write a fat textbook on how online data can disappear or otherwise become inaccessible, but we’ll limit ourselves here to listing some real-life instances of data going AWOL to better demonstrate their variety:

You bookmark your favorite recipes on a cooking website, but, after a redesign and restructuring of the site, the articles move to new addresses and your links are broken.
You listen to music on a streaming service, but songs disappear from your playlist because of copyright issues.
You chat with friends in a messenger and expect the chat history to be there forever — but the service shuts down and your history is lost.
You compile a bibliography for a thesis or research paper, but some of the referenced articles are published on sites that later close down or get paywalled.
You use a free note-taking service that suddenly becomes payable or shuts down.
You saved a link to a helpful tax and benefits guide on a government website, but some time later it becomes unavailable.
You store your photos and videos in an online photo album, but the provider decides to lower the image resolution, which causes blurring of video backgrounds and text in screenshots.
You published a website, but the hosting provider loses all your data in a cyberattack.
You liked or published a social media post, but a few months later you can’t find it. It might not even be deleted — you just have no means to search for it.

Online content loss can be divided up into two distinct types: (1) where you can no longer find information that used to be publicly available; and (2) where you lose your own data: notes, photos, or documents.

The first type of data loss is global in scale: according to a recent study, 38% of links active in 2013 were broken ten years later. For government websites, this figure is 13%; for Wikipedia links — 11%. A recent report on China’s internet landscape stated that web pages published before 2004 were near impossible to find since site owners actively purge old content. In an ironic twist, the posts of a Chinese blogger on this topic were themselves deleted.

Losing your own non-public data occurs less often, but hits much harder, so backing it up should be a priority.

What to save and how

First of all, make a list of all your important data. Think carefully about what’s really valuable to you in the digital world, and where it’s stored. Family photos? Household accounts? PhD thesis? Design ideas for your future apartment? Personal notes? Tracks of all your runs? Sort everything in descending order of importance, and make backups working your way down. Depending on the type of information, there are several backup options.

Downloading files to your drive

This is the simplest way to back up photos, documents, and other files that are stored online and can be easily opened on a computer. Saving web pages in the same way is harder, but still doable — for example, you can use the “Save as PDF” option. We recommend creating a coherent storage system on your computer so that you can easily find such files later. If their volume is too large, you can use a removable drive or set up network-attached storage (NAS) at home. To protect your data from ransomware and spyware, use robust security software, such as Kaspersky Premium. And to insure against equipment malfunction, you can set up a RAID array of drives on your computer or NAS device (the simplest, most reliable, but pricier option is RAID 1).

Exporting from online services

Online applications and services that don’t use files as such (messengers, email clients, databases, note apps) often let you export data, or create an archive file or backup. Read the respective help and explore the settings to find out how to export and what formats are available.

Usually, the most common formats are offered: HTML, PDF, TXT, or CSV. In this case, exported data can be easily viewed without specialized software and then migrated to another service. At the end of this post you’ll find links to backup-guides for popular online services.

But sometimes the export file is a black box containing a backup that only allows data restoration within the same service. This is the case, for example, with WhatsApp backups stored on Google Drive or iCloud.

Using specialized software

Some online services offer no export or backup options at all — social networks and streaming services are often guilty of this. In this case, it’s worth doing a search for a specialized export tool or online service using queries like SERVICENAME export or SERVICENAME backup. Two important warnings: before downloading anything, (1) install reliable protection on your computer to avoid picking up malware instead of a useful tool; and (2) make sure that the export procedure doesn’t violate local laws or copyrights.

Saving data backup to another online service

For important web pages, you can create backups in specialized services. For example, Pocket is great for personal use — the premium version saves not just a link to the document, but a full-text copy of it. For public use, copies of web pages can be saved to the internet archive web.archive.org or the like-minded archive.is. We’ll soon be posting about these services separately.

Storing backups in multiple online services at the same time

This insures against shutdown or technical issues with one of the services. You can combine this tip with the first one above by downloading files and saving them, say, to a Dropbox local folder on your own drive, which will automatically sync with your cloud storage. This way, the file will have both offline and cloud backups. Storing two copies of a document, for example, in OneDrive and Google Drive may seem paranoid, but it truly is reliable.

Setting up automatic backups to another service

This is the pinnacle of internet archiving — eliminating the need to update backups manually. For files, you can create a scheduled task for copying from one folder to another — allowing you to duplicate them on your home server and in cloud storage. Some note-taking services have additional sync modules that let you automatically create, say, a note in Joplin or Obsidian when new tasks appear in Todoist, add movies marked “favorite” on IMDb to separate notes, copy articles saved in Pocket to Evernote, and so on. Many such scenarios can be implemented through ready-made recipes in cross-platform automation tools like IFTTT and Zapier.

When data migration is backed up by the law

In some countries and regions, the right to download one’s data and migrate it to another service (data portability) is enshrined in law: among them are the European Union, India, Brazil, and the US State of California. If your online service offers no export or backup options, you can contact support, cite the relevant law, and get a copy of your data.

Remember to back up your online data on a regular basis — at least once a month.

How to back up data from specific online services

Because recommendations vary depending on the service and type of data, we have a series of dedicated posts grouped together with the backup tag. The list will be updated and supplemented regularly, but right now you can read about creating backups for the following:

Notion
Telegram
WhatsАpp
Authenticator apps for two-factor authentication
Other services

And don’t forget to keep your backups safe!…

Kaspersky official blog – ​Read More

Is technology amplifying threats in relationships? | Kaspersky official blog

The rise of online dating has created a fertile ground for manipulation and in today’s digital world, it’s easy to trust someone that you’ve never met in person, sharing personal details or intimate images before you truly understand who they are. In fact, our recent study reveals that 39% of people aged 25-34 have shared intimate images with someone they’ve never met in real life.

Unfortunately, this openness is often exploited. Whether it’s through intimate image abuse, stalkerware, or deepfakes, online daters are increasingly vulnerable to dangers that weren’t as common just a few years ago. With that in mind, here’s a breakdown of the top three threats to watch out for.

1. Private photos, public nightmares: the growing threat of image abuse

Intimate image abuse (IIA), or “revenge porn” is a harmful form of digital abuse. As sharing intimate images becomes more normalized, many feel secure when trusting partners or online matches with personal photos. In our “Naked Truth” survey of 9,000 people, nearly half reported experiencing or knowing someone who had been affected by Intimate Image Abuse. The issue is particularly severe among younger generations, with 69% of 16-24-year-olds admitting that they’ve been exposed to it. Despite the risks, victim-blaming remains common, with 50% of respondents believing that those who share intimate images are responsible if they’re leaked, reflecting a widespread misunderstanding of consent and privacy.

How to protect yourself:

Think twice before sharing: сonsider the potential consequences of sharing private images and gauge the level of trust with the recipient.
Stay informed: many social media platforms have systems in place to detect and remove non-consensual intimate images. Learn how to report such content.
Manage your passwords wisely: always use a reliable password manager, like Kaspersky Password Manager, to create and store strong, unique passwords for each account. Avoid reusing passwords across multiple platforms, as this can make you more vulnerable to breaches.

2. When your apps spy on you: the threat of stalkerware

Stalkerware is software that secretly tracks a person’s location, messages, and daily activities, often disguised as anti-theft or parental control tools but used for malicious purposes. In 2023, over 31,000 cases of stalkerware were identified globally, a 6% rise from the previous year. Countries most affected include Germany, France, and the UK. Many victims are unaware they’re being monitored due to the hidden nature of these apps. Beyond stalkerware, tools like GPS tracking and social media are also being misused, with 34% of people admitting to checking their date’s profiles as “due diligence.”

How to protect yourself:

Be vigilant: look for signs of stalkerware on your device, such as unusual battery drain, apps you don’t recognize, or sudden permission changes.
Avoid tampering with stalkerware: if you believe stalkerware is on your device, do not attempt to erase or disable it on your own. This could tip off the perpetrator or delete important evidence that could be used in legal action. Instead, contact a local support organization or consult the Coalition Against Stalkerware for expert help.
Update your privacy settings: regularly review app permissions and adjust privacy settings to minimize the risk of being monitored.

3. Deepfake threats: when what you see isn’t real

Deepfakes use artificial intelligence (AI) to create hyper-realistic fake images, videos and even audio recordings. Once dismissed as low-quality, easy-to-spot tricks, deepfakes have now evolved to become incredibly convincing. Open-source tools have made it easy for anyone with basic tech skills to create deepfakes, making this technology a growing concern in online relationships.

While celebrity deepfakes were the first to capture the public’s attention, ordinary individuals are now victims of this technology. In romantic contexts, deepfakes can be used to create fake compromising images or videos. These materials are then used for blackmail, with perpetrators threatening to release the content unless their demands are met.

How to protect yourself:

Know the warning signs: be cautious if someone makes threats involving compromising media. They could be using deepfake technology.
Report deepfakes: many platforms now use AI detection tools to flag and remove deepfake content. If you are targeted, report the content to the platform.
Stay informed: awareness is key. Educate yourself about deepfake technology and its potential misuse in online dating.

Building a Safer Digital Space: A Call for Education

Education is key to reducing online dating risks. Consent in the digital world must be ongoing, not a one-time agreement. 30% of men believe receiving an intimate image means they own it, highlighting a serious issue around digital privacy. Targeted education for boys and men is crucial to address intimate image abuse, stalking, and harassment. As technology reshapes relationships, we must stay informed and vigilant to protect against growing threats like image abuse, stalkerware, and deepfakes.

By understanding these risks and taking steps to protect ourselves, by Installing a comprehensive security solution such as Kaspersky Premium, you can help protect your devices from threats like stalkerware and other malware.

For more details, read our report and safe dating guide.

Kaspersky official blog – ​Read More

Introducing Safebrowsing: Explore Suspicious Links in a Safe Virtual Browser

Current security measures against phishing links focus on automated checks and timely blocking before they reach users. Yet, some links still make it to their targets, leaving them vulnerable as they often have no simple, fast, and reliable tool at hand to check these links at the final stage. 

To address this security gap, we created Safebrowsing, which makes it easy to safely and easily open any link and manually verify its content.

What is Safebrowsing? 

Safebrowsing offers a fully-interactive browser in the cloud that lets you open and navigate any website as you normally would in a completely isolated and secure environment. This ensures that any malicious activity encountered during browsing is contained and does not affect your local systems or network. 

With Safebrowsing, you can launch a quick virtual browser session to manually explore potentially harmful URLs. The service identifies malicious content in real time using ANY.RUN‘s proprietary technology and notifies you about it.  

After each session, you receive a list of indicators of compromise (IOCs) along with a detailed threat report. 

Safebrowsing gives you the ability to follow the entire chain of attack when facing phishing threats and get an in-depth network traffic analysis, including: 

Connections  

DNS and HTTP requests 

Network threats identified by Suricata IDS 

Free beta of Safebrowsing is available to all ANY.RUN users 



Try it now


How does it work? 

Safebrowsing is built to be simple and effective, letting you quickly run analysis in three steps: 

Step 1: Submit URL

You can quickly submit any URL to open it in a safe virtual browser

You enter the URL of the website you want to analyze and hit “Browse”. 

Step 2: Interact and Examine Threats

You are free to interact with websites just like in a standard browser

You interact with the website, clicking links, opening tabs, solving CAPTCHAs, and seeing what happens after each step with your own eyes.

The service lets you observe network traffic and learn about detected threats

While you explore, the service monitors the websites for any malicious content and lets you know about the danger. 

Step 3: Collect IOCs

Safebrowsing provides a list of identified IOCs

Once you finish, the service generates a report outlining detected threats and suspicious activities, as well as lets you export packet data in PCAP. 

Safebrowsing demonstration 

The service quickly identifies malicious content and provides access to triggered Suricata detection rules

Check out the video above in which we investigate a phishing link using Safebrowsing. 

How is Safebrowsing different from the ANY.RUN sandbox? 

Unlike our advanced malware sandbox, Safebrowsing focuses exclusively on URL analysis.  

It provides a less complex interface that eliminates the need for in-depth system monitoring and file system access, which makes it easy-to-use for non-experts. Yet, ANY.RUN’s signature interactivity is still there. 

How is Safebrowsing different from a URL scanner? 

Compared to URL scanners that simply check any given URL against a database of known malicious URLs, Safebrowsing provides a fully interactive environment for exploring websites. 

What are possible use cases for Safebrowsing? 

Safebrowsing is a universal tool that can be of great help in different scenarios.  

Open URLs within a secure, isolated, and full-size virtual browser to prevent any potential threats from affecting your local system. 

Speed up the process of analyzing and responding to suspicious links.   

Make link checks safe, simple, and quick for non-security employees. 

Prevent infections and increase the general level of security in the organization. 

Demonstrate the risks of clicking on suspicious links as part of training on safe browsing practices. 

Observe network traffic for malicious activity to detect threats in real time. 

Improve detection of phishing threats thanks to ANY.RUN’s advanced capabilities. 

Download traffic data and the identified indicators of compromise. 

Share the completed session as evidence of malicious content. 

How Safebrowsing can help your business 

Phishing Protection  

By allowing your team to safely explore suspicious URLs, Safebrowsing helps in identifying phishing attempts before they can impact your organization. The proactive approach significantly reduces the risk of data breaches and financial losses. 

Staff Training  

Safebrowsing can be used as a training tool to educate employees about the dangers of phishing and other web-based threats. By demonstrating real-world examples in a safe environment, you can enhance your team’s awareness and preparedness. 

Empowering Non-Expert Employees  

Safebrowsing equips non-expert employees with a fast and safe way to check suspicious links without needing to involve the security team. This saves time and resources, allowing your security professionals to focus on more critical tasks 

Try Safebrowsing beta now 

Real-time threat detection, fast performance, and easy-to-use interface make Safebrowsing a perfect tool for any individual and organization that wants to avoid falling victim to phishing attacks.  

The FREE beta version is available to all ANY.RUN users. 

Analyze your first URL right away

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

Request free trial →

The post Introducing Safebrowsing: Explore Suspicious Links in a Safe Virtual Browser appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Critical Vulnerability Discovered in Versa Director: What Organizations Need to Know

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted a vulnerability in Versa Networks’ Versa Director, a centralized management platform for Secure SD-WAN and SASE solutions. This vulnerability, identified as CVE-2024-45229, stems from improper input validation and affects various versions of the software. Organizations using vulnerable versions of Versa Director are urged to take immediate action to protect their network security.

Versa Director plays an important role in orchestrating and managing network and security policies across diverse locations. Its REST APIs facilitate automation and streamline operations through a unified interface, allowing IT teams to configure and monitor their network systems efficiently. However, the recent vulnerability exposes critical weaknesses that could compromise its effectiveness and, more importantly, the security of the organizations utilizing it.

The identified flaw involves improper input validation in certain APIs that do not require authentication by design. For Versa Directors connected directly to the Internet, attackers could potentially exploit this vulnerability by injecting invalid arguments into a GET request. This could expose authentication tokens of currently logged-in users, which can then be used to access additional APIs on port 9183. Importantly, this exploit does not reveal usernames or passwords, but the implications of token exposure could lead to broader security breaches.

Affected Versions and Severity Assessment

The vulnerability identified in Versa Director, tracked as CVE-2024-45229, highlights critical security risks that organizations must address promptly. This flaw arises from improper input validation in certain REST APIs, which are integral to the platform’s operation. As a centralized management solution for Secure SD-WAN and SASE, Versa Director plays a vital role in orchestrating and managing network and security policies across various locations. The implications of this vulnerability can impact the security and functionality of network operations for affected organizations.

The vulnerability affects multiple versions of Versa Director, specifically those released prior to September 9, 2024, including 22.1.4, 22.1.3, and 22.1.2, along with all versions of 22.1.1, 21.2.3, and 21.2.2. The CVSS score assigned to this vulnerability is 6.6, indicating a high severity level. The flaw primarily stems from certain APIs that, by design, do not require authentication. These include interfaces for logging in, displaying banners, and registering devices.

When Versa Directors are directly connected to the Internet, attackers can exploit this vulnerability by injecting invalid arguments into a GET request. This exploitation can lead to the unauthorized exposure of authentication tokens belonging to currently logged-in users. While this flaw does not compromise usernames or passwords, the exposure of these tokens can allow attackers to access additional APIs. Such unauthorized access could facilitate broader security breaches, potentially impacting sensitive data and operational integrity.

Conclusion

The vulnerability discovered in Versa Director represents a serious security risk, particularly for the instances exposed to the Internet. As the management platform plays a crucial role in network operations, organizations need to prioritize patching and security enhancements. The CISA advisory highlights the importance of being proactive in addressing vulnerabilities, as failure to do so could lead to severe consequences, including data breaches and operational disruptions.

Mitigation and Recommendations


Implement the latest patches provided by Versa Networks immediately.

Upgrade from version 22.1.1 to 22.1.3 and from 21.2.2 to 21.2.3 for comprehensive protection.

Critical systems are isolated through network segmentation to limit potential attack surfaces.

Using Web Application Firewalls (WAF) or API gateways to block access to vulnerable URLs.

Utilizing advanced Security Information and Event Management (SIEM) systems to detect unusual activities.

Regularly reviewing logs and alerts for real-time threat identification.

Uncover weaknesses in the network infrastructure.

Remediate vulnerabilities before malicious actors can exploit them.

The post Critical Vulnerability Discovered in Versa Director: What Organizations Need to Know appeared first on Cyble.

Blog – Cyble – ​Read More

Kransom Ransomware: New Threat Using DLL-Sideloading to Hijack Popular RPG

Recently, our team of analysts discovered a sample of a yet-unknown ransomware that they dubbed Kransom. The malware employed the malicious DLL-sideloading technique to hijack the execution flow of an .exe file belonging to the popular game Honkai: Star Rail. Here is everything we have on the threat so far.

Initial Infection Vector

View the sandbox session for detailed analysis.

The archive distributed as part of the Kransom attack analyzed in the ANY.RUN sandbox

The Kransom ransomware attack began with a deceptive archive containing two files: an executable and a DLL (Dynamic Link Library) file.

The certificate of the executable found inside the archive

The executable was signed with a valid certificate from COGNOSPHERE PTE. LTD, the publishing company for Honkai: Star Rail, a popular RPG. 

Easily analyze malware and phishing in ANY.RUN sandbox 



Sign up for free


DLL Side-Loading Technique

The .exe and .dll files extracted from the archive in the ANY.RUN sandbox

Kransom employs a technique known as DLL side-loading to evade detection and inject its malicious payload. The method involves loading a malicious DLL into the process of a legitimate application.

ANY.RUN sandbox lists all the malicious activities performed by the ransomware 

Upon launching the legitimate executable named “StarRail.exe”, the user triggers the loading of the malicious DLL (see analysis of StarRailBase.dll), which is responsible for initiating the infection and encrypting the victim’s files.

File Encryption Method

Kransom utilizes a simple XOR encryption algorithm with a weak key (0xaa) to encrypt files on the infected system.

The Static discovering window displaying one of the encrypted files

ANY.RUN’s sandbox helps you track all the encrypted files and see their contents.

Ransom Note

Following successful file encryption, Kransom drops a ransom note that instructs the user to contact “hoyoverse” for solutions. 

The ransom note shared with victims

This is a social engineering tactic designed to impersonate the game’s legitimate developer, Hoyoverse, and extort money from victims.

Collecting Threat Intelligence on Kransom Ransomware

To stay updated on the latest Kransom attacks and enrich your investigations to this and other threats, use Threat intelligence Lookup

The service pulls threat data from thousands of public malware and phishing samples analyzed in the ANY.RUN sandbox on a daily basis.

It lets you search its database using over 40 different parameters, helping you zero in on threat using different details like registry keys, IP addresses, mutexes, and more.

Here is an example of a query you can use to find more samples of Kransom that use the DLL-sideloading technique:

We can gather more intelligence using the name of the file used in the attack 

The service returns more than 20 sandbox sessions that you can explore along with synchronization events and files that match the query.

Start your first investigation in TI Lookup 



Request a free trial


Conclusion

The targeting of games like Honkai: Star Rail in ransomware attacks suggests a potential risk of threat actors using similar methods with other popular software. Organizations need to stay alert and take proactive steps to protect their systems. This includes being careful with downloads from unknown sources, receiving official software updates, and using reliable tools like ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup as part of a layered security architecture.

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

Request free trial →

The post Kransom Ransomware: New Threat Using DLL-Sideloading to Hijack Popular RPG appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Necro Trojan infects 11 million Android devices | Kaspersky official blog

Here at Kaspersky Daily we’re forever urging readers of our blog to be real careful when downloading content to their devices. After all, even Google Play isn’t immune to malware — let alone unofficial sources with mods and hacked versions. For as long as the digital world keeps turning, Trojans will continue to worm their way onto devices that don’t have reliable protection.

Today we tell the story of how 11 million Android users worldwide fell victim to the Necro Trojan. Read on to learn which apps we found it in — and how to protect yourself.

What is Necro

Our regular readers may recall reading about Necro when we first wrote about it back in 2019. Back then, our experts discovered a Trojan in CamScanner, a text recognition app, which had clocked up over 100 million downloads on Google Play. Now the “necromancers” have injected new blood into the old Trojan: we found a version richer in features both in popular apps on Google Play and in various app mods on unofficial sites. Most likely, the developers of these apps used an unverified ad integration tool through which Necro infiltrated the code.

Today’s Necro is a loader obfuscated to avoid detection (but that didn’t stop us from finding it). It downloads the malicious payload in no less a crafty way using steganography to hide its code in a seemingly harmless image.

And downloaded malicious modules are able to load and run any DEX files (compiled code written for Android), install downloaded apps, tunnel through the victim’s device, and even — potentially — take out paid subscriptions. In addition, they can display and interact with ads in invisible windows, as well as open arbitrary links and run any JavaScript code.

Read more about how Necro is designed and how it operates on our Securelist blog.

Where Necro hides

We found traces of the malware in a user-modded version of Spotify, in the photo editing app Wuta Camera, in Max Browser, and in mods for both WhatsApp and popular games (including Minecraft).

In modded Spotify

At the very start of our investigation, our eye was caught by an unusual modification of the Spotify Plus app. Users were invited to download a new version of their favorite app from an unofficial source — for free and with an unlocked subscription offering unlimited listening, both online and off. The nice green Download Spotify MOD APK button looks so tempting, right? Stop! It’s malware. Never mind the Security Verified and Official Certification guarantees; this app will wreak havoc.

Well I never, all versions are viewable. Could Necro or other Trojans be lurking there too?

When this app was launched, the Trojan sent information about the infected device to the attackers’ C2 server, and in response got a link to download a PNG image. The malicious payload was hidden in this image by means of steganography.

In apps on Google Play

While the Spotify mod was distributed through unofficial channels, the Necro-infected Wuta Camera found its way onto Google Play, from where the app was downloaded more than 10 million times. According to our data, the Necro loader penetrated version 6.3.2.148 of Wuta Camera, with clean versions starting from 6.3.7.138. So, if your version is lower than that, you need to update immediately.

The impressive download count and decent ratings masked a Trojan

Max Browser’s audience is much smaller — just one million users. Necro infiltrated its app code in version 1.2.0. The app was removed from Google Play following our notification, but it’s still available on third-party resources. These, of course, should be trusted even less, since trojanized versions of the browser may still live there.

In mods for WhatsApp, Minecraft, and other popular apps

Alternative messenger clients usually boast more features than their official cousins. But you should treat all mods, be they on Google Play or a third-party site, as suspicious, for they often come bundled with Trojans.

For instance, we found mods for WhatsApp with the Necro loader being distributed from unofficial sources, as well as mods for Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. And this selection sure isn’t random — attackers always target the most popular games and apps.

How to guard against Necro

First of all, we strongly advise against downloading apps from unofficial sources because the risk of device infection is extremely high. Secondly, apps on Google Play and other official platforms should also be treated with a healthy dose of skepticism. Even a popular app like Wuta Camera, with 10 million downloads, proved powerless in the face of Necro.

Make sure to protect your devices so as not to be caught off guard by a Trojan. Kaspersky for Android detects Necro and other similar malware.
Check the app page in the store before downloading. We particularly recommend looking at reviews with low ratings, as these generally give heads-up about potential pitfalls. Rave reviews could be fake, while a high overall score is easy to inflate.
Don’t look for mods or hacked versions. Such apps are almost always stuffed with all kinds of Trojans: from the most harmless to mobile spyware like CanesSpy.

Kaspersky official blog – ​Read More

Undetected Android Spyware Targeting Individuals In South Korea

Key Takeaways


Since June 2024, a new Android Spyware campaign has been identified targeting individuals in South Korea, leveraging an Amazon AWS S3 bucket as its Command and Control (C&C) server.

The Spyware is capable of exfiltrating sensitive information from an infected device, including SMSs, contact lists, images, and videos.

The stolen data, stored openly on the S3 bucket, suggests poor operational security, potentially leading to unintended leaks of sensitive information.

The spyware operates with a simple source code and few key permissions, demonstrating that even simple malware can be highly effective in exfiltrating sensitive data.

The malware remained undetected by all major antivirus solutions. Four unique samples were identified, exhibiting zero detection rates across all engines.

Overview

Cyble Research and Intelligence Labs (CRIL) has uncovered a previously undetected Android spyware campaign targeting individuals in South Korea, which has been active since June 2024. The spyware leverages an Amazon AWS S3 bucket as its Command and Control (C&C) server and is designed to exfiltrate sensitive data from compromised devices, including contacts, SMS messages, images, and videos.

The spyware samples observed disguise themselves as live video apps, adult apps, refund apps, and interior design applications. Below are the icons used by the malware.

Two malicious URLs distributing the spyware have been identified:


hxxps://refundkorea[.]cyou/REFUND%20KOREA.apk

hxxps://bobocam365[.]icu/downloads/pnx01.apk

Since its emergence, this malware has remained undetected by all security solutions, allowing it to operate stealthily. CRIL has identified four unique samples linked to this spyware, all exhibiting zero detection rates across major antivirus engines.

All identified spyware samples were observed communicating with the same Command and Control (C&C) server hosted on an Amazon S3 bucket: hxxps://phone-books[.]s3.ap-northeast-2.amazonaws.com/. Our analysis revealed that the stolen data, including contacts, SMS messages, images, and videos, was openly stored in the S3 bucket (C&C server), further confirming that the malware specifically targeted individuals in South Korea.

The attackers’ poor operational security resulted in the unintentional exposure of sensitive data. We reported the misuse of the AmazonAWS S3 bucket to Amazon Trust and Safety, which disabled access to the URL and made the data no longer accessible. Furthermore, our investigation found no other C&C servers utilizing S3 buckets or exposing stolen data linked to this campaign.

Technical Details

After installation, all spyware samples display a single screen with a message in Korean tailored to the app’s theme.

The source code of this spyware is relatively simple. It utilizes a minimal set of permissions, including “READ_SMS,” “READ_CONTACTS,” and “READ_EXTERNAL_STORAGE,” to carry out its malicious operations. The manifest file specifies only the main activity, which triggers the malicious functionality upon execution.

Upon installation, the spyware requests the necessary permissions; once granted, it executes its malicious functions. These functions, responsible for collecting data from the infected device, are executed within the API method “onRequestPermissionsResult”, as illustrated in the image below.

To exfiltrate images and videos, the malware queries the device’s content provider and uploads each file to the C&C server via the endpoint “/media/+filename”. This behavior is evident in the exposed data, as shown in Figure 3.

The malware gathers contacts and SMS messages from the infected device and stores them in two separate files: phone.json for contacts and sms.json for SMS data. These files are then transmitted to the C&C server, as demonstrated in the figure below.

Conclusion

This campaign highlights the growing sophistication of Android spyware targeting individuals in South Korea. By utilizing an Amazon AWS S3 bucket for Command and Control infrastructure, the threat actors were able to maintain stealth and evade detection for an extended period. This spyware strain utilizes a minimalist approach—leveraging only a few key permissions to exfiltrate sensitive data such as contacts, SMS messages, images, and videos—and demonstrates how even simple malware can be extremely effective.

It is concerning that attackers are increasingly turning to trusted cloud services like AWS as part of their malicious infrastructure. This tactic allows them to bypass traditional security measures and stay under the radar.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:


Download and install software only from official app stores like Google Play Store or the iOS App Store.

Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.

Use strong passwords and enforce multi-factor authentication wherever possible.

Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.

Be wary of opening any links received via SMS or emails delivered to your phone.

Ensure that Google Play Protect is enabled on Android devices.

Be careful while enabling any permissions.

Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic
Technique ID
Procedure

Initial Access (TA0027)
Phishing (T1660)
Malware distribution via phishing site

Collection (TA0035)
Protected User Data: Contact List (T1636.003)
The malware collects contacts from the infected device

Collection (TA0035)
Protected User Data: SMS Messages
(T1636.004)
Steals SMSs from the infected device

Collection (TA0035)
Data from the Local System (T1533)
Malware steals images and videos from an infected device

Command and Control (TA0037)
Application Layer Protocol: Web Protocols (T1437)
Malware uses HTTPS protocol for C&C communication

Exfiltration (TA0036)
Exfiltration Over C2 Channel (T1646)
Sending exfiltrated data over C&C server

Indicators of Compromise (IOCs)

Indicators
Indicator Type
Description

afc2baf71bc16bdcef943172eb172793759d483470cce99e542d750d2ffee851 63952a785e2c273a4dc939adc46930f9599b9438 1d7bbb5340a617cd008314b197844047
SHA256 SHA1 MD5
Spyware hashes

d9106d06d55b075757b2ca6a280141cbdaff698094a7bec787e210b00ad04cde 46eb3ba5206baf89752fe247eff9ce64858f4135 68e6401293e525bf583bade1c1a36855
SHA256 SHA1 MD5
Spyware hashes

a8e398fc4b483a1779706d227203647db3e04d305057fdc7f3f6a4318677b9c8 d07a165b1b7c177c2f57b292ae1b2429b6187e45 16139baf56200f3975e607f89e39419a
SHA256 SHA1 MD5
Spyware hashes

3608f739c66c9ca18628fecded6c3843630118baaab80e11a2bacee428ef01b3 1fc56a6d34f1a59a4987c3f8ff266f867e80d35c fa073ca9ae9173bb5f0384471486cce2
SHA256 SHA1 MD5
Spyware hashes

hxxps://phone-books.s3.ap-northeast-2.amazonaws.com/
URL
C&C server

hxxps://bobocam365[.]icu/downloads/pnx01.apk
hxxps://refundkorea[.]cyou/REFUND%20KOREA.apk
URL
Distribution URL

The post Undetected Android Spyware Targeting Individuals In South Korea appeared first on Cyble.

Blog – Cyble – ​Read More

FBI, CISA warning over false claims of hacked voter data – Week in security with Tony Anscombe

With just weeks to go before the US presidential election, the FBI and the CISA are warning about attempts to sow distrust in the electoral process

WeLiveSecurity – ​Read More