In a strongly worded advisory, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have urged software developers to cease unsafe development practices that lead to “unforgivable” buffer overflow vulnerabilities. 

“Despite the existence of well-documented, effective mitigations for buffer overflow vulnerabilities, many manufacturers continue to use unsafe software development practices that allow these vulnerabilities to persist,” the agencies said in the February 12 Secure By Design alert. “For these reasons—as well as the damage exploitation of these defects can cause—CISA, FBI, and others designate buffer overflow vulnerabilities as unforgivable defects.” 

The agencies said threat actors leverage buffer overflow vulnerabilities to gain initial access to networks, thus making them a critical point for preventing attacks. 

We’ll look at the prevalence of buffer overflow vulnerabilities, some examples cited by CISA and the FBI, and guidance for secure development and use of memory-safe programming languages. 

Buffer Overflow Vulnerabilities: Prevalence and Examples 

The FBI-CISA guidance specifically mentions the common software weaknesses CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), along with stack-based buffer overflows (CWE-121) and heap-based buffer overflows (CWE-122). 

The phrase “buffer overflow” occurs in 67 of the 1270 vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog, or 5.28% of the KEV database. The words “buffer” and “overflow” occur in 84 of the KEV vulnerabilities (6.6%). 

CISA and the FBI cited six examples of buffer overflow vulnerabilities in IT products: 

• CVE-2025-21333, a Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege vulnerability 
• CVE-2025-0282, a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 
• CVE-2024-49138, a Windows Common Log File System Driver Elevation of Privilege vulnerability 
• CVE-2024-38812, a VMware vCenter Server heap-overflow vulnerability 
• CVE-2023-6549, an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Citrix Systems’ NetScaler ADC and NetScaler Gateway 
• CVE-2022-0185, a heap-based buffer overflow flaw in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length (the CWE in this case was CWE-190, Integer Overflow or Wraparound). 

“These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution,” the agency guidance said. “Threat actors frequently exploit these vulnerabilities to gain initial access to an organization’s network and then move laterally to the wider network.” 

They added that “the use of unsafe software development practices that allow the persistence of buffer overflow vulnerabilities—especially the use of memory-unsafe programming languages—poses unacceptable risk to our national and economic security.” 

Memory-Safe Software Development 

The agencies urged manufacturers “to take immediate action to prevent these vulnerabilities from being introduced into their products. … Software manufacturer senior executives and business leaders should ask their product and development teams to document past buffer overflow vulnerabilities and how they are working to eliminate this class of defect.” 

Customers should hold manufacturers accountable by requesting a Software Bill of Materials (SBOM) and a secure software development attestation, the FBI and CISA said. 

For development teams, the agencies recommended the following secure by design practices to prevent buffer overflow vulnerabilities: 

• Memory-safe languages should be used whenever possible “to shift the burden of memory management from the developer to the programming language’s built-in safety features.” They added that developers should never disable or override memory safety guarantees in languages when it’s possible to do so, and that using a memory-safe language in one part of a software package will not fix memory-unsafe code in other libraries. 

• A phased transition plan for implementing memory-safe languages should be used for upgrading existing codebases while using technologies to limit memory vulnerabilities in existing code. “Ideally, this plan should include using memory-safe languages to develop new code and—over time and when feasible—transition their software’s most highly privileged/exposed code to memory-safe languages,” the agencies said. 

• Enable compiler flags that implement compile time and runtime protections against buffer overflows to the extent that application performance allows, and “implement canaries that alert if an overflow occurs.” 

• Conduct unit tests with an instrumented toolchain such as AddressSanitizer and MemorySanitizer that checks source code for buffer overflows and other memory safety issues. 

• Perform adversarial product testing that includes static analysis, fuzzing, and manual reviews to ensure code safety and quality throughout the development lifecycle. 

• Publish a memory-safety roadmap that outlines plans to develop new products with memory-safe languages and to migrate older ones based on risk. 

• Conduct root cause analysis of past vulnerabilities, including buffer overflows, to identify patterns. “Where possible, take actions to eliminate entire classes of vulnerabilities across products, rather than the superficial causes,” the agencies said. 

The alert said eliminating buffer overflow vulnerabilities “can help reduce the prevalence of other memory safety issues, such as format string, off-by-one, and use-after-free vulnerabilities.” 

Conclusion 

As an initial entry point for attackers into a network, the importance of buffer overflow vulnerability prevention can’t be overstated. Development teams would be wise to implement CISA and the FBI’s advice to the maximum extent possible. 

Customers also have a role to play by demanding memory-safe documentation from suppliers. But they also shouldn’t neglect basic cybersecurity practices for the eventual vulnerabilities that will slip past even the most vigilant development teams. Zero trust, risk-based vulnerability management, segmentation, tamper-proof backups and network and endpoint monitoring are all critically important practices for limiting the damage from any cyberattacks that do occur. 

The post FBI, CISA Urge Memory-Safe Practices for Software Development  appeared first on Cyble.

Blog – Cyble – ​Read More

Cybercriminals around the world keep honing their schemes to steal accounts in WhatsApp, Telegram, and other popular messaging apps – and any of us could fall for their scams. Only by becoming a victim of such an attack can you fully appreciate how vital a tool instant messaging has become, and how diverse the damage from hacking a WhatsApp or Telegram account may be. But better not to let it come to that, and to learn to recognize key hijacking scams in order to prevent them in time.

Why hijack your WhatsApp or Telegram account?

A stolen account can be appealing because of its content, access rights, or simply the fact that it’s verified, linked to a phone number, and has a good reputation. Having stolen your Telegram or WhatsApp account, cybercriminals can use it in a variety of ways:

• To send spam and phishing messages on your behalf to all your contacts – including private channels and communities.
• To write sob stories to all your friends asking for money. Worse yet – to use AI to fake a voice or video message asking for help.
• To steal accounts from your friends and family by asking them to vote in a contest, “gifting” them a fake Telegram Premium subscription, or employing some other fraudulent scheme – of which there are many. Coming from someone the recipient knows, messages like this tend to inspire greater trust.
• To hijack a Telegram channel or WhatsApp community you manage.
• To blackmail you with the contents of your chats – especially if there’s sexting or other compromising messages.
• To read your chats quietly, which may have strategic value if you’re a businessman, politician, military or security officer, or civil servant.
• To upload a new photo to your account, change your name, and use your account for targeted scams: from flirting with crypto investors (pig butchering) to requests from the victim’s boss (boss scams).

Due to this variety of applications, criminals need new accounts all the time, and anyone can become a victim.

WhatsApp, Telegram, and QQ quishing

Scammers used to steal accounts by tricking people into giving them text verification codes (required to log in), or by intercepting these codes. But since this method is no longer as effective, the focus has shifted to trying to link an additional device to the victim’s account. This works best when using phishing schemes based on QR codes – known as quishing.

Attackers either put up their own ads or carefully stick malicious QR codes on top of someone else’s to overlay the legitimate code. They can also print a QR code on a flyer and drop it in a mailbox, post it on a social network or website, or simply send it by email. The pretext can be anything: an invitation to join a neighborhood chat; connect to an office, campus, or school community; download a restaurant menu or claim a discount; or view cinema showtimes or extra information on movies and other events.

The code alone can’t cause your account to be hijacked, but it can lure you to a scam website containing detailed instructions telling you where to click in the messaging app, and what to do after that. The site shows you another, dynamically generated, QR code, which the attackers’ server requests from WhatsApp or Telegram when it asks the service to link a new device to your account. And if you, determined to enjoy every benefit civilization has to offer, decide that another code won’t hurt and follow the instructions, then the device used by the attackers will get access to all your data in the app. In fact, you can see it in the “Devices” or “Linked devices” sections of Telegram or WhatsApp, respectively. However, this attack is designed for those who aren’t very familiar with messaging app settings, and who might not check such submenus regularly. Incidentally, users of QQ, China’s most popular messaging app, are also targeted by similar attacks.

Malicious polls, fraudulent gifts, and girls… undressing

Aside from QR codes, scammers may also attack you by sending seemingly harmless links, such as those for “people’s choice” votes, instant lotteries, or giveaways. On Telegram, they like to mimic the interface used for receiving a Premium subscription as a gift.

Typically, you get to such pages through messages from friends or acquaintances whose accounts have already been compromised by the same scammers. The homepage is always full of catchy phrases like “vote for me” and “claim your gift”.

A variation on the scam involves messages from a “messaging app security service”. You might get contacted by someone using a name like “Security” or “Telegram security team”. They offer to protect your data by transferring your account to a secure account clicking a link and enabling “advanced security options”.

Lastly, you could get an ad for a service or bot that offers something useful or fun – like an AI chatbot or a… nude generator.

There’s another potential scam scenario for Telegram: since 2018, the service has offered website owners authentication of visitors using the Telegram Login Widget. It’s a real, functioning system, but scammers take advantage of the fact that few people know how this authentication is supposed to work – replacing it with a phishing page to steal information.

In any of these scenarios, once you’re through the enticing landing page, you’ll be asked to “sign in to your messaging app”. This procedure might involve scanning a QR code or simply entering your phone number and the OTP code on the website. This part of the website is typically disguised as a standard WhatsApp or Telegram authentication interface – creating the illusion that you’ve been redirected to the official website for login. In reality, the entire process is happening on the attackers’ own site. If you comply and enter the data or scan the code, cybercriminals will immediately gain control of your messaging app account. Your only reward? Some kind of thank-you message like your premium subscription will activate within 24 hours (it won’t; who knew?!).

Hacking a smartphone with a fake WhatsApp or Telegram app

An old yet still effective way to hijack accounts is by using trojanized mods; that is – modified versions of messaging apps. This threat is especially relevant for Android users. You can come across ads touting “improved” versions of popular messaging apps on forums, in groups chats, or simply in search results. WhatsApp mods often promise the ability to read deleted messages and see the statuses of those who hid them, while Telegram fans are promised free Premium features.

Downloading and installing a mod like this infects your phone with malware that can steal the messaging account along with all the other data on the device. Interestingly, Android users can encounter spyware-infected mods even in the “holy of holies”: the official Google Play store.

What happens to a hijacked Telegram or WhatsApp account?

The fate of your hijacked account depends on the attackers’ intentions. If their goal is espionage or blackmail, they’ll just quickly download all your chats for analysis, and you may not notice anything at all.

If cybercriminals want to send fraudulent messages to your contacts, they’ll immediately delete sent messages by using the “delete for me only” feature to make sure you don’t notice anything for as long as possible. However, sooner or later, you’ll start receiving messages from surprised, outraged, or simply vigilant friends, or you yourself will notice traces of an unauthorized presence.

Another consequence of hacking may be the messaging service’s reaction to the spam. If recipients report your messages, your account may become restricted or blocked – preventing you from sending messages for several hours or days. You can appeal the restrictions by using a special button, such as “Request a Review” in the message from the moderators, but it’s best to first ensure that you have exclusive control over your account and wait at least a few hours afterward.

Telegram treats all devices linked to an account equally, which means scammers can take over your entire account and kick you out by disconnecting all your devices. However, to do this, they’d need to remain logged in unnoticed for a whole day: Telegram has a 24-hour waiting period before one can log out other devices from a newly connected account. If you’ve been locked out of your own Telegram account, read our detailed recovery guide.

On WhatsApp, the first device you use to log in to your account becomes the primary one, and other devices are secondary. This means hackers can’t pull off that trick there.

How to protect yourself from WhatsApp and Telegram account hijacking

You can find detailed instructions on how to secure your Telegram, WhatsApp, Signal, and Discord in our separate guides. Let’s go over the general principles again:

• Be sure to enable two-factor authentication (also variously known as “cloud password” or “two-step verification”) in the messaging app, and use a long, complex, and unique password or passphrase.
• On WhatsApp, you can choose a passkey instead of a password. This protection is more reliable.
• Avoid taking part in giveaways and lotteries. Don’t accept gifts that you didn’t expect – especially if you need to log in to some websites through the messaging app to receive them.
• Learn how legitimate authorization through Telegram looks, and immediately close any websites that look different. To put it simply, during a legitimate authorization process, all you need to do is click the “Yes, I want to go to such-and-such website” button within the Telegram chat with the bot. No scanning or entering of codes is required.
• Check your WhatsApp and Telegram settings regularly to see what devices are connected. Disconnect any that look old or fishy.
• Always use official messaging apps downloaded from trusted sources like Google Play or the App Store, Galaxy Store, Huawei AppGallery, and other major app stores.
• Be more careful with desktop messaging clients – especially at the office.
• Use a reliable protection system on all your devices to avoid visiting phishing sites or installing malware.

Kaspersky official blog – ​Read More

Overview

Cyble’s weekly industrial control system (ICS) vulnerability report to clients warned about internet-facing medical imaging and critical infrastructure asset management systems that could be vulnerable to cyberattacks.

The report examined six ICS, operational technology (OT), and Supervisory Control and Data Acquisition (SCADA) vulnerabilities in total, but it focused on two in particular after Cyble detected web-exposed instances of the systems.

Orthanc, Trimble Cityworks Vulnerabilities Highlighted by CISA

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued advisories alerting users to vulnerabilities in medical imaging and asset management products.

Orthanc is an open-source DICOM server used in healthcare environments for medical imaging storage and retrieval, while Trimble Cityworks is a GIS-centric asset management system used to manage all infrastructure assets for airports, utilities, municipalities, and counties.

In a February 6 ICS medical advisory, CISA said the Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled, which could result in unauthorized access by a malicious actor. The Missing Authentication for Critical Function vulnerability, CVE-2025-0896, has been assigned a CVSS v3.1 base score of 9.8, just below the maximum score of 10.0.

Orthanc recommends that users update to the latest version or enable HTTP authentication by setting the configuration “AuthenticationEnabled”: true in the configuration file.

Cyble provided a publicly accessible search query for its ODIN vulnerability search tool, which users can use to find potentially vulnerable instances.

“This flaw requires urgent attention, as Cyble researchers have identified multiple internet-facing Orthanc instances, increasing the risk of exploitation,” the Cyble report said. “The exposure of vulnerable instances could allow unauthorized access to sensitive medical data, manipulation of imaging records, or even unauthorized control over the server. Given the high stakes in healthcare cybersecurity, immediate patching to version 1.5.8 or later, along with restricting external access, is strongly recommended to mitigate potential threats.”

CVE-2025-0994 is an 8.6-rated Deserialization of Untrusted Data in Trimble Cityworks that was reported to CISA by Trimble, which quickly patched the vulnerability and issued mitigation guidance. CISA issued an advisory on the vulnerability, which affects Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10, and also added the vulnerability to CISA’s Known Exploited Vulnerabilities catalog.

Cyble provided an ODIN search query for users to check for exposed Cityworks instances and a hash query for ODIN subscribers.

Recommendations for Mitigating ICS Vulnerabilities

Cyble recommends several important controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include:

1. Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management reduces the risk of exploitation.
2. Implementing a Zero-Trust  Policy to minimize exposure and ensure that all internal and external network traffic is scrutinized and validated.
3. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency.
4. Proper network segmentation can limit an attacker’s potential damage and prevent lateral movement across networks. This is particularly important for securing critical ICS assets, which should not be exposed to the Internet if possible and properly protected if remote access is essential.
5. Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors.
6. Establishing and maintaining an incident response plan and ensuring that it is tested and updated regularly to adapt to the latest threats.
7. All employees, especially those working with Operational Technology (OT) systems, should be required to undergo ongoing cybersecurity training programs. The training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations.

Conclusion

These vulnerabilities show the danger that medical and critical infrastructure system vulnerabilities can pose to patients, utilities, airports, and other sensitive environments. The organizations and CISA responded rapidly in these cases, but now users must do the same and ensure that the systems are patched and properly protected.

Regardless of the sector, staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls can limit risk. This includes limiting internet exposure and properly protecting assets that must be accessed remotely.

To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape.

The post Cyble Warns of Exposed Medical Imaging, Asset Management Systems appeared first on Cyble.

Blog – Cyble – ​Read More

Key Takeaways

• BTMOB RAT is an advanced Android malware evolved from SpySolr that features remote control, credential theft, and data exfiltration.
• It spreads via phishing sites impersonating streaming services like iNat TV and fake mining platforms.
• The malware abuses Android’s Accessibility Service to unlock devices, log keystrokes, and automate credential theft through injections.
• It uses WebSocket-based C&C communication for real-time command execution and data theft.
• BTMOB RAT supports various malicious actions, including live screen sharing, file management, audio recording, and web injections.
• The Threat Actor (TA) actively markets the malware on Telegram, offering paid licenses and continuous updates, making it an evolving and persistent threat.

Overview

On January 31, 2025, Cyble Research and Intelligence Labs (CRIL) identified a sample lnat-tv-pro.apk (13341c5171c34d846f6d0859e8c45d8a898eb332da41ab62bcae7519368d2248) being distributed via a phishing site “hxxps://tvipguncelpro[.]com/” impersonating iNat TV – online streaming platform from Turkey posing a serious threat to unsuspecting users.

On VirusTotal, the sample was flagged by Spysolr malware detection, which is based on Crax RAT, developed by the Threat Actor EVLF. During our analysis, we also checked the official Spysolr Telegram channel, where the TA announced a new project called “BTMOB RAT.”

The malware sample downloaded from the phishing site demonstrated typical RAT behavior, establishing a WebSocket connection with a Command and Control (C&C) server at hxxp://server[.]yaarsa.com/con. The request body revealed the “BTMOB” string along with version number “BT-v2.5”, confirming that the sample is indeed the latest version of BTMOB RAT.

Through their Telegram channel, the TA has been advertising BTMOB RAT, highlighting its capabilities, including live screen control, keylogging, injections, lock feature, and collecting various data from infected devices. The actor is offering a lifetime license for $5,000 (in a one-time payment) with an additional $300 per month for updates and support for the latest version of this malware.

Since late January 2025, we have identified approximately 15 samples of BTMOB RAT (v2.5) in circulation. Earlier variants, active since December 2024, were associated with SpySolr malware, which communicated with hxxps://spysolr[.]com/private/SpySolr_80541.php.

The latest BTMOB RAT version exhibits a similar C&C structure and codebase, indicating that it is an upgraded version of SpySolr malware.

An additional BTMOB RAT sample was shared by MalwareHunterTeam and identified by 0x6rss.

Like many other Android malware variants, the BTMOB RAT leverages the Accessibility service to carry out its malicious actions. The following section provides a detailed overview of these activities.

Technical Details

Upon installation, the malware displays a screen urging the user to enable the Accessibility Service. Once the user turns on the Accessibility Service, the malware proceeds to grant the requested permissions automatically.

Meanwhile, the malware connects to the C&C server at “hxxp://78[.]135.93.123/yaarsa/private/yarsap_80541.php,” which follows a structure similar to the Spysolr malware. Once connected, it initiates a WebSocket connection for server-client communication and transmits JSON data containing the device ID (pid), BotID (idf), connection type (subc), and a message (msg).

The image below illustrates the “join” connection type request sent to the server, after which the client receives a “Connected” response with the “type” value in JSON.

Over the course of our analysis, we observed that the malware receives 5 different responses for value “type” as listed below:

Type	Description
proxy	Establish other WebSocket connection
stop	Stops activity based on server response
join	Sends a join message along with device ID and bot ID
com	The malware receives various commands through this response type
connected	The server sends this response upon successful connection establishment
Unauthorized access	The server sends this response when the client fails to register the device

After successfully establishing a WebSocket connection, the malware transmits device-related information, including the device name, OS version, model, battery status, wallpaper, malicious app version number, and the status of malicious activities such as key logs, visited apps, visited links, notifications, and other activities.

The malware receives commands from the server using the “com” response type. The first command it received was “optns.” Along with this command, the server transmits the activity status to be initiated, which the malware then stores in a shared preference file.

Our analysis revealed that the malware receives a total of 16 commands from the server, each of which is listed below, along with its description.

Command	Description
optns	Get action status to enable malicious activities
fetch	Collects the mentioned file in the response or device phone number based on the sub-command
brows	Loads URL into WebView, and perform actions based on JavaScript
lock	Receives lock pin and other details related to lock, and saves them to the Shared Preference variable
ject	Manages injection
file	Manages file operations
clip	Collects clipboard content
chat	Displays a window with the message received from the server, gets the reply entered in the edit field, and sends to the server
wrk	Receives additional commands to perform other activities such as collecting SMS, contacts, location, files, managing audio settings, launching activity, and many other
srh	Search file
mic	Records audio
add	Get all collected data, including keylogs, active injections, links, device information, wallpaper, and SIM information
bc	Opens alert Window or displays notification with the message received from the server
upload	Downloads injection files
screen	Handles live screen activity
scread	Collects content from the screen

brows Command

The primary function of this command is to load a URL or HTML content into the WebView and execute actions like collecting input, clicking, and scrolling using JavaScript.

When the malware receives a “brows” command, the server sends additional parameters within a JSON object, including “ltype” and “extdata”. The “ltype“ parameter dictates specific actions for the malware, such as loading a URL or HTML code into the WebView, keeping a record of visited websites, along with timestamps and input data, and transmitting the collected data, as illustrated in Figures 9 and 10.

Once the malware loads a URL or HTML code into the WebView, it runs JavaScript to collect user-entered data from the webpage. The extracted information, which may include sensitive details like login credentials, along with the date and website link, is then stored in a JSON object.

Once the data is collected, it is saved in a map variable and later transmitted to the C&C server when the malware receives the “lp” value through the “ltype” parameter.

The malware can receive additional commands through the “extdata” parameter, which includes actions such as scrolling, clicking, entering text, navigating, and loading another URL.

The “text” and “enter” actions are executed using JavaScript, while navigation, scroll, and other movement-based actions are carried out using Motion events.

This feature enables the malware to steal login credentials while also providing various options to automate the credential theft process.

screen Command

When the malware initially receives the “optns” command, it checks the live screen activity status to determine whether to proceed. Based on this status, the malware then initiates screen capture using Media Projection.

To perform live actions, the malware receives the command “screen” along with different actions as listed below:

• L: With this action, the malware receives a “lock” value, determining whether to lock or unlock the device. It checks the lock type (PIN, password, or pattern) and unlocks the device accordingly.

If the device is locked with a password, the malware retrieves the saved password from the “mob_lck” shared preference variable, which was previously extracted during “LockActivity”. It then enters the password using “ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE”, as shown in the figure below.

If the device is locked with a pattern or PIN, the malware retrieves the pattern coordinates or PIN digits and uses the dispatchGesture API to either draw the pattern or simulate taps on the PIN keypad to unlock the device.

• Q: Receives the compression quality number to control the quality of screen content

• kb: Controls keyboard state

• mov: Moves the cursor on the screen using specified x and y coordinates.

• nav: Executes navigation actions such as returning to the home screen, switching to recent apps, or going back.

• vol: Adjusts the device’s audio volume.

• snap: Captures a screenshot.

• block: Displays a black screen to conceal live screen activity from the victim.

• paste: Gets the text from the server and enters it using “ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE”

• sklecolor: Receives a color code to change the color of rectangular boundaries using Accessibility Service API

• skilton: Turns on the service responsible for capturing screen content

ject Command

The malware utilizes the “ject” command to manage injection activities, including removing the injection list, collecting extracted data during injection, and deleting the extracted injection data from the device.

The malware maintains an ArrayList “d” to store target application package names, injection paths, and data collected from injection activities. It uses the “upload” command to download an injection ZIP file into the “/protected” directory. The ZIP file is then extracted, and its contents are saved using the “jctid” filename received from the server.

The malware retrieves the package name of the currently running application and checks if it exists in its list. If a match is found, it loads the corresponding injection HTML file from the “/protected” directory and launches “WebInjector.class” to execute the injection.

The WebInjector class loads the injected HTML phishing page into a WebView. When the user enters their credentials on this fake page, the malware captures the input and sends it to the C&C server.

wrk Command

When the malware receives a “wrk” command, it also gets a parameter called “cmnd”, which includes additional instructions for executing various malicious activities.

This command enables the malware to perform various malicious activities, including:

• Collecting contacts, SMS, location data, installed apps, thumbnails, and device information.
• Controlling audio settings.
• Requesting permissions.
• Executing shell commands.
• Managing files (deleting, renaming, creating, encrypting, or decrypting).
• Terminating services.
• Taking screenshots.
• Stealing images.

Conclusion

BTMOB RAT, an evolution of the SpySolr malware, poses a significant threat to Android users by leveraging Accessibility Services to perform a wide range of malicious activities. From stealing login credentials through WebView injections to manipulating screen content, collecting sensitive data, and even unlocking devices remotely, this malware demonstrates a high level of sophistication.

This potent malware uses WebSocket communication with a C&C server to allow real-time command execution, making it a powerful tool for cybercriminals. The malware’s distribution through phishing websites and continuous updates by the threat actor indicate an ongoing effort to enhance its capabilities and evade detection.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

• Download and install software only from official app stores like Google Play Store or the iOS App Store.
• Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
• Use strong passwords and enforce multi-factor authentication wherever possible.
• Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
• Be wary of opening any links received via SMS or emails delivered to your phone.
• Ensure that Google Play Protect is enabled on Android devices.
• Be careful while enabling any permissions.
• Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactics	Technique ID	Procedure
Initial Access (TA0027)	Phishing (T1660)	Malware distribution via phishing site
Persistence (TA0028)	Event-Triggered Execution: Broadcast Receivers (T1624.001)	BTMOB listens for the BOOT_COMPLETED intent to automatically launch after the device restarts.
Defense Evasion (TA0030)	Masquerading: Match Legitimate Name or Location (T1655.001)	Malware pretending to be a genuine application
Defense Evasion (TA0030)	Application Discovery (T1418)	Collects installed application package name list to identify target
Defense Evasion (TA0030)	Hide Artifacts: Suppress Application Icon (T1628.001)	Hides application icon
Defense Evasion (TA0030)	Obfuscated Files or Information (T1406)	BTMOB has used string obfuscation
Defense Evasion (TA0030)	Input Injection (T1516)	Malware can mimic user interaction, perform clicks and various gestures, and input data
Credential Access (TA0031)	Clipboard Data (T1414)	Collects clipboard data
Credential Access (TA0031)	Input Capture: Keylogging (T1417.001)	BTMOB can collect credentials via keylogging
Discovery (TA0032)	File and Directory Discovery (T1420)	BTMOB enumerates files and directories on external storage
Discovery (TA0032)	Process Discovery (T1424)	The malware checks the currently running application in the foreground with the help of the Accessibility Service
Discovery (TA0032)	Software Discovery (T1418)	Collects installed application list
Discovery (TA0032)	System Information Discovery (T1426)	Collects device information such as device name, model, manufacturer, and device ID
Discovery (TA0032)	System Network Configuration Discovery (T1422)	Malware collects IP and SIM information
Collection (TA0035)	Audio Capture (T1429)	Malware captures audio using the “mic” command
Collection (TA0035)	Data from Local System (T1533)	Collects files from external storage
Collection (TA0035)	Protected User Data: Contact List (T1636.003)	BTMOB collects contacts from the infected device
Collection (TA0035)	Protected User Data: SMS Messages (T1636.004)	Collects SMSs
Collection (TA0035)	Screen Capture (T1513)	Malware records screen using Media Projection
Command and Control (TA0037)	Application Layer Protocol: Web Protocols (T1437.001)	BTMOB uses HTTP to communicate with the C&C server
Exfiltration (TA0036)	Exfiltration Over C2 Channel (T1646)	Sending exfiltrated data over C&C server
Impact (TA0034)	Data Encrypted for Impact (T1471)	Malware can encrypt files on the device using AES

Indicators of Compromise (IOCs)

Indicators	Indicator Type	Description
8dbfcf6b67ee6c5821564bf4228099beaf5f40e4a87118cbb1e52d8f01312f40	SHA256	Analyzed BTMOB RAT
d7b115003784ac2a595083795abffe68d834cdf0	SHA1	Analyzed BTMOB RAT
cb801ef4d92394f984f726c9fc4f8315	MD5	Analyzed BTMOB RAT
hxxp://78[.]135.93.123/yaarsa/private/yarsap_80541.php	URL	C&C server
hxxp://78[.]135.93.123:8080	URL	WebSocket  connection URL
hxxps://tvipguncelpro[.]com/	URL	Phishing URL
13341c5171c34d846f6d0859e8c45d8a898eb332da41ab62bcae7519368d2248	SHA256	Analyzed BTMOB RAT
23e6d0fd3bbc71c0188acab43d454c39fa56d206	SHA1	Analyzed BTMOB RAT
e54490097af9746e375b87477b1ffd2d	MD5	Analyzed BTMOB RAT
hxxp://server[.]yaarsa.com/con	URL	WebSocket connection URL
b053a3d68abb27e91c2caf5412de7868fe50c7506e1f9314fee4c26285db7f59 b053a3d68abb27e91c2caf5412de7868fe50c7506e1f9314fee4c26285db7f59 bb20f2bfb78fd5a2ff4693939d061368949cd717b8033b6facba82df26b31a1a a4c15afd6cb79b66fce3532907e65ccd13c8140a3cb26cc334138775f7a6aebd 061fdbf0c61a29d31406887a40b4f6a551600f7366a711ecce6063f61965308d 937e77d2a910a1452f951d2de6f614a6219e707c40b6789ccf31cac0d82868cc 9141e25b93d315843399a757cddb63af55bdbdd4094fba4a6b2bbea89bf9ecf9 b724ca474c2bca77573e071524bd5500f0355c8b6b8bb432dcc2d8664ed2d073 6ce41ee43a5d5f773203cfcf810c0208246f0b27505d49b270288751a747f5a3 8548600b4e461580fe32fea6c1e233a5862483ca9a617d79fdea001ebf5556cc 8df615fa33dcd7aa81adc640ac42a6a9a4a2bebbb5308f1d8a35afa169e99229 186cd8d9998d6c4e2d12a1370056ba910a6f8a2176c8b0c9362a868830fcfb07 071d3ad980ea77a9041c580015b2796d3d5d471c2fc1039c8f381501efb3cda0 04241bc4ce9cece5644cd7f8f86ede7def5cb6122b2f3b5760c2c3556da34a7d 2b725322f9a019b0106a084694c18fbb8604cf64c65182153c4d67ff3adf4e48 2b307f11ae418931674156425c47ff1c0645fb0b160290cd358599708ff62668	SHA256	BTMOB RAT

The post BTMOB RAT: Newly Discovered Android Malware Spreading via Phishing Sites appeared first on Cyble.

Blog – Cyble – ​Read More