For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
ClearML XSS and information disclosure vulnerabilities
Discovered by Edwin Molenaar of Cisco Meraki.
ClearML contains two vulnerabilities. ClearML is an open-source AI platform that supports the entire AI development lifecycle from research to production. It is designed to integrate with existing tools and infrastructures, allowing developers and DevOps teams to build, train and deploy models at scale.
TALOS-2024-2110 (CVE-2024-39272) is a cross-site scripting vulnerability. A specially crafted HTTP request can allow an attacker to upload HTML files to a dataset through an existing ClearML account. The files can later be rendered within the browser of an authenticated ClearML user and execute JavaScript.
TALOS-2024-2112 (CVE-2024-43779) is an information disclosure vulnerability. A specially crafted HTTP request can lead to an attacker reading vaults that have been previously disabled, possibly leaking sensitive credentials. An attacker can send a series of HTTP requests to trigger this vulnerability.
Nvidia memory corruption and heap-based buffer overflow vulnerabilities
Discovered by Dimitrios Tatsis.
The nvJPEG2000 library is provided by NVIDIA as a high-performance JPEG2000 encoding and decoding library. It requires a CUDA-enabled GPU in the system, which allows faster processing than traditional CPU implementations.
TALOS-2024-2080 (CVE-2024-0142) and TALOS-2024-2095 (CVE-2024-0143) are memory corruption vulnerabilities. A specially crafted JPEG2000 file can lead to an out-of-bounds write with arbitrary data which can lead to further memory corruption and arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
TALOS-2024-2108 (CVE-2024-0144) and TALOS-2024-2113 (CVE-2024-0145) are heap-based buffer overflow vulnerabilities in the handling of the Ndecomp field and parameter. A specially crafted JPEG2000 file can lead to memory corruption and arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities.
Three out of four organizations worldwide use hybrid clouds, and three-quarters of them consider their IT migration and modernization projects to be successful. But what is success — and how does a successful IT project affect the business and capabilities of a company? Authors of the Enterprise Application Modernization: A Journey through Container-Based Cloud Architecture Transformation study tried to answer these questions and to summarize the available information on how the transition to cloud and container infrastructure affected the activities of companies that have made this transformation.
The economic arguments in favor of the transition turned out to be weighty. In the studied organizations, IT operating costs decreased by an average of 31%, and infrastructure costs by 45%, including routine maintenance costs, which decreased by 52%. More importantly, for the first time in many years, businesses were able to unburden their IT teams from the tasks of supporting old code and use those resources for new development. In large organizations, IT services spend up to 80% of their budget on legacy IT support, and the transition to modern infrastructure not only speeds up that support but also frees up additional personnel for innovation. Software update cycles are ultimately accelerated by 65%, ensuring a quick response to market changes and better satisfaction of user needs. The authors call the transition to container and microservice architectures in the cloud environment, together with automated build pipelines, the “three pillars” of efficiency that are responsible for all these radical improvements.
Part of the study is devoted to information security issues. Thanks to this, you can see what contribution various information security tools make to improving the efficiency of IT development, and what indicators you should strive for in your organization. We decided to analyze the main principles and tools and explain how they’re implemented in the updated version of Kaspersky Cloud Workload Security.
Automatic application and monitoring of information security policies
A key challenge for IT and information security is maintaining visibility and control over all IT assets, and this task has become more complex with the transition to hybrid cloud infrastructure. The diversity of assets and management tools results in increased costs and time spent on managing this “zoo” for the company. Therefore, unification of management, compliance control, creation and application of policies should be one of the priority goals in IT transformation projects. If the selected set of information security tools is able to solve this problem in the company’s cloud infrastructure, IT and information security services will save 73% of the time spent on policy management and achieving security compliance.
The practical embodiment of this principle can be seen in the new version of Kaspersky Cloud Workload Security, a solution that provides comprehensive protection for container infrastructure, cloud servers, and virtual machines. Several tools at once simplify work with policies and give administrators a centralized overview and control over the entire infrastructure. The security analysis function of the orchestrator and its clusters helps quickly find problems by structuring them by problem type. Automatic container profiling allows you to improve the security policies applied in the infrastructure with minimal human intervention, as well as to find abnormally operating containers for detailed analysis.
The unified cloud console of Kaspersky Hybrid Cloud Security provides an overview of the cloud or hybrid infrastructure, and allows security personnel to instantly update policies for large groups of IT assets or simultaneously run tasks on them.
As for virtual and physical servers, the lightweight agent that protects them performs several functions related to compliance and security posture in automatic mode: from automatic patch management and system hardening to detailed event logging and the use of a role-based access control system (RBAC).
Container scanning in the DevSecOps pipeline
Integration of automated cybersecurity checks at all stages of development and operation of an IT product is the key to significantly increasing the level of security while reducing the workload of IT and information security teams and improving all metrics of the IT system’s “health”. Companies that have implemented a comprehensive approach to container security report a 79% reduction in the number of security-related incidents, and the elimination of 94% of known vulnerabilities at the stages before the deployment of the IT system. As a result, it’s possible to reduce the risk of incidents in the operated system by 89%, the risk of failure at the deployment stage by 68%, and at the same time reach a 99.97% level of unification of the configuration of similar containers. The unification is important because container scanning is used not only to check for component vulnerabilities and malware, but also for the detection of insecure configurations, as well as typical developer errors such as API keys and other secrets embedded directly in the code. Kaspersky Cloud Workload Security also integrates with HashiCorp Vault, allowing you to securely store the solution’s secrets in this secrets manager. Kaspersky Cloud Workload Security supports control of container image signatures, and integrates all checks directly with the DevOps pipeline, which helps developers avoid taking malicious or vulnerable images as the basis of their projects, and interrupts the product development process if critical security defects are detected. In general, KCWS helps the development team implement a shift-left approach, in which testing and quality assurance are performed at the early stages of development, including verification of APIs, container configurations, and microservice interactions. All this allows you to find and fix errors earlier, reducing the cost of maintaining and testing the final product.
Effective monitoring of running processes
Despite numerous preliminary checks of images, runtime environments, and other infrastructure components, monitoring running containers, virtual servers, and the computing environment in which all this occurs remains a critical security task. According to the authors of the study, these measures allow detecting 87% of threats in the first half-minute after their occurrence, and preventing 96% of unauthorized access attempts.
Monitoring results in significant costs: additional computing load on cloud services, multiplied by the number of servers and clusters, as well as man-hours of SOC specialists. Therefore, computing and cost efficiency are critical requirements for both the containerization infrastructure itself and its security system.
This aspect is carefully thought out in Kaspersky Cloud Workload Security. For virtual and physical servers, Light Agent technology saves up to 30% of computing resources in a private cloud, and in a container infrastructure, security agents are launched in separate containers to prevent the performance degradation of the entire cluster. The system has excellent scalability and can protect clusters with up to ten thousand nodes.
Savings start right from the installation of the product — from flexible licensing terms adapted to a specific infrastructure, to effective security settings and rules “out of the box” that reduce the time of initial setup significantly.
Rapid incident response
How do you prepare for a situation in which an attacker has successfully penetrated the system? In this case, the information security team should have playbooks for incident response, and information security systems should provide the necessary tools. In an IT infrastructure equipped with a comprehensive cloud security system, the response time (MTTR), according to the research, is reduced by an impressive 71%. The real difference can be seen in the example of a fast ransomware attack: will it be a routine information security incident, or a full-scale paralysis of the entire business for several days or weeks?
To simplify response, the new version of Kaspersky Cloud Workload Security has a container forensic function that permits investigating policy violations and gaining deeper insight into both specific violating events and events that occurred in a close time frame. Event logs in a running container have additional fields that are often needed when investigating an incident. Protection and logging are also carried out on the orchestrator nodes. In addition, event logs can now be sent directly from agents to SIEM systems. Comprehensive logging simplifies detection of the source of an attack, helps compare events that are registered during this attack, or detects vulnerabilities and other risks.
The transition to container and cloud infrastructures usually begins with economic necessity and the requirements of a competitive market. But in order to successfully make the transition and get the promised benefits, it’s important not to outweigh them by creating new high cyber-risks, or implementing an information security approach that will be economically ineffective. These negative scenarios can be avoided by implementing a comprehensive and well-scalable cloud security system, such as Kaspersky Cloud Workload Security.
Container security tools and their business benefits | Kaspersky official blog, 2025-02-14
BSI Expands Cybersecurity Cooperation with Hamburg
Germany continues to strengthen its cybersecurity framework as the Federal Office for Information Security (BSI) and the Free and Hanseatic City of Hamburg formalize their collaboration. The agreement, signed on February 7 at Hamburg City Hall, establishes a structured approach to cyber threat intelligence sharing, incident response coordination, and awareness initiatives for public sector employees.
BSI Vice President Dr. Gerhard Schabhüser stressed the urgency of strengthening cybersecurity across federal and state levels:
“In view of the worrying threat situation in cyberspace, Germany must become a cyber nation. State administrations and municipal institutions face cyberattacks daily. Attacks on critical infrastructure threaten social order. Germany is a target of cyber sabotage and espionage. Our goal is to enhance cybersecurity nationwide. To achieve this, we must collaborate at both federal and state levels.”
This partnership is part of a broader federal initiative, with BSI having previously signed cooperation agreements with Saxony, Saxony-Anhalt, Lower Saxony, Hesse, Bremen, Rhineland-Palatinate, and Saarland. These agreements provide a constitutional framework for joint cyber defense efforts, strategic advisory services, and rapid response measures following cyber incidents.
With cyber threats growing in complexity, state-level cooperation plays a vital role in reinforcing Germany’s cybersecurity resilience, ensuring government agencies, public sector institutions, and critical infrastructure operators have the necessary tools and expertise to prevent, detect, and mitigate cyber threats effectively.
Addressing Digital Violence
Days later, on February 11, BSI hosted “BSI in Dialogue: Cybersecurity and Digital Violence” in Berlin, bringing together representatives from politics, industry, academia, and civil society to address the growing risks associated with digital violence in an increasingly interconnected world.
While cybercriminals typically operate remotely, digital violence introduces a new layer of cyber threats, where attackers exploit personal relationships, home technologies, and social connections to manipulate, monitor, or harm individuals. This includes:
Unauthorized access to smart home devices for spying, stalking, or harassment.
Misuse of digital vulnerabilities to monitor victims or leak personal data.
Exploitation of location tracking features to stalk or control individuals.
The event initiated several working groups to develop strategic responses to digital violence and was mainly focused on:
Defining Digital Violence
International research has varied definitions of digital violence, making it difficult to establish a legal and policy framework in Germany.
Experts emphasized the need for a standardized definition to develop measurement tools and track digital violence cases more effectively.
Technical Support for Victims
The WEISSER RING initiative presented concepts for a technical contact point to assist victims.
Discussions concluded that victims and advisors need greater technical expertise to counter digital violence effectively.
Corporate Responsibility
Businesses were encouraged to implement protective policies for employees and integrate security-by-design principles in their products to prevent misuse.
Manufacturers and service providers must take accountability for securing digital products against exploitation.
Empowerment Through Cybersecurity Education
Widespread digital literacy programs can help individuals identify and mitigate digital threats.
BSI-led initiatives will focus on consumer awareness, IT security training, and response strategies for digital violence victims.
Schabhüser emphasized the human aspect of cybersecurity at the event:
“People can only move safely in a digitalized environment if they recognize the opportunities and risks of digital technologies and can overcome challenges through their own actions.”
BSI’s dual efforts in federal-state cybersecurity collaboration and digital violence prevention reflect Germany’s proactive stance against emerging cyber threats. As cybercriminals adapt and evolve their tactics, both government agencies and individual users must be equipped with the necessary knowledge, tools, and policies to fortify digital resilience.
Conclusion
Through structured cooperation, regulatory frameworks, and public awareness programs, BSI aims to build a secure and cyber-resilient society, ensuring state institutions, businesses, and individuals can operate safely in an increasingly digital world.
Germany is Strengthening Cybersecurity with Federal-State Collaboration and Digital Violence Prevention, 2025-02-14
In a strongly worded advisory, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have urged software developers to cease unsafe development practices that lead to “unforgivable” buffer overflow vulnerabilities.
“Despite the existence of well-documented, effective mitigations for buffer overflow vulnerabilities, many manufacturers continue to use unsafe software development practices that allow these vulnerabilities to persist,” the agencies said in the February 12 Secure By Design alert. “For these reasons—as well as the damage exploitation of these defects can cause—CISA, FBI, and others designate buffer overflow vulnerabilities as unforgivable defects.”
The agencies said threat actors leverage buffer overflow vulnerabilities to gain initial access to networks, thus making them a critical point for preventing attacks.
We’ll look at the prevalence of buffer overflow vulnerabilities, some examples cited by CISA and the FBI, and guidance for secure development and use of memory-safe programming languages.
Buffer Overflow Vulnerabilities: Prevalence and Examples
The FBI-CISA guidance specifically mentions the common software weaknesses CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), along with stack-based buffer overflows (CWE-121) and heap-based buffer overflows (CWE-122).
The phrase “buffer overflow” occurs in 67 of the 1270 vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog, or 5.28% of the KEV database. The words “buffer” and “overflow” occur in 84 of the KEV vulnerabilities (6.6%).
CISA and the FBI cited six examples of buffer overflow vulnerabilities in IT products:
CVE-2025-21333, a Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege vulnerability
CVE-2025-0282, a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3
CVE-2024-49138, a Windows Common Log File System Driver Elevation of Privilege vulnerability
CVE-2024-38812, a VMware vCenter Server heap-overflow vulnerability
CVE-2023-6549, an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Citrix Systems’ NetScaler ADC and NetScaler Gateway
CVE-2022-0185, a heap-based buffer overflow flaw in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length (the CWE in this case was CWE-190, Integer Overflow or Wraparound).
“These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution,” the agency guidance said. “Threat actors frequently exploit these vulnerabilities to gain initial access to an organization’s network and then move laterally to the wider network.”
They added that “the use of unsafe software development practices that allow the persistence of buffer overflow vulnerabilities—especially the use of memory-unsafe programming languages—poses unacceptable risk to our national and economic security.”
Memory-Safe Software Development
The agencies urged manufacturers “to take immediate action to prevent these vulnerabilities from being introduced into their products. … Software manufacturer senior executives and business leaders should ask their product and development teams to document past buffer overflow vulnerabilities and how they are working to eliminate this class of defect.”
Customers should hold manufacturers accountable by requesting a Software Bill of Materials (SBOM) and a secure software development attestation, the FBI and CISA said.
For development teams, the agencies recommended the following secure by design practices to prevent buffer overflow vulnerabilities:
Memory-safe languages should be used whenever possible “to shift the burden of memory management from the developer to the programming language’s built-in safety features.” They added that developers should never disable or override memory safety guarantees in languages where it’s possible to do so, and that using a memory-safe language in one part of a software package will not fix memory-unsafe code in other libraries.
A phased transition plan for implementing memory-safe languages should be used for upgrading existing codebases while using technologies to limit memory vulnerabilities in existing code. “Ideally, this plan should include using memory-safe languages to develop new code and—over time and when feasible—transition their software’s most highly privileged/exposed code to memory-safe languages,” the agencies said.
Enable compiler flags that implement compile time and runtime protections against buffer overflows to the extent that application performance allows, and “implement canaries that alert if an overflow occurs.”
Conduct unit tests with an instrumented toolchain such as AddressSanitizer and MemorySanitizer that checks source code for buffer overflows and other memory safety issues.
Perform adversarial product testing that includes static analysis, fuzzing, and manual reviews to ensure code safety and quality throughout the development lifecycle.
Publish a memory-safety roadmap that outlines plans to develop new products with memory-safe languages and to migrate older ones based on risk.
Conduct root cause analysis of past vulnerabilities, including buffer overflows, to identify patterns. “Where possible, take actions to eliminate entire classes of vulnerabilities across products, rather than the superficial causes,” the agencies said.
The alert said eliminating buffer overflow vulnerabilities “can help reduce the prevalence of other memory safety issues, such as format string, off-by-one, and use-after-free vulnerabilities.”
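The length-check wraparound pattern the alert associates with CVE-2022-0185 (CWE-190) is easier to see next to its bounded fix. The following is an added illustration, not code from the alert or from the Linux kernel; the function names, the 256-byte limit and the two reserved bytes are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for the demonstration (an assumption, not a
 * value from the alert). Two bytes are reserved for a separator the
 * caller appends and for the NUL terminator. */
#define PARAM_MAX 256

/* Naive length check of the kind behind CWE-190 (Integer Overflow or
 * Wraparound). size_t arithmetic wraps: for len near SIZE_MAX,
 * len + 2 becomes a small number, the check passes, and a following
 * memcpy of len bytes would overrun the buffer. Kept only to show the
 * defect next to its fix; never use it. */
int length_ok_naive(size_t len)
{
    return len + 2 <= PARAM_MAX;
}

/* Hardened check: the subtraction is applied to the constant, so no
 * arithmetic on the untrusted value can wrap. */
int length_ok_safe(size_t len)
{
    return len <= PARAM_MAX - 2;
}

/* Copies an untrusted parameter into a caller-provided buffer and
 * NUL-terminates it, refusing anything that would not fit together
 * with the two reserved bytes. Returns 0 on success, -1 on rejection. */
int copy_param(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL)
        return -1;
    if (dst_size < 2 || src_len > dst_size - 2)  /* cannot wrap */
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Stand-alone demonstration. Build with the hardening the alert asks
 * for, so that any overrun that does slip through is caught at compile
 * time or at runtime, e.g.:
 *   gcc -O2 -Wall -Wextra -Wstringop-overflow -D_FORTIFY_SOURCE=2 \
 *       -fstack-protector-strong demo.c -o demo
 * and add -fsanitize=address for the unit-test build. */
int main(void)
{
    char buf[PARAM_MAX];
    const char *param = "source=/dev/vda";   /* constructed sample input */
    size_t hostile = SIZE_MAX - 1;           /* constructed hostile length */

    printf("naive check on SIZE_MAX-1: %s\n",
           length_ok_naive(hostile) ? "PASSES (bug)" : "rejects");
    printf("safe  check on SIZE_MAX-1: %s\n",
           length_ok_safe(hostile) ? "passes" : "rejects (correct)");

    if (copy_param(buf, sizeof buf, param, strlen(param)) == 0)
        printf("copied: %s\n", buf);
    return 0;
}
```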
Conclusion
Because buffer overflow vulnerabilities serve as an initial entry point for attackers into a network, the importance of preventing them can’t be overstated. Development teams would be wise to implement CISA and the FBI’s advice to the maximum extent possible.
Customers also have a role to play by demanding memory-safe documentation from suppliers. But they also shouldn’t neglect basic cybersecurity practices for the eventual vulnerabilities that will slip past even the most vigilant development teams. Zero trust, risk-based vulnerability management, segmentation, tamper-proof backups and network and endpoint monitoring are all critically important practices for limiting the damage from any cyberattacks that do occur.
FBI, CISA Urge Memory-Safe Practices for Software Development, 2025-02-14
Welcome to this week’s edition of the Threat Source Newsletter.
Love is in the air this week. Wait, is that love? Or is it some tech bro with a housing development company (that would totally love to meet in person but can’t this week) emailing you about an investment opportunity in his cryptocurrency scheme?
You may be seeing a lot of ‘Beware of romance/pig butchering scams’ articles around Valentine’s Day. This isn’t really one of those. Although, if said tech bro initiates a course of love bombing mixed in with wire transfer requests, report that dude quicker than the Road Runner declares “meep meep”.
I recently came across an article on The Hacker News that talked about how Interpol is pushing for a “linguistic shift” when it comes to pig butchering scams. They’re advocating for the term to be replaced by ‘romance baiting’.
In a statement, Interpol explained their reasoning:
“The term ‘pig butchering’ dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities,”
Pig butchering originates from a Chinese phrase. Its meaning is derived from “fattening a pig before the slaughter”. When we put that in the context of online scams, the emphasis is on the victim, with some not so nice connotations (and a certain sense of inevitability attached to it).
By flipping the script and renaming pig butchering as romance baiting, Interpol suggests this could have a positive effect on the psychological nature of being targeted:
“Words matter. We’ve seen this in the areas of violent sexual offences, domestic abuse, and online child exploitation. We need to recognize that our words also matter to the victims of fraud,” INTERPOL Acting Executive Director of Police Services Cyril Gout said.
“It’s time to change our language to prioritize respect and empathy for the victims, and to hold fraudsters accountable for their crimes.”
I wholeheartedly agree. Victim blaming only causes more harm. The more we can do to encourage people to report perpetrators, without feeling a sense of shame, the better.
What do you think? Will you be changing the narrative the next time you talk about romance scams? Are there any other terms in our industry that potentially put more focus on the victim than the adversary?
Newsletter reader survey
We want your feedback! Tell us your thoughts and five lucky readers will receive Talos Swag boxes.
In the latest Talos Vulnerability Deep Dive, the team picked out something that had caught their attention during an earlier investigation of the macOS printing subsystem: the IPP over USB specification, which defines how printers that are only available over USB can still support network printing via the Internet Printing Protocol (IPP). In this new investigation, Talos looked at how other operating systems handle the same functionality.
The result? Some pretty good news, actually. Although the potential vulnerability Talos discusses in this article is very real, mitigating circumstances make it less severe: the vulnerability is caught and rendered unexploitable by modern compiler features, and we are highlighting this as a rare win.
Why do I care?
We often hear of all the failings of software, vulnerabilities, and mitigation bypasses, and we felt we should take this opportunity to highlight the opposite. In this case, modern compiler features (static analysis via -Wstringop-overflow and a strong mitigation via FORTIFY_SOURCE) saved the day.
So now what?
The modern compiler features detailed above should always be enabled by default. Additionally, those compiler warnings are only useful if someone actually reads them. Check out this excellent write up of the vulnerability, and the proof of concept.
Top security headlines of the week
Lawmakers unite to push forward Cyber Force: “A group of House lawmakers are working to keep the idea of creating a Cyber Force at the Pentagon a top cyber policy topic on Capitol Hill this year.” (Politico)
Authorities Disrupt 8Base Ransomware: “The 8Base ransomware group’s infrastructure has been disrupted and leaders have been arrested in an international law enforcement operation, Europol announced.” (Security Week)
Magecart Attackers Abuse Google Ad Tool to Steal Data: “Attackers are smuggling payment card-skimming malicious code into checkout pages on Magento-based e-commerce sites by abusing the Google Tag Manager ad tool.” (Dark Reading)
Changing the narrative on pig butchering scams, 2025-02-13
Cybercriminals around the world keep honing their schemes to steal accounts in WhatsApp, Telegram, and other popular messaging apps – and any of us could fall for their scams. Only by becoming a victim of such an attack can you fully appreciate how vital a tool instant messaging has become, and how diverse the damage from hacking a WhatsApp or Telegram account may be. But better not to let it come to that, and to learn to recognize key hijacking scams in order to prevent them in time.
Why hijack your WhatsApp or Telegram account?
A stolen account can be appealing because of its content, access rights, or simply the fact that it’s verified, linked to a phone number, and has a good reputation. Having stolen your Telegram or WhatsApp account, cybercriminals can use it in a variety of ways:
To send spam and phishing messages on your behalf to all your contacts – including private channels and communities.
To write sob stories to all your friends asking for money. Worse yet – to use AI to fake a voice or video message asking for help.
To steal accounts from your friends and family by asking them to vote in a contest, “gifting” them a fake Telegram Premium subscription, or employing some other fraudulent scheme – of which there are many. Coming from someone the recipient knows, messages like this tend to inspire greater trust.
To hijack a Telegram channel or WhatsApp community you manage.
Due to this variety of applications, criminals need new accounts all the time, and anyone can become a victim.
WhatsApp, Telegram, and QQ quishing
Scammers used to steal accounts by tricking people into giving them text verification codes (required to log in), or by intercepting these codes. But since this method is no longer as effective, the focus has shifted to trying to link an additional device to the victim’s account. This works best when using phishing schemes based on QR codes – known as quishing.
Attackers either put up their own ads or carefully stick malicious QR codes on top of someone else’s to overlay the legitimate code. They can also print a QR code on a flyer and drop it in a mailbox, post it on a social network or website, or simply send it by email. The pretext can be anything: an invitation to join a neighborhood chat; connect to an office, campus, or school community; download a restaurant menu or claim a discount; or view cinema showtimes or extra information on movies and other events.
The code alone can’t cause your account to be hijacked, but it can lure you to a scam website containing detailed instructions telling you where to click in the messaging app, and what to do after that. The site shows you another, dynamically generated, QR code, which the attackers’ server requests from WhatsApp or Telegram when it asks the service to link a new device to your account. And if you, determined to enjoy every benefit civilization has to offer, decide that another code won’t hurt and follow the instructions, then the device used by the attackers will get access to all your data in the app. In fact, you can see it in the “Devices” or “Linked devices” sections of Telegram or WhatsApp, respectively. However, this attack is designed for those who aren’t very familiar with messaging app settings, and who might not check such submenus regularly. Incidentally, users of QQ, China’s most popular messaging app, are also targeted by similar attacks.
Malicious polls, fraudulent gifts, and girls… undressing
Aside from QR codes, scammers may also attack you by sending seemingly harmless links, such as those for “people’s choice” votes, instant lotteries, or giveaways. On Telegram, they like to mimic the interface used for receiving a Premium subscription as a gift.
Typically, you get to such pages through messages from friends or acquaintances whose accounts have already been compromised by the same scammers. The homepage is always full of catchy phrases like “vote for me” and “claim your gift”.
A variation on the scam involves messages from a “messaging app security service”. You might get contacted by someone using a name like “Security” or “Telegram security team”. They offer to protect your data by transferring your account to a “secure” account, which supposedly requires clicking a link and enabling “advanced security options”.
Lastly, you could get an ad for a service or bot that offers something useful or fun – like an AI chatbot or a… nude generator.
There’s another potential scam scenario for Telegram: since 2018, the service has offered website owners authentication of visitors using the Telegram Login Widget. It’s a real, functioning system, but scammers take advantage of the fact that few people know how this authentication is supposed to work – replacing it with a phishing page to steal information.
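What the legitimate Login Widget flow looks like on the website's side, as an added example (not code from the original article or from Telegram): the site never asks the visitor for a code; it receives signed user fields from Telegram and checks the signature with a secret derived from its own bot token, following Telegram's documented scheme (HMAC-SHA256 over the sorted fields, keyed with SHA256 of the bot token). The bot token and the sample user are constructed for the demo; the `simulate_telegram_callback` helper only stands in for Telegram's side so the check can be exercised offline.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed bot token for the demo; a real one is issued by @BotFather and must stay server-side.
BOT_TOKEN = "123456:DEMO-TOKEN-NOT-REAL"


def data_check_string(fields: Dict[str, str]) -> str:
    """Build the string Telegram signs: every received field except 'hash',
    formatted as key=value, sorted by key and joined with newline characters."""
    return "\n".join(f"{key}={fields[key]}" for key in sorted(fields) if key != "hash")


def login_hash(bot_token: str, fields: Dict[str, str]) -> str:
    """HMAC-SHA256 of the data-check string, keyed with SHA256(bot_token).
    Telegram computes this value; the site recomputes it to check authenticity."""
    secret_key = hashlib.sha256(bot_token.encode("utf-8")).digest()
    message = data_check_string(fields).encode("utf-8")
    return hmac.new(secret_key, message, hashlib.sha256).hexdigest()


def verify_telegram_login(bot_token: str, fields: Dict[str, str],
                          max_age_seconds: int = 86400,
                          now: Optional[int] = None) -> bool:
    """Return True only if the payload carries a valid Telegram signature
    and its auth_date is recent enough (replay protection)."""
    received = fields.get("hash")
    if not isinstance(received, str):
        return False
    expected = login_hash(bot_token, fields)
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8")):
        return False
    try:
        auth_date = int(fields["auth_date"])
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    return 0 <= current - auth_date <= max_age_seconds


def simulate_telegram_callback(bot_token: str, user_fields: Dict[str, str]) -> Dict[str, str]:
    """Stand-in for Telegram's side: sign the user fields the way the widget does.
    Used only to produce test input; a real site never signs data for itself."""
    signed = dict(user_fields)
    signed["hash"] = login_hash(bot_token, signed)
    return signed


# Constructed sample user data (not a real Telegram account).
SAMPLE_USER = {"id": "424242", "first_name": "Alice",
               "username": "alice_demo", "auth_date": "1700000000"}

if __name__ == "__main__":
    payload = simulate_telegram_callback(BOT_TOKEN, SAMPLE_USER)
    print("genuine payload accepted:", verify_telegram_login(BOT_TOKEN, payload, now=1700000060))
    altered = dict(payload, id="1")  # a changed field no longer matches the signature
    print("altered payload accepted:", verify_telegram_login(BOT_TOKEN, altered, now=1700000060))
```

The point for a user is the mirror image of this check: because the signature is produced by Telegram and verified by the site, a page that instead asks you to type a phone number and a one-time code, or to scan a QR code, is not performing Login Widget authentication at all.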
In any of these scenarios, once you’re through the enticing landing page, you’ll be asked to “sign in to your messaging app”. This procedure might involve scanning a QR code or simply entering your phone number and the OTP code on the website. This part of the website is typically disguised as a standard WhatsApp or Telegram authentication interface – creating the illusion that you’ve been redirected to the official website for login. In reality, the entire process is happening on the attackers’ own site. If you comply and enter the data or scan the code, cybercriminals will immediately gain control of your messaging app account. Your only reward? Some kind of thank-you message, like “your premium subscription will activate within 24 hours” (it won’t; who knew?!).
Hacking a smartphone with a fake WhatsApp or Telegram app
An old yet still effective way to hijack accounts is by using trojanized mods; that is – modified versions of messaging apps. This threat is especially relevant for Android users. You can come across ads touting “improved” versions of popular messaging apps on forums, in group chats, or simply in search results. WhatsApp mods often promise the ability to read deleted messages and see the statuses of those who hid them, while Telegram fans are promised free Premium features.
Downloading and installing a mod like this infects your phone with malware that can steal the messaging account along with all the other data on the device. Interestingly, Android users can encounter spyware-infected mods even in the “holy of holies”: the official Google Play store.
What happens to a hijacked Telegram or WhatsApp account?
The fate of your hijacked account depends on the attackers’ intentions. If their goal is espionage or blackmail, they’ll just quickly download all your chats for analysis, and you may not notice anything at all.
If cybercriminals want to send fraudulent messages to your contacts, they’ll immediately delete sent messages by using the “delete for me only” feature to make sure you don’t notice anything for as long as possible. However, sooner or later, you’ll start receiving messages from surprised, outraged, or simply vigilant friends, or you yourself will notice traces of an unauthorized presence.
Another consequence of hacking may be the messaging service’s reaction to the spam. If recipients report your messages, your account may become restricted or blocked – preventing you from sending messages for several hours or days. You can appeal the restrictions by using a special button, such as “Request a Review” in the message from the moderators, but it’s best to first ensure that you have exclusive control over your account and wait at least a few hours afterward.
Telegram treats all devices linked to an account equally, which means scammers can take over your entire account and kick you out by disconnecting all your devices. However, to do this, they’d need to remain logged in unnoticed for a whole day: Telegram has a 24-hour waiting period before one can log out other devices from a newly connected account. If you’ve been locked out of your own Telegram account, read our detailed recovery guide.
On WhatsApp, the first device you use to log in to your account becomes the primary one, and other devices are secondary. This means hackers can’t pull off that trick there.
How to protect yourself from WhatsApp and Telegram account hijacking
You can find detailed instructions on how to secure your Telegram, WhatsApp, Signal, and Discord in our separate guides. Let’s go over the general principles again:
Be sure to enable two-factor authentication (also variously known as “cloud password” or “two-step verification”) in the messaging app, and use a long, complex, and unique password or passphrase.
On WhatsApp, you can choose a passkey instead of a password. This protection is more reliable.
Avoid taking part in giveaways and lotteries. Don’t accept gifts that you didn’t expect – especially if you need to log in to some websites through the messaging app to receive them.
Learn how legitimate authorization through Telegram looks, and immediately close any websites that look different. To put it simply, during a legitimate authorization process, all you need to do is click the “Yes, I want to go to such-and-such website” button within the Telegram chat with the bot. No scanning or entering of codes is required.
Check your WhatsApp and Telegram settings regularly to see what devices are connected. Disconnect any that look old or fishy.
Always use official messaging apps downloaded from trusted sources like Google Play or the App Store, Galaxy Store, Huawei AppGallery, and other major app stores.
Source article: Protecting WhatsApp and Telegram accounts from hacking and hijacking in 2025 | Kaspersky official blog (2025-02-13)
ANY.RUN proudly presents Threat Intelligence Reports: investigative reports on cyber threats and attacks focused on delivering actionable insights to security professionals and decision makers.
Manually composed by our experienced analysts, the Reports provide data for threat monitoring and detection, incident mitigation and response, R&D, education, strategic planning and compliance.
These detailed attack overviews are based on comprehensive research of cyber threats, including malware, ransomware, phishing campaigns, and other malicious activities. APTs and cybercriminal groups are under special scrutiny as one of the most critical and persistent hazards to organizations and individuals.
How to Get TI Reports
Discover TI Reports at intelligence.any.run
TI Lookup’s paid customers get access to detailed reports with comprehensive intelligence data. For a wider audience, summaries on actors and threats are available. Some reports are also fully available for free.
TI Reports are founded on fresh real-world data about new and ongoing threats, handpicked and processed by ANY.RUN analysts. Our Interactive Sandbox, among other sources, provides us with a constantly filling community-powered collection of malware sample analyses.
Each report lets researchers dive deeper into any indicator or artifact with pre-created TI Lookup search queries to discover more relevant data.
Info You Can Find in TI Reports
Each report begins with the actor or vehicle overview and continues with its basic description: aims, origins, first-seens, targeted industries and countries. The description helps to grasp the scale and context of a threat, letting you understand its relevance to specific industries.
An example of a recent report
A list of TTPs used by the attackers contains their tactics, techniques and procedures, that is, the methods and tools that adversaries engage and combine in their campaigns. TTPs are followed by a collection of indicators associated with the threat or the group: indicators of compromise (IOCs), of behavior (IOBs) and of attack (IOAs).
TTPs and indicators are essential for setting up proactive cyber defense and are listed along with links to sandbox sessions showing them in action.
An example of a recent report, continued: data on IOCs
Last but not least, YARA and SIGMA rules are included for tuning the detection systems.
An example of a recent report, continued: YARA rules
References and links for wider research are integrated into report text, and more are added as an appendix.
Learn to Track Emerging Cyber Threats
Check out the expert guide to collecting intelligence on emerging threats with TI Lookup.
Benefits for SOC Teams
For security analysts and SOC teams, Threat Intelligence Reports fuel the critical measures involved in building and maintaining a robust cybersecurity infrastructure:
Enhanced Threat Detection: gather IOCs, IOBs, IOAs, and TTPs to tune monitoring and detection for SIEMs and firewalls; compose new rules and fine-tune existing ones.
Incident Response: use reports to understand the scope, impact, and nature of threats for reducing response time.
Proactive Defense: block known threats preemptively and prepare mitigations for similar attacks.
Threat Hunting: watch TTPs to look for similar behaviors that might indicate an attack before it unfolds.
Research and Development: add the Reports’ data to your sources for studying new or evolving malware.
Benefits for Businesses
For organization stakeholders and decision makers, TI Reports are a valuable resource for fulfilling security-related business goals and objectives:
Risk Assessment: understand the risk landscape better, see how threats might impact business operations, grasp risks specific to your industry or organization.
Strategic Decision Making: allocate security resources based on threat intelligence, align your budget with actual risks.
Strategic Planning: develop cybersecurity strategies and policies to protect business assets.
Compliance and Reporting: use Reports to signal due diligence in cybersecurity practices, your adequacy in threat monitoring and response.
Communication and IR: use Reports to explain the state of cybersecurity to non-technical stakeholders and to illustrate why certain investments or actions are necessary.
Reputation Management: if an incident does occur, manage the narrative around how it was handled.
Insurance and Legal: strengthen your position for insurance purposes or in legal scenarios with access to comprehensive threat intelligence: it can be beneficial in proving due diligence or in understanding the extent of a security incident.
Conclusion
Threat Intelligence Reports, as unique pieces of research crafted by ANY.RUN’s threat analysts with proactive approach to cyber attacks in mind, can assist both security teams in their everyday routine, and management in their strategic planning.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Source article: Threat Intelligence Reports: Get Fresh Research on the Latest Cyber Attacks and APTs (2025-02-13)
Cyble’s weekly industrial control system (ICS) vulnerability report to clients warned about internet-facing medical imaging and critical infrastructure asset management systems that could be vulnerable to cyberattacks.
The report examined six ICS, operational technology (OT), and Supervisory Control and Data Acquisition (SCADA) vulnerabilities in total, but it focused on two in particular after Cyble detected web-exposed instances of the systems.
Orthanc, Trimble Cityworks Vulnerabilities Highlighted by CISA
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued advisories alerting users to vulnerabilities in medical imaging and asset management products.
Orthanc is an open-source DICOM server used in healthcare environments for medical imaging storage and retrieval, while Trimble Cityworks is a GIS-centric asset management system used to manage all infrastructure assets for airports, utilities, municipalities, and counties.
In a February 6 ICS medical advisory, CISA said the Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled, which could result in unauthorized access by a malicious actor. The Missing Authentication for Critical Function vulnerability, CVE-2025-0896, has been assigned a CVSS v3.1 base score of 9.8, just below the maximum score of 10.0.
Orthanc recommends that users update to the latest version or enable HTTP authentication by setting "AuthenticationEnabled": true in the configuration file.
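A configuration audit for exactly this condition, as an added example (not code from the article, from Cyble or from the Orthanc project): the weak setting is shown beside the corrected one, and a small checker flags any configuration in which remote access is enabled without authentication being switched on explicitly, which is the CVE-2025-0896 exposure described above. The sample configurations are constructed; the `RemoteAccessAllowed` and `RegisteredUsers` keys are Orthanc configuration keys that the article does not mention, and the checker assumes a plain-JSON file (Orthanc's shipped template contains `//` comment lines, which are stripped before parsing).

```python
import json
from typing import Dict, List

# Constructed sample configurations, not taken from any real deployment.
# Before: remote access on, authentication left at its pre-1.5.8 default (off).
WEAK_CONFIG = """{
  "Name": "imaging-01",
  "RemoteAccessAllowed": true
}"""

# After: authentication switched on explicitly and at least one account defined.
HARDENED_CONFIG = """{
  "Name": "imaging-01",
  "RemoteAccessAllowed": true,
  "AuthenticationEnabled": true,
  "RegisteredUsers": { "pacs-reader": "REPLACE-WITH-STRONG-PASSWORD" }
}"""


def strip_full_line_comments(text: str) -> str:
    """Drop lines that are only a // comment (Orthanc's template config has many).
    Inline comments and /* */ blocks are not handled here; pre-clean those by hand."""
    return "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("//"))


def audit_orthanc_config(cfg: Dict) -> List[str]:
    """Return findings for the exposure described in CVE-2025-0896:
    remote access enabled while HTTP authentication is not explicitly on."""
    findings: List[str] = []
    remote = cfg.get("RemoteAccessAllowed", False) is True
    auth = cfg.get("AuthenticationEnabled")      # None when the key is absent
    users = cfg.get("RegisteredUsers") or {}
    if remote and auth is not True:
        findings.append(
            'RemoteAccessAllowed is true but "AuthenticationEnabled": true is not set '
            "(CVE-2025-0896 condition on Orthanc versions before 1.5.8)")
    if remote and auth is True and not users:
        findings.append(
            "AuthenticationEnabled is true but RegisteredUsers is empty; define accounts")
    return findings


def audit_orthanc_config_text(text: str) -> List[str]:
    """Parse an Orthanc configuration file's text and audit it."""
    return audit_orthanc_config(json.loads(strip_full_line_comments(text)))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_orthanc_config_text(text) or ["no findings"])
```

Run it against the JSON the server actually loads rather than a copy: the article's point is that the unsafe combination is the default, so an absent `AuthenticationEnabled` key counts as a finding, not as unknown.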
Cyble provided a publicly accessible search query for its ODIN vulnerability search tool, which users can use to find potentially vulnerable instances.
“This flaw requires urgent attention, as Cyble researchers have identified multiple internet-facing Orthanc instances, increasing the risk of exploitation,” the Cyble report said. “The exposure of vulnerable instances could allow unauthorized access to sensitive medical data, manipulation of imaging records, or even unauthorized control over the server. Given the high stakes in healthcare cybersecurity, immediate patching to version 1.5.8 or later, along with restricting external access, is strongly recommended to mitigate potential threats.”
CVE-2025-0994 is an 8.6-rated Deserialization of Untrusted Data in Trimble Cityworks that was reported to CISA by Trimble, which quickly patched the vulnerability and issued mitigation guidance. CISA issued an advisory on the vulnerability, which affects Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10, and also added the vulnerability to CISA’s Known Exploited Vulnerabilities catalog.
Cyble provided an ODIN search query for users to check for exposed Cityworks instances and a hash query for ODIN subscribers.
Recommendations for Mitigating ICS Vulnerabilities
Cyble recommends several important controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include:
Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management reduces the risk of exploitation.
Implementing a Zero-Trust Policy to minimize exposure and ensure that all internal and external network traffic is scrutinized and validated.
Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency.
Proper network segmentation can limit an attacker’s potential damage and prevent lateral movement across networks. This is particularly important for securing critical ICS assets, which should not be exposed to the Internet if possible and properly protected if remote access is essential.
Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors.
Establishing and maintaining an incident response plan and ensuring that it is tested and updated regularly to adapt to the latest threats.
All employees, especially those working with Operational Technology (OT) systems, should be required to undergo ongoing cybersecurity training programs. The training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations.
Conclusion
These vulnerabilities show the danger that medical and critical infrastructure system vulnerabilities can pose to patients, utilities, airports, and other sensitive environments. The organizations and CISA responded rapidly in these cases, but now users must do the same and ensure that the systems are patched and properly protected.
Regardless of the sector, staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls can limit risk. This includes limiting internet exposure and properly protecting assets that must be accessed remotely.
To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape.
Source article: Cyble Warns of Exposed Medical Imaging, Asset Management Systems (2025-02-13)
In a recent update to its Known Exploited Vulnerabilities Catalog, the Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities that are currently under active exploitation. These vulnerabilities span across multiple platforms and pose substantial security risks for both organizations and individual users.
The vulnerabilities identified in CVE-2024-40891, CVE-2024-40890, CVE-2025-21418, and CVE-2025-21391 can be exploited with relative ease if security updates are not applied promptly. Users and organizations should follow the guidance provided by vendors like Zyxel and Microsoft, ensuring that their systems are updated regularly to address the latest security flaws.
For organizations relying on Zyxel DSL routers or Windows-based systems, it is crucial to assess the exposure to these vulnerabilities and take immediate steps to update firmware or software versions.
Details of the Vulnerabilities and Active Exploitation
CVE-2024-40891 and CVE-2024-40890: Critical Command Injection Vulnerabilities in Zyxel DSL Routers
The two vulnerabilities—CVE-2024-40891 and CVE-2024-40890—are related to a series of Command Injection Vulnerabilities affecting Zyxel DSL CPE devices. Specifically, these vulnerabilities affect the Zyxel VMG4325-B10A router model running firmware version 1.00(AAFR.4)C0_20170615.
Both vulnerabilities share a common thread: they allow authenticated attackers to execute arbitrary operating system (OS) commands on the affected devices via Telnet (CVE-2024-40891) or a crafted HTTP POST request (CVE-2024-40890). This puts devices at high risk of being compromised by threat actors who can exploit these weaknesses to gain control of the affected systems.
According to the official Zyxel advisory, both vulnerabilities have been assigned a CVSS severity score of 8.8 (High). These flaws stem from improper neutralization of special elements used in OS commands (CWE-78: Improper Neutralization of Special Elements used in an OS Command). Once successfully exploited, the vulnerabilities could allow attackers to bypass authentication and execute malicious OS commands, effectively compromising the security of the devices.
Zyxel has issued advisories urging users to update their firmware to mitigate these vulnerabilities. Devices using older firmware versions are especially at risk. The active exploitation of these vulnerabilities could lead to severe consequences, such as unauthorized access, data breaches, or complete system takeovers.
CVE-2025-21418: Windows Ancillary Function Driver Buffer Overflow Vulnerability
The third vulnerability in the catalog, CVE-2025-21418, is related to a Heap-based Buffer Overflow in the Windows Ancillary Function Driver for WinSock. This vulnerability affects various Windows operating systems, including Windows 10 (version 1809 and newer) and Windows Server editions, and could allow an attacker to elevate their privileges on the system.
Exploiting this flaw, cybercriminals can gain higher privileges, potentially leading to system compromise. The CVE has been assigned a CVSS score of 7.8, marking it as high severity. The vulnerability arises from improper handling of buffers, specifically during the interaction between the Windows Ancillary Function Driver and WinSock.
Windows users and organizations are encouraged to install security updates to mitigate this threat. If left unpatched, the vulnerability could allow attackers to perform malicious actions that compromise system integrity and confidentiality.
CVE-2025-21391: Windows Storage Link Following Vulnerability
Finally, CVE-2025-21391, a Windows Storage Elevation of Privilege Vulnerability, has been added to the CISA catalog. This vulnerability is tied to an issue in Windows Storage where the system improperly resolves links before accessing files. Known as link following (CWE-59), this vulnerability allows an attacker to perform elevation of privilege attacks, potentially granting them access to files and resources they should not have access to.
This vulnerability affects multiple versions of Windows, including Windows 10, Windows Server 2019, and Windows 11. With a CVSS score of 7.1, this vulnerability is considered moderately severe but still presents cybersecurity risks if left unaddressed. Attackers exploiting this vulnerability can manipulate file access controls to gain higher-level privileges and access critical system components.
Conclusion
The inclusion of CVE-2024-40891, CVE-2024-40890, CVE-2025-21418, and CVE-2025-21391 in CISA’s Known Exploited Vulnerabilities Catalog highlights the ongoing risk of cyberattacks exploiting vulnerabilities in widely used systems. Command injection, buffer overflows, and improper link resolution remain common attack vectors. Organizations must stay vigilant, apply patches promptly, and prioritize security to prevent data breaches and system compromises.
Cyble, with its AI-driven cybersecurity platforms, helps businesses stay protected at all times by providing proactive threat intelligence and real-time vulnerability monitoring. Staying informed and prepared is essential to protecting sensitive data from cyber risks.
Source article: CISA Updates Known Exploited Vulnerabilities Catalog with Four Critical Issues (2025-02-13)
BTMOB RAT is an advanced Android malware evolved from SpySolr that features remote control, credential theft, and data exfiltration.
It spreads via phishing sites impersonating streaming services like iNat TV and fake mining platforms.
The malware abuses Android’s Accessibility Service to unlock devices, log keystrokes, and automate credential theft through injections.
It uses WebSocket-based C&C communication for real-time command execution and data theft.
BTMOB RAT supports various malicious actions, including live screen sharing, file management, audio recording, and web injections.
The Threat Actor (TA) actively markets the malware on Telegram, offering paid licenses and continuous updates, making it an evolving and persistent threat.
Overview
On January 31, 2025, Cyble Research and Intelligence Labs (CRIL) identified a sample, lnat-tv-pro.apk (13341c5171c34d846f6d0859e8c45d8a898eb332da41ab62bcae7519368d2248), being distributed via a phishing site “hxxps://tvipguncelpro[.]com/” impersonating iNat TV, an online streaming platform from Turkey, posing a serious threat to unsuspecting users.
Figure 1 – Phishing site distributing this malicious APK file
On VirusTotal, the sample was flagged by Spysolr malware detection, which is based on Crax RAT, developed by the Threat Actor EVLF. During our analysis, we also checked the official Spysolr Telegram channel, where the TA announced a new project called “BTMOB RAT.”
Figure 2 – BTMOB RAT announcement on the SpySolr Telegram Channel
The malware sample downloaded from the phishing site demonstrated typical RAT behavior, establishing a WebSocket connection with a Command and Control (C&C) server at hxxp://server[.]yaarsa.com/con. The request body revealed the “BTMOB” string along with version number “BT-v2.5”, confirming that the sample is indeed the latest version of BTMOB RAT.
Figure 3 – Request body containing the reference of a BTMOB String
Through their Telegram channel, the TA has been advertising BTMOB RAT, highlighting its capabilities, including live screen control, keylogging, injections, lock feature, and collecting various data from infected devices. The actor is offering a lifetime license for $5,000 (in a one-time payment) with an additional $300 per month for updates and support for the latest version of this malware.
Figure 4 – BTMOB RAT advertisement on the Threat Actor’s Telegram channel
Since late January 2025, we have identified approximately 15 samples of BTMOB RAT (v2.5) in circulation. Earlier variants, active since December 2024, were associated with SpySolr malware, which communicated with hxxps://spysolr[.]com/private/SpySolr_80541.php.
The latest BTMOB RAT version exhibits a similar C&C structure and codebase, indicating that it is an upgraded version of SpySolr malware.
Like many other Android malware variants, the BTMOB RAT leverages the Accessibility service to carry out its malicious actions. The following section provides a detailed overview of these activities.
Technical Details
Upon installation, the malware displays a screen urging the user to enable the Accessibility Service. Once the user turns on the Accessibility Service, the malware proceeds to grant the requested permissions automatically.
Figure 5 – Prompting the victim to grant Accessibility Service access
Meanwhile, the malware connects to the C&C server at “hxxp://78[.]135.93.123/yaarsa/private/yarsap_80541.php,” which follows a structure similar to the Spysolr malware. Once connected, it initiates a WebSocket connection for server-client communication and transmits JSON data containing the device ID (pid), BotID (idf), connection type (subc), and a message (msg).
The image below illustrates the “join” connection type request sent to the server, after which the client receives a “Connected” response with the “type” value in JSON.
Figure 6 – WebSocket Connection
Over the course of our analysis, we observed that the malware receives 5 different responses for the “type” value, as listed below:
Type                  Description
proxy                 Establishes another WebSocket connection
stop                  Stops activity based on the server response
join                  Sends a join message along with the device ID and bot ID
com                   The malware receives various commands through this response type
connected             The server sends this response upon successful connection establishment
Unauthorized access   The server sends this response when the client fails to register the device
After successfully establishing a WebSocket connection, the malware transmits device-related information, including the device name, OS version, model, battery status, wallpaper, malicious app version number, and the status of malicious activities such as key logs, visited apps, visited links, notifications, and other activities.
Figure 7 – Sending device information to the TA’s server
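Detection logic built from the indicators the report has given so far, as an added example (not code from the original report or from Cyble): it refangs the three C&C URLs quoted above, extracts their hosts, and scans constructed (host, body) captures for the registration JSON keys (pid, idf, subc, msg), the "BTMOB"/"BT-v2.5" marker, and contact with a known C&C host. The regex assumes the "BTMOB" marker and the version string occur together in one body, which is what the report describes but not something it guarantees; the sample captures and their values are made up.

```python
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# C&C URLs exactly as defanged in the report text.
REPORT_C2_URLS = [
    "hxxp://server[.]yaarsa.com/con",
    "hxxp://78[.]135.93.123/yaarsa/private/yarsap_80541.php",
    "hxxps://spysolr[.]com/private/SpySolr_80541.php",
]

# JSON keys the report names in the registration ("join") message.
REGISTRATION_KEYS = {"pid", "idf", "subc", "msg"}

# Assumption: the "BTMOB" marker and a "BT-v<version>" string appear together in the body.
BTMOB_BANNER = re.compile(r"\bBTMOB\b.*?\bBT-v\d+(?:\.\d+)*", re.S)


def refang(ioc: str) -> str:
    """Turn a defanged indicator into a parseable URL (hxxp -> http, [.] -> .)."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.I)


KNOWN_C2_HOSTS = {urlparse(refang(url)).hostname for url in REPORT_C2_URLS}


def classify_request(host: str, body: str) -> List[str]:
    """Return the BTMOB indicators matched by one captured request."""
    hits: List[str] = []
    if host.lower() in KNOWN_C2_HOSTS:
        hits.append(f"known BTMOB/SpySolr C&C host: {host}")
    if BTMOB_BANNER.search(body):
        hits.append("BTMOB version banner in body")
    try:
        obj = json.loads(body)
    except ValueError:
        obj = None
    if isinstance(obj, dict) and REGISTRATION_KEYS <= set(obj):
        hits.append(f"BTMOB registration JSON (subc={obj['subc']!r})")
    return hits


def is_likely_btmob(host: str, body: str) -> bool:
    """Require two independent indicators: the banner alone also appears in
    benign text such as a blog post quoting the report."""
    return len(classify_request(host, body)) >= 2


def scan_captures(captures: List[Tuple[str, str]]) -> Dict[int, List[str]]:
    """Scan (host, body) pairs; return only the captures that matched something."""
    results: Dict[int, List[str]] = {}
    for index, (host, body) in enumerate(captures):
        hits = classify_request(host, body)
        if hits:
            results[index] = hits
    return results


# Constructed sample captures (values are made up; the JSON keys follow the report).
SAMPLE_CAPTURES = [
    ("api.example-weather.com", '{"event": "ping", "ts": 1700000000}'),
    ("server.yaarsa.com",
     '{"pid": "dev-0001", "idf": "bot-77", "subc": "join", "msg": "BTMOB BT-v2.5"}'),
    ("cdn.example.net", "BTMOB is mentioned in this blog post, version BT-v2.5"),
]

if __name__ == "__main__":
    for index, hits in scan_captures(SAMPLE_CAPTURES).items():
        host, body = SAMPLE_CAPTURES[index]
        print(f"capture {index} ({host}): likely={is_likely_btmob(host, body)}")
        for hit in hits:
            print("   ", hit)
```

Host matching should run on the SNI or Host header the proxy recorded, not on the URL string in the body, and the IP-based host is the weakest of the three indicators since hosting changes between variants, as the move from the SpySolr URL to the yaarsa.com one already shows.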
The malware receives commands from the server using the “com” response type. The first command it received was “optns.” Along with this command, the server transmits the activity status to be initiated, which the malware then stores in a shared preference file.
Figure 8 – “optns” command
Our analysis revealed that the malware receives a total of 16 commands from the server, each of which is listed below, along with its description.
Command   Description
optns     Gets the action status used to enable malicious activities
fetch     Collects the file named in the response, or the device phone number, depending on the sub-command
brows     Loads a URL into the WebView and performs actions based on JavaScript
lock      Receives the lock PIN and other lock-related details and saves them to the Shared Preference variable
ject      Manages injection
file      Manages file operations
clip      Collects clipboard content
chat      Displays a window with the message received from the server, reads the reply entered in the edit field, and sends it to the server
wrk       Receives additional commands to perform other activities such as collecting SMS, contacts, location, and files, managing audio settings, launching an activity, and many others
srh       Searches for a file
mic       Records audio
add       Gets all collected data, including keylogs, active injections, links, device information, wallpaper, and SIM information
bc        Opens an alert window or displays a notification with the message received from the server
upload    Downloads injection files
screen    Handles live screen activity
scread    Collects content from the screen
brows Command
The primary function of this command is to load a URL or HTML content into the WebView and execute actions like collecting input, clicking, and scrolling using JavaScript.
When the malware receives a “brows” command, the server sends additional parameters within a JSON object, including “ltype” and “extdata”. The “ltype“ parameter dictates specific actions for the malware, such as loading a URL or HTML code into the WebView, keeping a record of visited websites, along with timestamps and input data, and transmitting the collected data, as illustrated in Figures 9 and 10.
Figure 9 – “ltype” actions
Figure 10 – Loading HTML code or URL into WebView
Once the malware loads a URL or HTML code into the WebView, it runs JavaScript to collect user-entered data from the webpage. The extracted information, which may include sensitive details like login credentials, along with the date and website link, is then stored in a JSON object.
Once the data is collected, it is saved in a map variable and later transmitted to the C&C server when the malware receives the “lp” value through the “ltype” parameter.
Figure 11 – Using JavaScript to get input details
The malware can receive additional commands through the “extdata” parameter, which includes actions such as scrolling, clicking, entering text, navigating, and loading another URL.
The “text” and “enter” actions are executed using JavaScript, while navigation, scroll, and other movement-based actions are carried out using Motion events.
Figure 12 – Additional actions performed via the “extdata” parameter
This feature enables the malware to steal login credentials while also providing various options to automate the credential theft process.
screen Command
When the malware initially receives the “optns” command, it checks the live screen activity status to determine whether to proceed. Based on this status, the malware then initiates screen capture using Media Projection.
Figure 13 – Screen capturing using Media Projection
To perform live actions, the malware receives the command “screen” along with different actions as listed below:
L: With this action, the malware receives a “lock” value, determining whether to lock or unlock the device. It checks the lock type (PIN, password, or pattern) and unlocks the device accordingly.
Figure 14 – lock/unlock function
If the device is locked with a password, the malware retrieves the saved password from the “mob_lck” shared preference variable, which was previously extracted during “LockActivity”. It then enters the password using “ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE”, as shown in the figure below.
Figure 15 – Unlocks device using the password
If the device is locked with a pattern or PIN, the malware retrieves the pattern coordinates or PIN digits and uses the dispatchGesture API to either draw the pattern or simulate taps on the PIN keypad to unlock the device.
Figure 16 – Unlocks device using lock pattern
Q: Receives the compression quality number to control the quality of the captured screen content.
kb: Controls the keyboard state.
mov: Moves the cursor on the screen using the specified x and y coordinates.
nav: Executes navigation actions such as returning to the home screen, switching to recent apps, or going back.
vol: Adjusts the device’s audio volume.
snap: Captures a screenshot.
block: Displays a black screen to conceal live screen activity from the victim.
paste: Gets text from the server and enters it using “ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE”.
sklecolor: Receives a color code to change the color of the rectangular boundaries drawn via the Accessibility Service API.
skilton: Turns on the service responsible for capturing screen content.
ject Command
The malware utilizes the “ject” command to manage injection activities, including removing the injection list, collecting extracted data during injection, and deleting the extracted injection data from the device.
Figure 17 – ject command operation
The malware maintains an ArrayList “d” to store target application package names, injection paths, and data collected from injection activities. It uses the “upload” command to download an injection ZIP file into the “/protected” directory. The ZIP file is then extracted, and its contents are saved using the “jctid” filename received from the server.
Figure 18 – Downloading injection files
The malware retrieves the package name of the currently running application and checks if it exists in its list. If a match is found, it loads the corresponding injection HTML file from the “/protected” directory and launches “WebInjector.class” to execute the injection.
Figure 19 – Initiating injection activity
The WebInjector class loads the injected HTML phishing page into a WebView. When the user enters their credentials on this fake page, the malware captures the input and sends it to the C&C server.
Figure 20 – Loading HTML injection page into the WebView
wrk Command
When the malware receives a “wrk” command, it also gets a parameter called “cmnd”, which includes additional instructions for executing various malicious activities.
Figure 21 – Receiving additional commands via the “wrk” command
This command enables the malware to perform various malicious activities, including:
Managing files (deleting, renaming, creating, encrypting, or decrypting).
Terminating services.
Taking screenshots.
Stealing images.
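The command vocabulary described above (the “ltype”/“lp” and “extdata” parameters of the WebView credential-theft feature, the “screen” actions, the “ject”/“jctid”/“upload” injection commands, and “wrk” with its “cmnd” parameter) is useful on the defender's side as a triage signature for WebSocket traffic captured from a sandboxed device. The following Python script is an added example; it is not code from the report or from the malware. The report does not describe the wire format, so the script assumes each captured frame decodes to a JSON object and matches the known parameter names and action tokens wherever they appear; the sample frames are constructed for illustration.

```python
"""
Triage of captured C&C frames for BTMOB-style command traffic.

Added example, not from the original report or the malware. Assumptions:
  - each captured WebSocket frame is a JSON object (flat or nested);
  - the parameter names and action tokens below are matched wherever they
    occur as keys or string values, since the report does not give the layout.
Only the names themselves ("ltype"/"lp", "extdata", "screen" actions, "ject",
"jctid", "upload", "wrk"/"cmnd", "optns") come from the report.
"""
import json
from dataclasses import dataclass, field

# Parameter names the report attributes to the operator -> implant channel.
COMMAND_KEYS = {"ltype", "extdata", "cmnd", "jctid", "optns"}

# Top-level command names from the report (accepted as keys or values).
TOP_COMMANDS = {"screen", "ject", "wrk", "upload"}

# Action vocabulary from the report, grouped by the behaviour it drives.
COMMAND_FAMILIES = {
    "webview_credential_theft": {"lp", "text", "enter"},
    "remote_screen_control": {"screen", "L", "Q", "kb", "mov", "nav", "vol",
                              "snap", "block", "paste", "sklecolor", "skilton"},
    "web_injection": {"ject", "upload", "jctid"},
    "file_and_service_ops": {"wrk"},
}


@dataclass
class Verdict:
    suspicious: bool
    families: list = field(default_factory=list)
    indicators: list = field(default_factory=list)


def _tokens(obj, keys, values):
    """Collect every key and every string value of a nested JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            keys.add(k)
            _tokens(v, keys, values)
    elif isinstance(obj, list):
        for v in obj:
            _tokens(v, keys, values)
    elif isinstance(obj, str):
        values.add(obj)


def triage_frame(raw: str) -> Verdict:
    """Classify one captured frame. Non-JSON frames are reported as not suspicious."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return Verdict(False)
    keys, values = set(), set()
    _tokens(msg, keys, values)
    tokens = keys | values
    indicators = sorted(keys & COMMAND_KEYS)
    families = []
    for name, vocab in COMMAND_FAMILIES.items():
        hits = tokens & vocab
        if hits:
            families.append(name)
            indicators.extend(sorted(hits))
    # Short tokens such as "L", "Q" or "text" are weak on their own, so an alert
    # also requires a known parameter key or a top-level command name.
    anchored = bool(keys & COMMAND_KEYS) or bool(tokens & TOP_COMMANDS)
    return Verdict(bool(families) and anchored, families, indicators)


def triage_all(frames):
    return [triage_frame(f) for f in frames]


# Constructed sample frames (not real captures).
SAMPLE_FRAMES = [
    '{"ltype": "lp", "url": "https://bank.example/login"}',
    '{"screen": "1", "extdata": "snap"}',
    '{"cmnd": "ject", "jctid": "inj_42", "pkg": "com.example.bank"}',
    '{"ping": "ok"}',
    'not json at all',
]

if __name__ == "__main__":
    for raw, v in zip(SAMPLE_FRAMES, triage_all(SAMPLE_FRAMES)):
        print(f"{'ALERT' if v.suspicious else 'ok   '} {v.families} {raw}")
```

Run it over frames exported from a proxy or a device emulator; a frame is only raised to an alert when an action token co-occurs with one of the report's parameter names or top-level commands, which keeps generic words such as “text” or “nav” from triggering on unrelated traffic.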
Conclusion
BTMOB RAT, an evolution of the SpySolr malware, poses a significant threat to Android users by leveraging Accessibility Services to perform a wide range of malicious activities. From stealing login credentials through WebView injections to manipulating screen content, collecting sensitive data, and even unlocking devices remotely, this malware demonstrates a high level of sophistication.
This potent malware uses WebSocket communication with a C&C server to allow real-time command execution, making it a powerful tool for cybercriminals. The malware’s distribution through phishing websites and continuous updates by the threat actor indicate an ongoing effort to enhance its capabilities and evade detection.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Download and install software only from official app stores like Google Play Store or the iOS App Store.
Use a reputable anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
Use strong passwords and enforce multi-factor authentication wherever possible.
Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
Be wary of opening any links received via SMS or emails delivered to your phone.
Ensure that Google Play Protect is enabled on Android devices.
Be careful while enabling any permissions.
Keep your devices, operating systems, and applications updated.