Sonicwall’s deeper investigation revealed multiple HTML files in its assets folder, which replicate login pages of various legitimate applications. These files harvest users’ credentials and transmit them back to the C2 server.

Android Malware Mimics Social Media Apps

The malware’s infection chain begins after the malicious application is installed on the victim’s Android devices. During installation, it requests Accessibility service and Device admin permission to seize control over the installed device and carry out additional malicious actions.

The distribution method of this malware remains unclear, but researchers speculate it will utilize traditional social engineering techniques. Once installed, the malware communicates with the C2 server to receive instructions and commands for specific tasks.

The malware executes the following commands:

The C2 URL is embedded in the resource file.

Upon receiving commands from the C2 server, the malware harvests credentials from browsers and other Android applications by presenting a fake login page using HTML files (phishing).

When victims enter their credentials on these phishing pages, they are collected and shared with the showTt function.

Furthermore, the malware gathers the list of phone numbers stored on the victim’s device and tries to alter the device’s wallpaper when certain conditions are met. If the ‘str’ parameter matches the decrypted value to 0, 1, or 2, the condition for changing the wallpaper is associated with a particular resource.

The malware retrieves information about installed applications from the victim’s device. Upon deeper analysis of the code, it was found that the malware utilizes the CameraManager to toggle the flashlight on/off on the victim’s device. Additionally, it sends a message to a specific number based on inputs received from the C2 server.

Indicators Of Compromise

• 0cc5cf33350853cdd219d56902e5b97eb699c975a40d24e0e211a1015948a13d
• 37074eb92d3cfe4e2c51f1b96a6adf33ed6093e4caa34aa2fa1b9affe288a509
• 3df7c8074b6b1ab35db387b5cb9ea9c6fc2f23667d1a191787aabfbf2fb23173
• 6eb33f00d5e626bfd54889558c6d031c6cac8f180d3b0e39fbfa2c501b65f564
• 9b366eeeffd6c9b726299bc3cf96b2e673572971555719be9b9e4dcaad895162
• a28e99cb8e79d4c2d19ccfda338d43f74bd1daa214f5add54c298b2bcfaac9c3
• d09f2df6dc6f27a9df6e0e0995b91a5189622b1e53992474b2791bbd679f6987
• d8413287ac20dabcf38bc2b5ecd65a37584d8066a364eede77c715ec63b7e0f1
• ecf941c1cc85ee576f0d4ef761135d3e924dec67bc3f0051a43015924c53bfbb
• f10072b712d1eed0f7e2290b47d39212918f3e1fd4deef00bf42ea3fe9809c41

The post New Android Malware Mimics Social Media Apps to Steal Sensitive Data appeared first on First Hackers News.

The potency of the Chaos malware stems from a few factors: first, it is designed to work across several architectures, including: ARM, Intel (i386), MIPS and PowerPC – in addition to both Windows and Linux operating systems. Second, unlike largescale ransomware distribution botnets like Emotet that leverage spam to spread and grow, Chaos propagates through known CVEs and brute forced as well as stolen SSH keys.

The cybersecurity firm said that the main downloader script and further payloads are hosted in multiple locations to make sure that the campaign remains active and new infections continue to happen.

The rat functions as below:

• Perform reverse shell
• Download files
• Upload files
• Delete files
• Take screenshots
• Access file explorer
• Gather operating system information
• Restart the PC
• Shutdown the PC
• Open a URL

The CHAOS RAT, once downloaded and launched, transmits detailed system metadata to a remote server, while also coming with capabilities to carry out file operations, take screenshots, shutdown and restart the computer, and open arbitrary URLs.

CHAOS RAT IOCS

HA-256									File name		Detection name

051351f4257d7f87bede9b72455aae5a5b9a8269bfb4bcbecb1501f7a3409957	config.json		PUA.Linux.XMRMiner.AB
759c496b114f9212c610892c5236935cced564a78b3b410bd2d27c9ee6257f42	genshin			Trojan.Linux.CHAOSRAT.USELVHA22													
52ab96b1d99964502a7946eef39a5f636d8a240c747d43f8568d62cf0e960ae9	rn02s62s		Trojan.SH.MALXMR.UWELT
7a96d9f7a25a67ec2873bb814cb0ba104d3b7c1651f65ff09d8e1f76cba6fb79	solr.sh			Trojan.SH.MALXMR.UWELT
fd452da0d978514adaeee1dd5227212aad00bf07f2481d335eed77a4ee08a5e8	xg546sAd		Trojan.SH.MALXMR.UWELT
3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab	xmrig_setup.exe		Trojan.JS.MALXMR.CMPAW

The post Cryptocurrency Mining Campaign Hits Linux Users with Go-based CHAOS Malware appeared first on First Hackers News.

According to Malwarebytes, one of the Russian organizations which were targeted using this Rat malware is a government-controlled defense corporation.

Woody RAT Malware

This advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability.

This malware is currently delivered onto targets’ computers via phishing emails through two distribution methods:

ZIP archive files containing the malicious payload or microsoft office documents.

Woody Rat can also execute .NET code and PowerShell commands and scripts received from its C2 server using two DLLs named WoodySharpExecutor and WoodyPowerSession.

Once launched on a compromised device, the malware uses process hollowing to inject itself into a suspended Notepad process, deletes itself from the disk to evade detection from security products, and resumes the thread.

Malwarebytes is yet to attribute the malware and the attacks to a known threat group but said that a very short list of possible suspects includes Chinese and North Korean APTs.

IOCs

Woody Rat:

• 982ec24b5599373b65d7fec3b7b66e6afff4872847791cf3c5688f47bfcb8bf0
• 66378c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b
• b65bc098b475996eaabbb02bb5fee19a18c6ff2eee0062353aff696356e73b7a
• 43b15071268f757027cf27dd94675fdd8e771cdcd77df6d2530cb8e218acc2ce
• 408f314b0a76a0d41c99db0cb957d10ea8367700c757b0160ea925d6d7b5dd8e
• 0588c52582aad248cf0c43aa44a33980e3485f0621dba30445d8da45bba4f834
• 5c5020ee0f7a5b78a6da74a3f58710cba62f727959f8ece795b0f47828e33e80
• 3ba32825177d7c2aac957ff1fc5e78b64279aeb748790bc90634e792541de8d3
• 9bc071fb6a1d9e72c50aec88b4317c3eb7c0f5ff5906b00aa00d9e720cbc828d

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Russian organizations attacked with new Woody RAT malware appeared first on First Hackers News.