Apr 10, 2024NewsroomSoftware Security / Supply Chain Attack

Threat actors are now taking advantage of GitHub’s search functionality to trick unsuspecting users looking for popular repositories into downloading spurious counterparts that serve malware.

The latest assault on the open-source software supply chain involves concealing malicious code within Microsoft Visual Code project files that’s designed to download next-stage payloads from a remote URL, Checkmarx said in a report shared with The Hacker News.

“Attackers create malicious repositories with popular names and topics, using techniques like automated updates and fake stars to boost search rankings and deceive users,” security researcher Yehuda Gelb said.

The idea is to manipulate the search rankings in GitHub to bring threat actor-controlled repositories to the top when users filter and sort their results based on the most recent updates and increase the popularity via bogus stars added via fake accounts.

In doing so, the attack lends a veneer of legitimacy and trust to the fraudulent repositories, effectively deceiving developers into downloading them.

“In contrast to past incidents where attackers were found to add hundreds or thousands of stars to their repos, it appears that in these cases, the attackers opted for a more modest number of stars, probably to avoid raising suspicion with an exaggerated number,” Gelb said.

It’s worth pointing out that previous research from Checkmarx late last year uncovered a black market comprising online stores and chat groups that are selling GitHub stars to artificially boost a repository’s popularity, a technique referred to as star inflation.

What’s more, a majority of these repositories are disguised as legitimate projects related to popular games, cheats, and tools, adding another layer of sophistication to make it harder to distinguish them from benign code.

Some repositories have been observed downloading an encrypted .7z file containing an executable named “feedbackAPI.exe” that has been inflated to 750 MB in a likely attempt to evade antivirus scanning and ultimately launch malware that shares similarities with Keyzetsu clipper.

The Windows malware, which came to light early last year, is often distributed through pirated software such as Evernote. It’s capable of diverting cryptocurrency transactions to attacker-owned wallets by substituting the wallet address copied in the clipboard.

The findings underscore the due diligence that developers must follow when downloading source code from open-source repositories, not to mention the dangers of solely relying on reputation as a metric to evaluate trustworthiness.

“The use of malicious GitHub repositories to distribute malware is an ongoing trend that poses a significant threat to the open-source ecosystem,” Gelb said.

“By exploiting GitHub’s search functionality and manipulating repository properties, attackers can lure unsuspecting users into downloading and executing malicious code.”

The development comes as Phylum said it discovered an uptick in the number of spam (i.e., non-malicious) packages being published to the npm registry by a user named ylmin to orchestrate a “massive automated crypto farming campaign” that abuses the Tea protocol.

“The Tea protocol is a web3 platform whose stated goal is compensating open source package maintainers, but instead of cash rewards, they are rewarded with TEA tokens, a cryptocurrency,” the company’s research team said.

“The Tea protocol is not even live yet. These users are farming points from the ‘Incentivized Testnet,’ apparently with the expectation that having more points in the Testnet will increase their odds of receiving a later airdrop.”

Apr 08, 2024NewsroomInvestment Scam / Mobile Security

Google has filed a lawsuit against two app developers for engaging in an “international online consumer investment fraud scheme” that tricked users into downloading bogus Android apps from the Google Play Store and other sources and stealing their funds under the guise of promising higher returns.

The individuals in question are Yunfeng Sun (aka Alphonse Sun) and Hongnam Cheung (aka Zhang Hongnim or Stanford Fischer), who are believed to be based in Shenzhen and Hong Kong, respectively.

The defendants are said to have uploaded about 87 crypto apps to the Play Store to pull off the social engineering scam since at least 2019, with over 100,000 users downloading them and leading to substantial financial losses.

“The gains conveyed by the apps were illusory,” the tech giant said in its complaint. “And the scheme did not end there.”

“Instead, when individual victims attempted to withdraw their balances, defendants and their confederates would double down on the scheme by requesting various fees and other payments from victims that were supposedly necessary for the victims to recover their principal investments and purported gains.”

While this kind of scam is typically referred to as pig butchering (aka shā zhū pán), Google said it “neither adopts nor endorses the use of this term.” It’s derived from the idea that victims are fattened up like hogs with the promise of lucrative returns before “slaughtering” them for their assets.

In September 2023, the U.S. Financial Crimes Enforcement Network (FinCEN) said these scams are perpetrated by criminal enterprises based in Southeast Asia that employ hundreds of thousands of people who are trafficked to the region by promising them high-paying jobs.

The fraudulent scheme entails the scammers using elaborate fictitious personas to target unsuspecting individuals via social media or dating platforms, enticing them with the prospect of a romantic relationship to build trust and convince them to invest in cryptocurrency portfolios that purport to offer high profits within a short span of time with an aim to steal their funds.

To create the appearance of legitimacy, the financially motivated actors are known to fabricate websites and mobile apps to display a bogus investment portfolio with large returns.

Sun and Cheung, said Google, lured victim investors to download their fraudulent apps through text messages using Google Voice to target victims in the U.S. and Canada. Other distribution methods include affiliate marketing campaigns that offer commissions for “signing up additional users” and YouTube videos promoting the fake investment platforms.

The company described the malicious activity as persistent and continuing, with the defendants “using varying computer network infrastructure and accounts to obfuscate their identities, and making material misrepresentations to Google in the process.”

It also accused them of violating the Racketeer Influenced and Corrupt Organizations Act (RICO), carrying out wire fraud, and breaching the Google Play App Signing Terms of Service, Developer Program Policies, YouTube’s Community Guidelines, as well as the Google Voice Acceptable Use Policy.

“Google Play can continue to be an app-distribution platform that users want to use only if users feel confident in the integrity of the apps,” Google added. “By using Google Play to conduct their fraud scheme, defendants have threatened the integrity of Google Play and the user experience.”

It’s worth noting that the problem is not limited to the Android ecosystem alone, as prior reports show that such bogus apps have also repeatedly made their way to the Apple App Store.

The development is the latest in a series of legal actions that Google has taken to avoid the misuse of its products. In November 2023, the company sued multiple individuals in India and Vietnam for distributing fake versions of its Bard AI chatbot (now rebranded as Gemini) to propagate malware via Facebook.

Mar 22, 2024NewsroomWeb Security / Vulnerability

A massive malware campaign dubbed Sign1 has compromised over 39,000 WordPress sites in the last six months, using malicious JavaScript injections to redirect users to scam sites.

The most recent variant of the malware is estimated to have infected no less than 2,500 sites over the past two months alone, Sucuri said in a report published this week.

The attacks entail injecting rogue JavaScript into legitimate HTML widgets and plugins that allow for arbitrary JavaScript and other code to be inserted, providing attackers with an opportunity to add their malicious code.

The XOR-encoded JavaScript code is subsequently decoded and used to execute a JavaScript file hosted on a remote server, which ultimately facilitates redirects to a VexTrio-operated traffic distribution system (TDS) but only if certain criteria are met.

What’s more, the malware uses time-based randomization to fetch dynamic URLs that change every 10 minutes to get around blocklists. These domains are registered a few days prior to their use in attacks.

“One of the most noteworthy things about this code is that it is specifically looking to see if the visitor has come from any major websites such as Google, Facebook, Yahoo, Instagram etc.,” security researcher Ben Martin said. “If the referrer does not match to these major sites, then the malware will not execute.”

Site visitors are then taken to other scam sites by executing another JavaScript from the same server.

The Sign1 campaign, first detected in the second half of 2023, has witnessed several iterations, with the attackers leveraging as many as 15 different domains since July 31, 2023.

It’s suspected that WordPress sites have been taken over by means of a brute-force attack, although adversaries could also leverage security flaws in plugins and themes to obtain access.

“Many of the injections are found inside WordPress custom HTML widgets that the attackers add to compromised websites,” Martin said. “Quite often, the attackers install a legitimate Simple Custom CSS and JS plugin and inject the malicious code using this plugin.”

This approach of not placing any malicious code into server files allows the malware to stay undetected for extended periods of time, Sucuri said.

Feb 28, 2024NewsroomPhishing Attack / Malware

Mexican users have been targeted with tax-themed phishing lures at least since November 2023 to distribute a previously undocumented Windows malware called TimbreStealer.

Cisco Talos, which discovered the activity, described the authors as skilled and that the “threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known as Mispadu in September 2023.

Besides employing sophisticated obfuscation techniques to sidestep detection and ensure persistence, the phishing campaign makes use of geofencing to single out users in Mexico, returning an innocuous blank PDF file instead of the malicious one if the payload sites are contacted from other locations.

Some of the notable evasive maneuvers include leveraging custom loaders and direct system calls to bypass conventional API monitoring, in addition to utilizing Heaven’s Gate to execute 64-bit code within a 32-bit process, an approach that was also recently adopted by HijackLoader.

The malware comes with several embedded modules for orchestration, decryption, and protection of the main binary, while also running a series of checks to determine if it’s running a sandbox environment, the system language is not Russian, and the timezone is within a Latin American region.

The orchestrator module also looks for files and registry keys to double-check that the machine hasn’t been previously infected, before launching a payload installer component that displays a benign decoy file to the user, as it ultimately triggers the execution of TimbreStealer’s primary payload.

The payload is designed to harvest a wide range of data, including credential information from different folders, system metadata, and the URLs accessed, look for files matching specific extensions, and verify the presence of remote desktop software.

Cisco Talos said it identified overlaps with a Mispadu spam campaign observed in September 2023, although the target industries of TimbreStealer are varied and with a focus on manufacturing and transportation sectors.

The disclosure comes amid the emergence of a new version of another information stealer called Atomic (aka AMOS), which is capable of gathering data from Apple macOS systems such as local user account passwords, credentials from Mozilla Firefox and Chromium-based browsers, crypto wallet information, and files of interest, using an unusual combination of Python and Apple Script code.

“The new variant drops and uses a Python script to stay covert,” Bitdefender researcher Andrei Lapusneanu said, noting the Apple Script block for collecting sensitive files from the victim’s computer exhibits a “significantly high level of similarity” with the RustDoor backdoor.

It also follows the emergence of new stealer malware families such as XSSLite, which was released as part of a malware development competition hosted by the XSS forum, even as existing strains like Agent Tesla and Pony (aka Fareit or Siplog) continued to be used for information theft and subsequent sale on stealer logs marketplaces like Exodus.

Feb 05, 2024NewsroomCyber Espionage / Cyber Extortion

The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy.

Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between April 2021 and March 2023.

“VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code,” security researcher Lukáš Štefanko said. “It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera.”

As many as 148 devices in Pakistan and India are estimated to have been compromised in the wild. The malicious apps distributed via Google Play and elsewhere primarily masqueraded as messaging applications, with the most recent ones propagated as recently as September 2023.

• Privee Talk (com.priv.talk)
• MeetMe (com.meeete.org)
• Let’s Chat (com.letsm.chat)
• Quick Chat (com.qqc.chat)
• Rafaqat رفاق (com.rafaqat.news)
• Chit Chat (com.chit.chat)
• YohooTalk (com.yoho.talk)
• TikTalk (com.tik.talk)
• Hello Chat (com.hello.chat)
• Nidus (com.nidus.no or com.nionio.org)
• GlowChat (com.glow.glow)
• Wave Chat (com.wave.chat)

Rafaqat رفاق is notable for the fact that it’s the only non-messaging app and was advertised as a way to access the latest news. It was uploaded to Google Play on October 26, 2022, by a developer named Mohammad Rizwan and amassed a total of 1,000 downloads before it was taken down by Google.

The exact distribution vector for the malware is currently not clear, although the nature of the apps suggests that the targets were tricked into downloading them as part of a honey-trap romance scam, where the perpetrators convince them to install these bogus apps under the pretext of having a more secure conversation.

This is not the first time Patchwork – a threat actor with suspected ties to India – has leveraged this technique. In March 2023, Meta revealed that the hacking crew created fictitious personas on Facebook and Instagram to share links to rogue apps to target victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

It’s also not the first time that the attackers have been observed deploying VajraRAT, which was previously documented by Chinese cybersecurity company QiAnXin in early 2022 as having been used in a campaign aimed at Pakistani government and military entities. Vajra gets its name from the Sanskrit word for thunderbolt.

Qihoo 360, in its own analysis of the malware in November 2023, tied it to a threat actor it tracks under the moniker Fire Demon Snake (aka APT-C-52).

Outside of Pakistan and India, Nepalese government entities have also been likely targeted via a phishing campaign that delivers a Nim-based backdoor. It has been attributed to the SideWinder group, another group that has been flagged as operating with Indian interests in mind.

The development comes as financially motivated threat actors from Pakistan and India have been found targeting Indian Android users with a fake loan app (Moneyfine or “com.moneyfine.fine”) as part of an extortion scam that manipulates the selfie uploaded as part of a know your customer (KYC) process to create a nude image and threatens victims to make a payment or risk getting the doctored photos distributed to their contacts.

“These unknown, financially motivated threat actors make enticing promises of quick loans with minimal formalities, deliver malware to compromise their devices, and employ threats to extort money,” Cyfirma said in an analysis late last month.

It also comes amid a broader trend of people falling prey to predatory loan apps, which are known to harvest sensitive information from infected devices, and employ blackmail and harassment tactics to pressure victims into making the payments.

According to a recent report published by the Network Contagion Research Institute (NCRI), teenagers from Australia, Canada, and the U.S. are increasingly targeted by financial sextortion attacks conducted by Nigeria-based cybercriminal group known as Yahoo Boys.

“Nearly all of this activity is linked to West African cybercriminals known as the Yahoo Boys, who are primarily targeting English-speaking minors and young adults on Instagram, Snapchat, and Wizz,” NCRI said.

Wizz, which has since had its Android and iOS apps taken down from the Apple App Store and the Google Play Store, countered the NCRI report, stating it’s “not aware of any successful extortion attempts that occurred while communicating on the Wizz app.”

Jan 04, 2024NewsroomCryptocurrency / Social Media

American cybersecurity firm and Google Cloud subsidiary Mandiant had its X (formerly Twitter) account compromised for more than six hours by an unknown attacker to propagate a cryptocurrency scam.

As of writing, the account has been restored on the social media platform.

It’s currently not clear how the account was breached. But the hacked Mandiant account was initially renamed to “@phantomsolw” to impersonate the Phantom crypto wallet service, according to MalwareHunterTeam and vx-underground.

Specifically, the scam posts from the account advertised an airdrop scam that urged users to click on a bogus link and earn free tokens, with follow-up messages asking Mandiant to “change password please” and “check bookmarks when you get account back.”

Mandiant, a leading threat intelligence firm, was acquired by Google in March 2022 for $5.4 billion. It is now part of Google Cloud.

“The Mandiant Twitter account takeover could have happened [in] a number of ways,” Rachel Tobac, CEO of SocialProof Security, said on X.

“Some folks are giving the advice to turn on MFA to prevent ATO and of course that is a good idea always *but it’s also possible that someone in Support at Twitter was bribed or compromised which allowed the attacker access to Mandiant’s account*.”

The Hacker News has reached out to Mandiant for further comments, and we will update the story once we hear back.

Dec 18, 2023NewsroomCryptocurrency / Online Scam

Four U.S. nationals have been charged for participating in an illicit scheme that earned them more than $80 million via cryptocurrency investment scams.

The defendants – Lu Zhang, 36, of Alhambra, California; Justin Walker, 31, of Cypress, California; Joseph Wong, 32, Rosemead, California; and Hailong Zhu, 40, Naperville, Illinois – have been charged with conspiracy to commit money laundering, concealment money laundering, and international money laundering.

The U.S. Department of Justice (DoJ), which announced the arrests of both Zhang and Walker in connection with the fraudulent operation, said the quartet opened shell companies and bank accounts to carry out pig butchering scams, transferring the ill-gotten funds to domestic and international financial entities.

If convicted, Zhang and Walker face a maximum penalty of 20 years in prison. Their alleged co-conspirators remain at large.

“The overall fraud scheme in the related pig-butchering syndicate involved at least 284 transactions and resulted in more than $80 million in victim losses,” the DoJ said. “More than $20 million in victim funds were directly deposited into bank accounts associated with the defendants.”

The enforcement action comes as a Nigerian national named Eze Harrison Arinze was sentenced to three years in prison for his role in conducting pig butchering scams and defrauding 34 victims in 13 countries, leading to $592,000 in losses.

Late last month, the U.S. DoJ also announced the seizure of nearly $9 million worth of Tether that were traced to cryptocurrency addresses allegedly associated with a Southeast Asia based organization that exploited over 70 victims through pig butchering scams.

Pig butchering falls under the category of so-called romance-investment scams, wherein people are targeted via dating apps under fictitious identities to gain their trust and dupe them into investing their money in seemingly legitimate and profitable ventures, typically promising high investment returns within a short span of time.

“After persuading the victim to invest, the scammers collect the funds, often using digital payment platforms or cryptocurrencies to make tracking more difficult,” Trend Micro said in a report detailing the scam.

“Once they have received a substantial sum from their victims, or once the victims try to withdraw funds from the account, the scammers will suddenly become unreachable, or the brokerage platform will have trouble transferring funds. Scammers could also delete their online presence or create new identities, making it difficult for victims to recover their lost funds.”

One of the emerging trends in the space involves the use of group chats, indicating that the cyber criminals are adapting and refining their strategies to make them more effective.

In these cases, prospective victims are added to a fake investment chat group under their control. Should the target express interest in investing in cryptocurrencies, the conversation is moved to a one-to-one chat, where they are introduced to a bogus brokerage platform and persuaded to transfer their funds to the service.

According to the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) report, cryptocurrency investment scams have led to unprecedented losses totaling $2.57 billion in 2022, registering a 183% increase from 2021.

“A significant portion of these phone numbers can be traced back to leaked databases containing personal information,” the cybersecurity firm said. “More than half of the numbers added to the fake group chats have been found in such databases, indicating that scammers could be using leaked information to find their next victims.”