Feb 09, 2024NewsroomMobile Security / Cyber Threat

Threat hunters have identified a new variant of Android malware called MoqHao that automatically executes on infected devices without requiring any user interaction.

“Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution,” McAfee Labs said in a report published this week. “While the app is installed, their malicious activity starts automatically.”

The campaign’s targets include Android users located in France, Germany, India, Japan, and South Korea.

MoqHao, also called Wroba and XLoader (not to be confused with the Windows and macOS malware of the same name), is an Android-based mobile threat that’s associated with a Chinese financially motivated cluster dubbed Roaming Mantis (aka Shaoye).

Typical attack chains commence with package delivery-themed SMS messages bearing fraudulent links that, when clicked from Android devices, lead to the deployment of the malware but redirect victims to credential harvesting pages impersonating Apple’s iCloud login page when visited from an iPhone.

In July 2022, Sekoia detailed a campaign that compromised at least 70,000 Android devices in France. As of early last year, updated versions of MoqHao have been found to infiltrate Wi-Fi routers and undertake Domain Name System (DNS) hijacking, revealing the adversary’s commitment to innovating its arsenal.

The latest iteration of MoqHao continues to be distributed via smishing techniques, but what has changed is that the malicious payload is run automatically upon installation and prompts the victim to grant it risky permissions without launching the app, a behavior previously spotted with bogus apps containing the HiddenAds malware.

What’s also received a facelift is that the links shared in the SMS messages themselves are hidden using URL shorteners to increase the likelihood of the attack’s success. The content for these messages is extracted from the bio (or description) field from fraudulent Pinterest profiles set up for this purpose.

MoqHao is equipped with several features that allow it to stealthily harvest sensitive information like device metadata, contacts, SMS messages, and photos, call specific numbers with silent mode, and enable/disable Wi-Fi, among others.

McAfee said it has reported the findings to Google, which is said to be “already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version.”

The development comes as Chinese cybersecurity firm QiAnXin revealed that a previously unknown cybercrime syndicate named Bigpanzi has been linked to the compromise of Android-based smart TVs and set-top boxes (STBs) in order to corral them into a botnet for conducting distributed denial-of-service (DDoS) attacks.

The operation, active since at least 2015, is estimated to control a botnet comprising 170,000 daily active bots, most of which are located in Brazil. However, 1.3 million distinct Brazilian IP addresses have been associated with Bigpanzi since August 2023.

The infections are made possible by tricking users into installing booby-trapped apps for streaming pirated movies and TV shows through sketchy websites. The campaign was first disclosed by Russian antivirus vendor Doctor Web in September 2023.

“Once installed, these devices transform into operational nodes within their illicit streaming media platform, catering to services like traffic proxying, DDoS attacks, OTT content provision, and pirate traffic,” QiAnXin researchers said.

“The potential for Bigpanzi-controlled TVs and STBs to broadcast violent, terroristic, or pornographic content, or to employ increasingly convincing AI-generated videos for political propaganda, poses a significant threat to social order and stability.”

Jan 25, 2024NewsroomFileless Malware / Endpoint Security

Cybersecurity researchers have uncovered an updated version of a backdoor called LODEINFO that’s distributed via spear-phishing attacks.

The findings come from Japanese company ITOCHU Cyber & Intelligence, which said the malware “has been updated with new features, as well as changes to the anti-analysis (analysis avoidance) techniques.”

LODEINFO (versions 0.6.6 and 0.6.7) was first documented by Kaspersky in November 2022, detailing its capabilities to execute arbitrary shellcode, take screenshots, and exfiltrate files back to an actor-controlled server.

A month later, ESET disclosed attacks targeting Japanese political establishments that led to the deployment of LODEINFO.

The backdoor is the work of a Chinese nation-state actor known as Stone Panda (aka APT10, Bronze Riverside, Cicada, Earth Tengshe, MirrorFace, and Potassium), which has a history of orchestrating attacks targeting Japan since 2021.

Attack chains commence with phishing emails bearing malicious Microsoft Word documents that, when opened, execute VBA macros to launch downloader shellcode capable of ultimately executing the LODEINFO implant.

LODEINFO infection paths in 2023 have also been observed making use of remote template injection methods to retrieve and execute malicious macros hosted on the adversary’s infrastructure every time the victim opens a lure Word document containing the template.

What’s more, checks are said to have been added sometime around June 2023 to verify the language settings of Microsoft Office to determine if it’s Japanese, only for it to be removed a month later in attacks leveraging LODEINFO version 0.7.1.

“In addition, the filename of the maldoc itself has been changed from Japanese to English,” ITOCHU noted. “From this, we believe that v0.7.1 was likely used to attack environments in languages other than Japanese.”

Another notable change in attacks delivering LODEINFO version 0.7.1 is the introduction of a new intermediate stage that involves the shellcode downloader fetching a file that masquerades as a Privacy-Enhanced Mail (PEM) from a C2 server, which, in turn, loads the backdoor directly in memory.

The downloader shares similarities with a known fileless downloader dubbed DOWNIISSA based on the self-patching mechanism to conceal malicious code, encoding method for command-and-control (C2) server information, and the structure of the data decrypted from the fake PEM file.

“LODEINFO backdoor shellcode is a fileless malware that allows attackers to remotely access and operate infected hosts,” the company said, with samples found in 2023 and 2024 incorporating extra commands. The latest version of LODEINFO is 0.7.3.

“As a countermeasure, since both the downloader shellcode and the backdoor shellcode of LODEINFO are fileless malware, it is essential to introduce a product that can scan and detect malware in memory in order to detect it,” it added.