Anatsa Android Trojan Bypasses Google Play Security, Expands Reach to New Countries
https://www.indiavpn.org/2024/02/19/anatsa-android-trojan-bypasses-google-play-security-expands-reach-to-new-countries/

Feb 19, 2024 | Newsroom | Malware / Mobile Security


The Android banking trojan known as Anatsa has expanded its focus to include Slovakia, Slovenia, and Czechia as part of a new campaign observed in November 2023.

“Some of the droppers in the campaign successfully exploited the accessibility service, despite Google Play’s enhanced detection and protection mechanisms,” ThreatFabric said in a report shared with The Hacker News.

“All droppers in this campaign have demonstrated the capability to bypass the restricted settings for accessibility service in Android 13.” The campaign involves five droppers with more than 100,000 installations between them.

Also known by the names TeaBot and Toddler, Anatsa is distributed under the guise of seemingly innocuous apps on the Google Play Store. These apps, called droppers, facilitate the installation of the malware by circumventing the security measures Google imposes to restrict how sensitive permissions are granted.

In June 2023, the Dutch mobile security firm disclosed an Anatsa campaign that targeted banking customers in the U.S., the U.K., Germany, Austria, and Switzerland at least since March 2023 using dropper apps that were collectively downloaded over 30,000 times on the Play Store.


Anatsa comes fitted with capabilities to gain full control over infected devices and execute actions on a victim’s behalf. It can also steal credentials to initiate fraudulent transactions.

The latest iteration observed in November 2023 is no different in that one of the droppers masqueraded as a phone cleaner app named “Phone Cleaner – File Explorer” (package name “com.volabs.androidcleaner”) and leveraged a technique called versioning to introduce its malicious behavior.

While the app is no longer available for download from the official storefront for Android, it can still be downloaded via other sketchy third-party sources.

According to statistics available on app intelligence platform AppBrain, the app is estimated to have been downloaded about 12,000 times during the time it was available on the Google Play Store between November 13 and November 27, when it was unpublished.


“Initially, the app appeared harmless, with no malicious code and its accessibility service not engaging in any harmful activities,” ThreatFabric researchers said.

“However, a week after its release, an update introduced malicious code. This update altered the AccessibilityService functionality, enabling it to execute malicious actions such as automatically clicking buttons once it received a configuration from the [command-and-control] server.”

What makes the dropper notable is that its abuse of the accessibility service is tailored to Samsung devices, suggesting that it was designed to exclusively target the company-made handsets at some point, although other droppers used in the campaign have been found to be manufacturer agnostic.

The droppers are also capable of circumventing Android 13’s restricted settings by mimicking the process used by marketplaces to install new applications without having their access to the accessibility service functionalities disabled, as previously observed in the case of dropper services like SecuriDropper.
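The versioning pattern described above (a benign first release whose already-declared accessibility service is only later given malicious behaviour through an update) is the reason a manifest diff alone is not enough. The following is an added example, not code from the article or from ThreatFabric: manifest-level checks a reviewer can run when an app update lands to decide whether the new version needs a code-level look. The two manifests are constructed stand-ins for a hypothetical "Phone Cleaner" app before and after an update, the package name `com.example.cleaner` is made up, and the flag wording is this example's own.

```python
"""Manifest-level review flags for an app update (added example, constructed input)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed baseline manifest: the first release already declares an
# accessibility service, mirroring the "harmless at first" pattern in the article.
MANIFEST_V1 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Phone Cleaner">
    <activity android:name="com.example.cleaner.MainActivity"/>
    <service android:name="com.example.cleaner.HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed updated manifest: same service, bumped version, one extra permission.
MANIFEST_V2 = MANIFEST_V1.replace('android:versionCode="1"', 'android:versionCode="2"').replace(
    '<uses-permission android:name="android.permission.INTERNET"/>',
    '<uses-permission android:name="android.permission.INTERNET"/>\n'
    '  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>',
)


def _a(attr: str) -> str:
    """Qualified name of an attribute in the android: namespace."""
    return f"{{{ANDROID_NS}}}{attr}"


def accessibility_services(manifest_xml: str) -> set[str]:
    """Names of declared services that are accessibility services: guarded by the
    BIND_ACCESSIBILITY_SERVICE permission or registering the AccessibilityService action."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for svc in root.iter("service"):
        binds = svc.get(_a("permission")) == BIND_A11Y
        has_action = any(act.get(_a("name")) == A11Y_ACTION for act in svc.iter("action"))
        if binds or has_action:
            found.add(svc.get(_a("name"), "<unnamed>"))
    return found


def permissions(manifest_xml: str) -> set[str]:
    """All <uses-permission> names requested by the manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(_a("name")) for p in root.iter("uses-permission")}


def version_code(manifest_xml: str) -> int:
    """android:versionCode of the <manifest> element."""
    return int(ET.fromstring(manifest_xml).get(_a("versionCode")))


def review_flags(old_xml: str, new_xml: str) -> list[str]:
    """Reasons the new version should be re-reviewed before it is trusted, in a fixed order."""
    flags = []
    if version_code(new_xml) <= version_code(old_xml):
        flags.append("version code did not increase")
    old_svcs, new_svcs = accessibility_services(old_xml), accessibility_services(new_xml)
    for name in sorted(new_svcs - old_svcs):
        flags.append(f"new accessibility service declared: {name}")
    for perm in sorted(permissions(new_xml) - permissions(old_xml)):
        flags.append(f"new permission requested: {perm}")
    # Versioning can leave the manifest untouched and change only the service's
    # code, so a service that was already present still warrants a code-level
    # re-review on every update rather than being treated as "unchanged".
    for name in sorted(new_svcs & old_svcs):
        flags.append(f"existing accessibility service kept across update: {name}")
    return flags


if __name__ == "__main__":
    for flag in review_flags(MANIFEST_V1, MANIFEST_V2):
        print("REVIEW:", flag)
```

The last loop is the important one for this campaign: the dropper's accessibility service was declared from day one, so a diff that only reports additions would report nothing for the malicious update. Treating any retained accessibility service as a trigger for decompiling and re-reading the service body is what actually catches the versioning step.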


“These actors prefer concentrated attacks on specific regions rather than a global spread, periodically shifting their focus,” ThreatFabric said. “This targeted approach enables them to concentrate on a limited number of financial organizations, leading to a high number of fraud cases in a short time.”

The development comes as Fortinet FortiGuard Labs detailed another campaign that distributes the SpyNote remote access trojan by imitating a legitimate Singapore-based cryptocurrency wallet service known as imToken, replacing destination wallet addresses with actor-controlled ones to conduct illicit asset transfers.

“Like much Android malware today, this malware abuses the accessibility API,” security researcher Axelle Apvrille said. “This SpyNote sample uses the Accessibility API to target famous crypto wallets.”

Double-Extortion Play Ransomware Strikes 300 Organizations Worldwide
https://www.indiavpn.org/2023/12/25/double-extortion-play-ransomware-strikes-300-organizations-worldwide/

Dec 19, 2023 | Newsroom | Ransomware / Threat Intelligence


The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S.

“Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia,” authorities said.

Also called Balloonfly and PlayCrypt, Play emerged in 2022, exploiting security flaws in Microsoft Exchange servers (CVE-2022-41040 and CVE-2022-41082) and Fortinet appliances (CVE-2018-13379 and CVE-2020-12812) to breach enterprises and deploy file-encrypting malware.

It’s worth pointing out that ransomware attacks are increasingly exploiting vulnerabilities rather than using phishing emails as initial infection vectors, jumping from nearly zero in the second half of 2022 to almost a third in the first half of 2023, per data from Corvus.


Cybersecurity firm Adlumin, in a report published last month, revealed that Play is being offered to other threat actors “as a service,” completing its transformation into a ransomware-as-a-service (RaaS) operation.

Ransomware attacks orchestrated by the group are characterized by the use of public and bespoke tools like AdFind to run Active Directory queries, GMER, IOBit, and PowerTool to disable antivirus software, and Grixba to enumerate network information and for collecting information about backup software and remote administration tools installed on a machine.

The threat actors have also been observed to carry out lateral movement and data exfiltration and encryption steps, banking on Cobalt Strike, SystemBC, and Mimikatz for post-exploitation.

“The Play ransomware group uses a double-extortion model, encrypting systems after exfiltrating data,” the agencies said. “Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.”

According to statistics compiled by Malwarebytes, Play claimed nearly 40 victims in November 2023 alone, though it still trailed significantly behind its peers LockBit and BlackCat (aka ALPHV and Noberus).

The alert comes days after U.S. government agencies released an updated bulletin about the Karakurt group, which is known to eschew encryption-based attacks in favor of pure extortion after obtaining initial access to networks via purchasing stolen login credentials, intrusion brokers (aka initial access brokers), phishing, and known security flaws.

“Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom,” the government said.


The developments also come amid speculations that the BlackCat ransomware may have been a target of a law enforcement operation after its dark web leak portals went offline for five days. However, the e-crime collective pinned the outage on a hardware failure.

What’s more, another nascent ransomware group known as NoEscape is alleged to have pulled an exit scam, effectively “stealing the ransom payments and closing down the group’s web panels and data leak sites,” prompting other gangs like LockBit to recruit their former affiliates.

That the ransomware landscape is constantly evolving and shifting, whether due to external pressure from law enforcement or otherwise, is hardly surprising. This is further evidenced by the collaboration between the BianLian, White Rabbit, and Mario ransomware gangs in a joint extortion campaign targeting publicly traded financial services firms.

“These cooperative ransom campaigns are rare, but are possibly becoming more common due to the involvement of initial access brokers (IABs) collaborating with multiple groups on the dark web,” Resecurity said in a report published last week.

“Another factor that may be leading to greater collaboration are law enforcement interventions that create cybercriminal diaspora networks. Displaced participants of these threat actor networks may be more willing to collaborate with rivals.”
