Apr 15, 2024NewsroomSpyware / Mobile Security

Cybersecurity researchers have discovered a “renewed” cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called LightSpy.

“The latest iteration of LightSpy, dubbed ‘F_Warehouse,’ boasts a modular framework with extensive spying features,” the BlackBerry Threat Research and Intelligence Team said in a report published last week.

There is evidence to suggest that the campaign may have targeted India based on VirusTotal submissions from within its borders.

First documented in 2020 by Trend Micro and Kaspersky, LightSpy refers to an advanced iOS backdoor that’s distributed via watering hole attacks through compromised news sites.

A subsequent analysis from ThreatFabric in October 2023 uncovered infrastructure and functionality overlaps between the malware and an Android spyware known as DragonEgg, which is attributed to the Chinese nation-state group APT41 (aka Winnti).

The initial intrusion vector is presently not known, although it’s suspected to be via news websites that have been breached and are known to be visited by the targets on a regular basis.

The starting point is a first-stage loader that acts as a launchpad for the core LightSpy backdoor and its assorted plugins that are retrieved from a remote server to pull off the data-gathering functions.

LightSpy is both fully-featured and modular, allowing threat actors to harvest sensitive information, including contacts, SMS messages, precise location data and sound recordings during VoIP calls.

The latest version discovered by the Canadian cybersecurity firm further expands on its capabilities to steal files as well as data from popular apps like Telegram, QQ, and WeChat, iCloud Keychain data, and web browser history from Safari and Google Chrome.

The complex espionage framework also features capabilities to gather a list of connected Wi-Fi networks, details about installed apps, take pictures using the device’s camera, record audio, and execute shell commands received from the server, likely enabling it to hijack control of the infected devices.

“LightSpy employs certificate pinning to prevent detection and interception of communication with its command-and-control (C2) server,” Blackberry said. “Thus, if the victim is on a network where traffic is being analyzed, no connection to the C2 server will be established.”

A further examination of the implant’s source code suggests the involvement of native Chinese speakers, raising the possibility of state-sponsored activity. What’s more, LightSpy communicates with a server located at 103.27[.]109[.]217, which also hosts an administrator panel that displays an error message in Chinese when entering incorrect login credentials.

The development comes as Apple said it sent out threat notifications to users in 92 countries, counting India, that they may have been targeted by mercenary spyware attacks.

“The return of LightSpy, now equipped with the versatile ‘F_Warehouse’ framework, signals an escalation in mobile espionage threats,” BlackBerry said.

“The expanded capabilities of the malware, including extensive data exfiltration, audio surveillance, and potential full device control, pose a severe risk to targeted individuals and organizations in Southern Asia.”

Apr 10, 2024NewsroomMobile Security / Spyware

An active Android malware campaign dubbed eXotic Visit has been primarily targeting users in South Asia, particularly those in India and Pakistan, with malware distributed via dedicated websites and Google Play Store.

Slovak cybersecurity firm said the activity, ongoing since November 2021, is not linked to any known threat actor or group. It’s tracking the group behind the operation under the name Virtual Invaders.

“Downloaded apps provide legitimate functionality, but also include code from the open-source Android XploitSPY RAT,” ESET security researcher Lukáš Štefanko said in a technical report released today.

The campaign is said to be highly targeted in nature, with the apps available on Google Play having negligible number of installs ranging from zero to 45. The apps have since been taken down.

The fake-but-functional apps primarily masquerade as messaging services like Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Messenger, and Zaangi Chat. Approximately 380 victims are said to have downloaded the apps and created accounts to use them for messaging purposes.

Also employed as part of eXotic Visit are apps such as Sim Info and Telco DB, both of which claim to provide details about SIM owners simply by entering a Pakistan-based phone number. Other applications pass off as a food ordering service in Pakistan as well as a legitimate Indian hospital called Specialist Hospital (now rebranded as Trilife Hospital).

XploitSPY, uploaded to GitHub as early as April 2020 by a user named RaoMK, is associated with an Indian cyber security solutions company called XploitWizer. It has also been described as a fork of another open-source Android trojan called L3MON, which, in turn, draws inspiration from AhMyth.

It comes with a wide gamut of features that allows it to gather sensitive data from infected devices, such as GPS locations, microphone recordings, contacts, SMS messages, call logs, and clipboard content; extract notification details from apps like WhatsApp, Facebook, Instagram, and Gmail; download and upload files; view installed apps; and queue commands.

On top of that, the malicious apps are designed to take pictures and enumerate files in several directories related to screenshots, WhatApp, WhatsApp Business, Telegram, and an unofficial WhatsApp mod known as GBWhatsApp.

“Throughout the years, these threat actors have customized their malicious code by adding obfuscation, emulator detection, hiding of [command-and-control] addresses, and use of a native library,” Štefanko said.

The main purpose of the native library (“defcome-lib.so”) is to keep the C2 server information encoded and hidden from static analysis tools. If an emulator is detected, the app makes use of a fake C2 server to evade detection.

Some of the apps have been propagated through websites specifically created for this purpose (“chitchat.ngrok[.]io”) that provide a link to an Android package file (“ChitChat.apk”) hosted on GitHub. It’s presently not clear how victims are directed to these apps.

“Distribution started on dedicated websites and then even moved to the official Google Play store,” Štefanko concluded. “The purpose of the campaign is espionage and probably is targeting victims in Pakistan and India.”

Mar 30, 2024NewsroomMalware / Cryptocurrency

Malicious ads and bogus websites are acting as a conduit to deliver two different stealer malware, including Atomic Stealer, targeting Apple macOS users.

The ongoing infostealer attacks targeting macOS users may have adopted different methods to compromise victims’ Macs, but operate with the end goal of stealing sensitive data, Jamf Threat Labs said in a report published Friday.

One such attack chain targets users searching for Arc Browser on search engines like Google to serve bogus ads that redirect users to look-alike sites (“airci[.]net”) that serve the malware.

“Interestingly, the malicious website cannot be accessed directly, as it returns an error,” security researchers Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt said. “It can only be accessed through a generated sponsored link, presumably to evade detection.”

The disk image file downloaded from the counterfeit website (“ArcSetup.dmg”) delivers Atomic Stealer, which is known to request users to enter their system passwords via a fake prompt and ultimately facilitate information theft.

Jamf said it also discovered a phony website called meethub[.]gg that claims to offer a free group meeting scheduling software, but actually installs another stealer malware capable of harvesting users’ keychain data, stored credentials in web browsers, and information from cryptocurrency wallets.

Much like Atomic stealer, the malware – which is said to overlap with a Rust-based stealer family known as Realst – also prompts the user for their macOS login password using an AppleScript call to carry out its malicious actions.

Attacks leveraging this malware are said to have approached victims under the pretext of discussing job opportunities and interviewing them for a podcast, subsequently asking them to download an app from meethub[.]gg to join a video conference provided in the meeting invites.

“These attacks are often focused on those in the crypto industry as such efforts can lead to large payouts for attackers,” the researchers said. “Those in the industry should be hyper-aware that it’s often easy to find public information that they are asset holders or can easily be tied to a company that puts them in this industry.”

The development comes as MacPaw’s cybersecurity division Moonlock Lab disclosed that malicious DMG files (“App_v1.0.4.dmg”) are being used by threat actors to deploy a stealer malware designed to extract credentials and data from various applications.

This is accomplished by means of an obfuscated AppleScript and bash payload that’s retrieved from a Russian IP address, the former of which is used to launch a deceptive prompt (as mentioned above) to trick users into providing the system passwords.

“Disguised as a harmless DMG file, it tricks the user into installation via a phishing image, persuading the user to bypass macOS’s Gatekeeper security feature,” security researcher Mykhailo Hrebeniuk said.

The development is an indication that macOS environments are increasingly under threat from stealer attacks, with some strains even boasting of sophisticated anti-virtualization techniques by activating a self-destructing kill switch to evade detection.

In recent weeks, malvertising campaigns have also been observed pushing the FakeBat loader (aka EugenLoader) and other information stealers like Rhadamanthys via a Go-based loader through decoy sites for popular software such as Notion and PuTTY.

A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information.

Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it’s likely associated with the North Korean state-sponsored group tracked as Kimsuky.

“The malware payloads used in the DEEP#GOSU represent a sophisticated, multi-stage threat designed to operate stealthily on Windows systems especially from a network-monitoring standpoint,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical analysis shared with The Hacker News.

“Its capabilities included keylogging, clipboard monitoring, dynamic payload execution, and data exfiltration, and persistence using both RAT software for full remote access, scheduled tasks as well as self-executing PowerShell scripts using jobs.”

A notable aspect of the infection procedure is that it leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), thus allowing the threat actor to blend undetected into regular network traffic.

On top of that, the use of such cloud services to stage the payloads allows for updating the functionality of the malware or delivering additional modules.

The starting point is said to be a malicious email attachment containing a ZIP archive with a rogue shortcut file (.LNK) that masquerades as a PDF file (“IMG_20240214_0001.pdf.lnk”).

The .LNK file comes embedded with a PowerShell script as well as a decoy PDF document, with the former also reaching out to an actor-controlled Dropbox infrastructure to retrieve and execute another PowerShell script (“ps.bin”).

The second-stage PowerShell script, for its part, fetches a new file from Dropbox (“r_enc.bin”), a .NET assembly file in binary form that’s actually an open-source remote access trojan known as TruRat (aka TutRat or C# RAT) with capabilities to record keystrokes, manage files, and facilitate remote control.

It’s worth noting that Kimsuky has employed TruRat in at least two campaigns uncovered by the AhnLab Security Intelligence Center (ASEC) last year.

Also retrieved by the PowerShell script from Dropbox is a VBScript (“info_sc.txt”), which, in turn, is designed to run arbitrary VBScript code retrieved from the cloud storage service, including a PowerShell script (“w568232.ps12x”).

The VBScript is also designed to use Windows Management Instrumentation (WMI) to execute commands on the system, and set up scheduled tasks on the system for persistence.

Another noteworthy aspect of the VBScript is the use of Google Docs to dynamically retrieve configuration data for the Dropbox connection, allowing the threat actor to change the account information without having to alter the script itself.

The PowerShell script downloaded as a result is equipped to gather extensive information about the system and exfiltrate the details via a POST request to Dropbox.

“The purpose of this script appears to be designed to serve as a tool for periodic communication with a command-and-control (C2) server via Dropbox,” the researchers said. “Its main purposes include encrypting and exfiltrating or downloading data.”

In other words, it acts as a backdoor to control the compromised hosts and continuously keep a log of user activity, including keystrokes, clipboard content, and the foreground window.

The development comes as security researcher Ovi Liber detailed North Korea-linked ScarCruft’s embedding of malicious code within Hangul Word Processor (HWP) lure documents present in phishing emails to distribute malware like RokRAT.

“The email contains a HWP Doc which has an embedded OLE object in the form of a BAT script,” Liber said. “Once the user clicks on the OLE object, the BAT script executes which in turn creates a PowerShell-based reflective DLL injection attack on the victims machine.”

It also follows Andariel’s exploitation of a legitimate remote desktop solution called MeshAgent to install malware like AndarLoader and ModeLoader, a JavaScript malware meant for command execution.

“This is the first confirmed use of a MeshAgent by the Andariel group,” ASEC said. “The Andariel Group has been continuously abusing the asset management solutions of domestic companies to distribute malware in the process of lateral movement, starting with Innorix Agent in the past.”

Andariel, also known by the names Nicket Hyatt or Silent Chollima, is a sub-cluster of the notorious Lazarus Group, actively orchestrating attacks for both cyber espionage and financial gain.

The prolific state-sponsored threat actor has since been observed laundering a chunk of the crypto assets stolen from the hack of crypto exchange HTX and its cross-chain bridge (aka HECO Bridge) through Tornado Cash. The breach led to the theft of $112.5 million in cryptocurrency in November 2023.

“Following common crypto-laundering patterns, the stolen tokens were immediately swapped for ETH, using decentralized exchanges,” Elliptic said. “The stolen funds then lay dormant until March 13, 2024, when the stolen crypto assets began to be sent through Tornado Cash.”

The blockchain analytics firm said that Tornado Cash’s continuation of its operations despite sanctions have likely made it an attractive proposition for the Lazarus Group to conceal its transaction trail following the shutdown of Sinbad in November 2023.

“The mixer operates through smart contracts running on decentralized blockchains, so it cannot be seized and shut down in the same way that centralized mixers such as Sinbad.io have been,” it noted.

Mar 15, 2024NewsroomBrowser Security / Phishing Attack

Google on Thursday announced an enhanced version of Safe Browsing to provide real-time, privacy-preserving URL protection and safeguard users from visiting potentially malicious sites.

“The Standard protection mode for Chrome on desktop and iOS will check sites against Google’s server-side list of known bad sites in real-time,” Google’s Jonathan Li and Jasika Bawa said.

“If we suspect a site poses a risk to you or your device, you’ll see a warning with more information. By checking sites in real time, we expect to block 25% more phishing attempts.”

Up until now, the Chrome browser used a locally-stored list of known unsafe sites that’s updated every 30 to 60 minutes, and then leveraging a hash-based approach to compare every site visited against the database.

Google first revealed its plans to switch to real-time server-side checks without sharing users’ browsing history with the company in September 2023.

The reason for the change, the search giant said, is motivated by the fact that the list of harmful websites is growing at a rapid pace and that 60% of the phishing domains exist for less than 10 minutes, making it difficult to block.

“Not all devices have the resources necessary to maintain this growing list, nor are they always able to receive and apply updates to the list at the frequency necessary to benefit from full protection,” it added.

Thus, with the new architecture, every time a user attempts to visit a website, the URL is checked against the browser’s global and local caches containing known safe URLs and the results of previous Safe Browsing checks in order to determine the site’s status.

Should the visited URL be absent from the caches, a real-time check is performed by obfuscating the URL into 32-byte full hashes, which are then truncated into 4-byte long hash prefixes, encrypted, and sent to a privacy server.

“The privacy server removes potential user identifiers and forwards the encrypted hash prefixes to the Safe Browsing server via a TLS connection that mixes requests with many other Chrome users,” Google explained.

The Safe Browsing server subsequently decrypts the hash prefixes and matches them against the server-side database to return full hashes of all unsafe URLs that match one of the hash prefixes sent by the browser.

Finally, on the client side, the full hashes are compared against the full hashes of the visited URL, and a warning message is displayed if a match is found.

Google also confirmed that the privacy server is nothing but an Oblivious HTTP (OHTTP) relay operated by Fastly that sits between Chrome and the Safe Browsing server to prevent the latter from access users’ IP addresses, thereby preventing it from correlating the URL checks with a user’s internet browsing history.

“Ultimately, Safe Browsing sees the hash prefixes of your URL but not your IP address, and the privacy server sees your IP address but not the hash prefixes,” the company emphasized. “No single party has access to both your identity and the hash prefixes. As such, your browsing activity remains private.”

Mar 15, 2024NewsroomMalvertising / Threat Intelligence

Chinese users looking for legitimate software such as Notepad++ and VNote on search engines like Baidu are being targeted with malicious ads and bogus links to distribute trojanized versions of the software and ultimately deploy Geacon, a Golang-based implementation of Cobalt Strike.

“The malicious site found in the notepad++ search is distributed through an advertisement block,” Kaspersky researcher Sergey Puzan said.

“Opening it, an attentive user will immediately notice an amusing inconsistency: the website address contains the line vnote, the title offers a download of Notepad‐‐ (an analog of Notepad++, also distributed as open-source software), while the image proudly shows Notepad++. In fact, the packages downloaded from here contain Notepad‐‐.”

The website, named vnote.fuwenkeji[.]cn, contains download links to Windows, Linux, and macOS versions of the software, with the link to the Windows variant pointing to the official Gitee repository containing the Notepad– installer (“Notepad–v2.10.0-plugin-Installer.exe”).

The Linux and macOS versions, on the other hand, lead to malicious installation packages hosted on vnote-1321786806.cos.ap-hongkong.myqcloud[.]com.

In a similar fashion, the fake look-alike websites for VNote (“vnote[.]info” and “vnotepad[.]com”) lead to the same set of myqcloud[.]com links, in this case, also pointing to a Windows installer hosted on the domain. That said, the links to the potentially malicious versions of VNote are no longer active.

An analysis of the modified Notepad– installers reveals that they are designed to retrieve a next-stage payload from a remote server, a backdoor that exhibits similarities with Geacon.

It’s capable of creating SSH connections, performing file operations, enumerating processes, accessing clipboard content, executing files, uploading and downloading files, taking screenshots, and even entering into sleep mode. Command-and-control (C2) is facilitated by means of HTTPS protocol.

The development comes as malvertising campaigns have also acted as a conduit for other malware such as FakeBat (aka EugenLoader) malware with the help of MSIX installer files masquerading as Microsoft OneNote, Notion, and Trello.

Mar 13, 2024The Hacker NewsFinancial Fraud / Mobile Security

The threat actors behind the PixPirate Android banking trojan are leveraging a new trick to evade detection on compromised devices and harvest sensitive information from users in Brazil.

The approach allows it to hide the malicious app’s icon from the home screen of the victim’s device, IBM said in a technical report published today.

“Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background,” security researcher Nir Somech said.

PixPirate, which was first documented by Cleafy in February 2023, is known for its abuse of Android’s accessibility services to covertly perform unauthorized fund transfers using the PIX instant payment platform when a targeted banking app is opened.

The constantly mutating malware is also capable of stealing victims’ online banking credentials and credit card information, as well as capturing keystrokes and intercepting SMS messages to access two-factor authentication codes.

Typically distributed via SMS and WhatsApp, the attack flow entails the use of a dropper (aka downloader) app that’s engineered to deploy the main payload (aka droppee) to pull off the financial fraud.

“Usually, the downloader is used to download and install the droppee, and from this point on, the droppee is the main actor conducting all fraudulent operations and the downloader is irrelevant,” Somech explained.

“In the case of PixPirate, the downloader is responsible not only for downloading and installing the droppee but also for running and executing it. The downloader plays an active part in the malicious activities of the droppee as they communicate with each other and send commands to execute.”

The downloader APK app, once launched, prompts the victim to update the app to either retrieve the PixPirate component from an actor-controlled server or install it if it’s embedded within itself.

What’s changed in the latest version of the droppee is the absence of activity with the action “android.intent.action.Main” and the category “android.intent.category.LAUNCHER” that allows a user to launch an app from the home screen by tapping its icon.

Put differently, the infection chain requires both the downloader and the droppee to work in tandem, with the former responsible for running the PixPirate APK by binding to a service exported by the droppee.

“Later, to maintain persistence, the droppee is also triggered to run by the different receivers that it registered,” Somech said. “The receivers are set to be activated based on different events that occur in the system and not necessarily by the downloader that initially triggered the droppee to run.”

“This technique allows the PixPirate droppee to run and hide its existence even if the victim removes the PixPirate downloader from their device.”

The development comes as Latin American (LATAM) banks have become the target of a new malware called Fakext that employs a rogue Microsoft Edge extension named SATiD to carry out man-in-the-browser and web injection attacks with the goal of grabbing credentials entered in the targeted bank site.

It’s worth noting that SAT ID is a service offered by Mexico’s Tax Administration Service (SAT) to generate and update electronic signatures for filing taxes online.

In select cases, Fakext is engineered to display an overlay that urges the victim to download a legitimate remote access tool by purporting to be the bank’s IT support team, ultimately enabling the threat actors to conduct financial fraud.

The campaign – active since at least November 2023 – singles out 14 banks operating in the region, a majority of which are located in Mexico. The extension has since been taken down from the Edge Add-ons store.

Users in Brazil are the target of a new banking trojan known as CHAVECLOAK that’s propagated via phishing emails bearing PDF attachments.

“This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware,” Fortinet FortiGuard Labs researcher Cara Lin said.

The attack chain involves the use of contract-themed DocuSign lures to trick users into opening PDF files containing a button to read and sign the documents.

In reality, clicking the button leads to the retrieval of an installer file from a remote link that’s shortened using the Goo.su URL shortening service.

Present within the installer is an executable named “Lightshot.exe” that leverages DLL side-loading to load “Lightshot.dll,” which is the CHAVECLOAK malware that facilitates the theft of sensitive information.

This includes gathering system metadata and running checks to determine whether the compromised machine is located in Brazil and, if so, periodically monitoring the foreground window to compare it against a predefined list of bank-related strings.

If it matches, a connection is established with a command-and-control (C2) server and proceeds to harvest various kinds of information and exfiltrate them to distinct endpoints on the server depending on the financial institution.

“The malware facilitates various actions to steal a victim’s credentials, such as allowing the operator to block the victim’s screen, log keystrokes, and display deceptive pop-up windows,” Lin said.

“The malware actively monitors the victim’s access to specific financial portals, including several banks and Mercado Bitcoin, which encompasses both traditional banking and cryptocurrency platforms.”

Fortinet said it also uncovered a Delphi variant of CHAVECLOAK, once again highlighting the prevalence of Delphi-based malware targeting Latin America.

“The emergence of the CHAVECLOAK banking Trojan underscores the evolving landscape of cyberthreats targeting the financial sector, specifically focusing on users in Brazil,” Lin concluded.

The findings come amid an ongoing mobile banking fraud campaign against the U.K., Spain, and Italy that entails using smishing and vishing (i.e., SMS and voice phishing) tactics to deploy an Android malware called Copybara with the goal of performing unauthorized banking transfers to a network of bank accounts operated by money mules.

“TAs [Threat actors] have been caught using a structured way of managing all the ongoing phishing campaigns via a centralized web panel known as ‘Mr. Robot,'” Cleafy said in a report published last week.

“With this panel, TAs can enable and manage multiple phishing campaigns (against different financial institutions) based on their needs.”

The C2 framework also allows attackers to orchestrate tailored attacks on distinct financial institutions using phishing kits that are engineered to mimic the user interface of the targeted entity, while also adopting anti-detection methods via geofencing and device fingerprinting to limit connections only from mobile devices.

The phishing kit – which serves as a fake login page – is responsible for capturing retail banking customer credentials and phone numbers and sending the details to a Telegram group.

Some of the malicious infrastructure used for the campaign is designed to deliver Copybara, which is managed using a C2 panel named JOKER RAT that displays all the infected devices and their geographical distribution over a live map.

It also allows the threat actors to remotely interact in real-time with an infected device using a VNC module, in addition to injecting fake overlays on top of banking apps to siphon credentials, logging keystrokes by abusing Android’s accessibility services, and intercepting SMS messages.

On top of that, JOKER RAT comes with an APK builder that makes it possible to customize the rogue app’s name, package name, and icons.

“Another feature available inside the panel is the ‘Push Notification,’ probably used to send to the infected devices fake push notifications that look like a bank notification to entice the user to open the bank’s app in such a way that the malware can steal credentials,” Cleafy researchers Francesco Iubatti and Federico Valentini said.

The growing sophistication of on-device fraud (ODF) schemes is further evidenced by a recently disclosed TeaBot (aka Anatsa) campaign that managed to infiltrate the Google Play Store under the guise of PDF reader apps.

“This application serves as a dropper, facilitating the download of a banking trojan of the TeaBot family through multiple stages,” Iubatti said. “Before downloading the banking trojan, the dropper performs advanced evasion techniques, including obfuscation and file deletion, alongside multiple checks about the victim countries.”

Mar 01, 2024NewsroomPhishing Kit / Cryptocurrency

A novel phishing kit has been observed impersonating the login pages of well-known cryptocurrency services as part of an attack cluster designed to primarily target mobile devices.

“This kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, mostly in the United States,” Lookout said in a report.

Targets of the phishing kit include employees of the Federal Communications Commission (FCC), Binance, Coinbase, and cryptocurrency users of various platforms like Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. More than 100 victims have been successfully phished to date.

The phishing pages are designed such that the fake login screen is displayed only after the victim completes a CAPTCHA test using hCaptcha, thus preventing automated analysis tools from flagging the sites.

In some cases, these pages are distributed via unsolicited phone calls and text messages by spoofing a company’s customer support team under the pretext of securing their account after a purported hack.

Once the user enters their credentials, they are either asked to provide a two-factor authentication (2FA) code or asked to “wait” while it claims to verify the provided information.

“The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on what additional information is requested by the MFA service the attacker is trying to access,” Lookout said.

The phishing kit also attempts to give an illusion of credibility by allowing the operator to customize the phishing page in real-time by providing the last two digits of the victim’s actual phone number and selecting whether the victim should be asked for a six or seven digit token.

The one-time password (OTP) entered by the user is then captured by the threat actor, who uses it to sign in to the desired online service using the provided token. In the next step, the victim can be directed to any page of the attacker’s choosing, including the legitimate Okta login page or a page that displays customized messages.

Lookout said the campaign shares similarities with that of Scattered Spider, specifically in its impersonation of Okta and the use of domains that have been previously identified as affiliated with the group.

“Despite the URLs and spoofed pages looking similar to what Scattered Spider might create, there are significantly different capabilities and C2 infrastructure within the phishing kit,” the company said. “This type of copycatting is common amongst threat actor groups, especially when a series of tactics and procedures have had so much public success.”

It’s currently also not clear if this is the work of a single threat actor or a common tool being used by different groups.

“The combination of high quality phishing URLs, login pages that perfectly match the look and feel of the legitimate sites, a sense of urgency, and consistent connection through SMS and voice calls is what has given the threat actors so much success stealing high quality data,” Lookout noted.

The development comes as Fortra revealed that financial institutions in Canada have come under the target of a new phishing-as-service (PhaaS) group called LabHost, overtaking its rival Frappo in popularity in 2023.

LabHost’s phishing attacks are pulled off by means of a real-time campaign management tool named LabRat that makes it possible to stage an adversary-in-the-middle (AiTM) attack and capture credentials and 2FA codes.

Also developed by the threat actor is an SMS spamming tool dubbed LabSend that provides an automated method for sending links to LabHost phishing pages, thereby allowing its customers to mount smishing campaigns at scale.

“LabHost services allow threat actors to target a variety of financial institutions with features ranging from ready-to-use templates, real-time campaign management tools, and SMS lures,” the company said.

Feb 28, 2024NewsroomPhishing Attack / Malware

Mexican users have been targeted with tax-themed phishing lures at least since November 2023 to distribute a previously undocumented Windows malware called TimbreStealer.

Cisco Talos, which discovered the activity, described the authors as skilled and that the “threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known as Mispadu in September 2023.

Besides employing sophisticated obfuscation techniques to sidestep detection and ensure persistence, the phishing campaign makes use of geofencing to single out users in Mexico, returning an innocuous blank PDF file instead of the malicious one if the payload sites are contacted from other locations.

Some of the notable evasive maneuvers include leveraging custom loaders and direct system calls to bypass conventional API monitoring, in addition to utilizing Heaven’s Gate to execute 64-bit code within a 32-bit process, an approach that was also recently adopted by HijackLoader.

The malware comes with several embedded modules for orchestration, decryption, and protection of the main binary, while also running a series of checks to determine if it’s running a sandbox environment, the system language is not Russian, and the timezone is within a Latin American region.

The orchestrator module also looks for files and registry keys to double-check that the machine hasn’t been previously infected, before launching a payload installer component that displays a benign decoy file to the user, as it ultimately triggers the execution of TimbreStealer’s primary payload.

The payload is designed to harvest a wide range of data, including credential information from different folders, system metadata, and the URLs accessed, look for files matching specific extensions, and verify the presence of remote desktop software.

Cisco Talos said it identified overlaps with a Mispadu spam campaign observed in September 2023, although the target industries of TimbreStealer are varied and with a focus on manufacturing and transportation sectors.

The disclosure comes amid the emergence of a new version of another information stealer called Atomic (aka AMOS), which is capable of gathering data from Apple macOS systems such as local user account passwords, credentials from Mozilla Firefox and Chromium-based browsers, crypto wallet information, and files of interest, using an unusual combination of Python and Apple Script code.

“The new variant drops and uses a Python script to stay covert,” Bitdefender researcher Andrei Lapusneanu said, noting the Apple Script block for collecting sensitive files from the victim’s computer exhibits a “significantly high level of similarity” with the RustDoor backdoor.

It also follows the emergence of new stealer malware families such as XSSLite, which was released as part of a malware development competition hosted by the XSS forum, even as existing strains like Agent Tesla and Pony (aka Fareit or Siplog) continued to be used for information theft and subsequent sale on stealer logs marketplaces like Exodus.