Bitdefender Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Researchers Found 35 Malware on Google Play, Overall Installed 2,000,000 Times
https://gridinsoft.com/blogs/google-play-malware/
Published Tue, 23 Aug 2022 09:17:50 +0000

Bitdefender experts found 35 malicious apps in the Google Play Store that served unwanted ads and that users had downloaded more than 2,000,000 times in total.

Let me remind you that we previously wrote that about 8% of apps in the Google Play Store are vulnerable to a bug in the Play Core library, and also that Mandrake malware was hiding on Google Play for more than four years.

The researchers say the apps followed the classic tactic of luring users in by pretending to perform some specialized function, then changing their name and icon after installation, making them harder to find and remove later. As a rule, the malware changes its icon to a gear and renames itself to Settings, but sometimes it imitates Motorola, Oppo or Samsung system applications.

After infiltrating the victim’s device, applications begin to display intrusive ads, abusing the WebView, and thereby generating ad revenue for their operators. Also, since these apps use their own ad loading framework, it is likely that additional malicious payloads could be delivered to the compromised device.

The detected malware uses several methods of disguise, including delaying update requests as long as possible in order to remain hidden on the device more reliably. In addition, if the victim does find the suspicious Settings entry and opens it, the malicious app launches a view of size 0 so that nothing is visible on screen. The malware then opens the real settings menu to make the user think they are running a genuine app.


Analysts also note that the malware uses complex obfuscation and encryption to make reverse engineering difficult and hide the main payload in two encrypted DEX files.

The list of the most popular malicious applications (over 100,000 downloads) can be seen below. At the same time, it must be said that most of them have already been removed from the official Google store, but are still available in third-party app stores, including APKSOS, APKAIO, APKCombo, APKPure and APKsfull.

  1. Walls light – Wallpapers Pack (gb.packlivewalls.fournatewren);
  2. Big Emoji – Keyboard 5.0 (gb.blindthirty.funkeyfour);
  3. Grand Wallpapers – 3D Backdrops 2.0 (gb.convenientsoftfiftyreal.threeborder);
  4. Engine Wallpapers (gb.helectronsoftforty.comlivefour);
  5. Stock Wallpapers (gb.fiftysubstantiated.wallsfour);
  6. EffectMania – Photo Editor 2.0 (gb.actualfifty.sevenelegantvideo);
  7. Art Filter – Deep Photoeffect 2.0 (gb.crediblefifty.editconvincingeight);
  8. Fast Emoji Keyboard APK (de.eightylamocenko.editioneights);
  9. Create Sticker for Whatsapp 2.0 (gb.convincingmomentumeightyverified.realgamequicksix);
  10. Math Solver – Camera Helper 2.0 (gb.labcamerathirty.mathcamera);
  11. Photopix Effects – Art Filter 2.0 (gb.mega.sixtyeffectcameravideo);
  12. Led Theme – Colorful Keyboard 2.0 (gb.theme.twentythreetheme);
  13. Animated Sticker Master 1.0 (am.asm.master);
  14. Sleep Sounds 1.0 (com.voice.sleep.sounds);
  15. Personality Charging Show 1.0 (com.charging.show);
  16. Image Warp Camera;
  17. GPS Location Finder (smart.ggps.lockakt).

The post Researchers Found 35 Malware on Google Play, Overall Installed 2,000,000 Times appeared first on Gridinsoft Blog.

New BHUNT malware hunts for cryptocurrency wallets
https://gridinsoft.com/blogs/new-bhunt-malware-hunts-for-cryptocurrency-wallets/
Published Sat, 22 Jan 2022 09:50:57 +0000

Bitdefender researchers have described a new modular malware, BHUNT, that steals the contents of cryptocurrency wallets, passwords and secret phrases.

The new malware is spreading all over the world: in Australia, Egypt, Germany, India, Indonesia, Japan, Malaysia, Norway, Singapore, South Africa, Spain and the USA. The exact mechanism for delivering the malware to users’ machines is still unclear, but the experts suspect that cracked installers of various software are used for this.

If you’re interested, check out: Malware vs. virus difference explained.

The use of cracks as a source of infection is not a new trend: earlier campaigns, for example, used tools such as KMSPico to deploy malware.

“Most of the infected users had some form of Windows crack (KMS) on their systems”, the report notes.

The main component of BHUNT is mscrlib.exe, which extracts additional modules that run on the infected system to perform various malicious actions.


Each of these modules is designed for a specific purpose, from stealing cryptocurrencies to stealing passwords. The following modules are currently included in the BHUNT executable:

  • blackjack: steals the contents of the wallet file, base64-encodes it and uploads it to the criminals’ server;
  • chaos_crew: loads additional payloads;
  • golden7: steals passwords from the clipboard and uploads files to the hacker’s server;
  • sweet_Bonanza: steals information from browsers (Chrome, IE, Firefox, Opera, Safari);
  • mrpropper: cleans up traces left in the system.

“Although the malware is primarily aimed at stealing information related to cryptocurrency wallets, it can also collect passwords and cookies stored in browser caches. Such data can include passwords for social media accounts, banking, and so on, which can ultimately lead to the capture of someone else’s online identity”, the researchers warned.

The company emphasized that the most effective way to protect against such threats is to avoid installing software from untrusted sources and install updates in a timely manner (including for security products).

Let me remind you that we also wrote that scammers spread malware under the guise of the Brave browser.

Added utility for decrypting data after REvil attacks
https://gridinsoft.com/blogs/added-utility-for-decrypting-data-after-revil-attacks/
Published Fri, 17 Sep 2021 16:13:51 +0000

The Romanian company Bitdefender has published a universal utility for decrypting data affected by REvil (Sodinokibi) ransomware attacks.

The tool works for any data encrypted before July 13, 2021.

However, the company has so far refused to provide any details, citing an ongoing investigation.

Let me remind you that on July 13 of this year the entire REvil infrastructure went offline without explanation. The shutdown covered a whole network of regular and darknet sites that were used to negotiate ransoms and leak data stolen from victims, as well as the ransomware’s internal infrastructure.

Not long before that, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks. In addition, shortly before the attack on Kaseya customers, REvil hit the front pages of many publications when it attacked JBS, the world’s largest supplier of beef and poultry and the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and elsewhere, serving clients in 190 countries around the world.

As a result, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

Shortly thereafter, REvil went offline for several months and only returned to service on September 7, 2021. According to information security companies, REvil operators re-activated their old sites and created new profiles on the forums.

At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some experts suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks or that REvil had fully resumed its activity. However, late last week, someone uploaded a new REvil sample dated September 4 to VirusTotal. Shortly thereafter, the hackers published screenshots of data stolen from a new victim on their darknet website.

P2P botnet Interplanetary Storm accounts more than 9000 devices
https://gridinsoft.com/blogs/p2p-botnet-interplanetary-storm-accounts-more-than-9000-devices/
Published Mon, 19 Oct 2020 16:45:41 +0000

Bitdefender experts have published a detailed analysis of the P2P botnet Interplanetary Storm (aka IPStorm), which uses infected devices as proxies.

According to researchers, the botnet includes more than 9,000 hosts (according to other sources, the number of infected devices exceeds 13,500), the vast majority of which are running Android, and about one percent are running Linux and Darwin.

“These are various routers, NAS, UHD receivers, multifunctional boards (for example, Raspberry Pi) and other IoT devices. Most of the infected devices are located in Hong Kong, South Korea and Taiwan”, the researchers said.

The researchers write that the purpose of the botnet can be guessed by the specialized nodes that are part of the malware’s control infrastructure:

  • a proxy server that pings other nodes to confirm their availability;
  • proxy checking program that connects to the bot’s proxy server;
  • a manager node that issues commands for scanning and brute-forcing;
  • backend interface responsible for hosting Web API;
  • a node that uses cryptographic keys to authenticate other devices and sign authorized messages;
  • node used for development.

Overall, this infrastructure covers node availability checks, proxy connections, Web API hosting, signing of authorized messages, and even testing of the malware at the development stage, the researchers say.

“This all suggests that the botnet is being used as a proxy network, probably offered as an anonymization service”, the Bitdefender report says.

Interplanetary Storm spreads by scanning for SSH servers and guessing weak passwords. The malware itself is written in Go, and the report emphasizes that its main functions were written from scratch rather than borrowed from other botnets, as often happens. In total, the researchers found more than 100 revisions of the malware code, which suggests that development of Interplanetary Storm is gaining momentum.

The malware code integrates implementations of the open protocols NTP, UPnP and SOCKS5, as well as the libp2p library for its peer-to-peer functionality. The malware also uses a libp2p-based networking stack to interact with IPFS.

(Figure: Interplanetary Storm scheme)

“Compared to other Go malware we’ve analyzed in the past, IPStorm is notable for its complex design of module interactions and the way it uses libp2p constructs. It is clear that the attacker behind this botnet has a good command of Go”, the experts summarize.

Hackers use in attacks malicious plugin for 3Ds Max
https://gridinsoft.com/blogs/hackers-use-in-attacks-malicious-plugin-for-3ds-max/
Published Wed, 26 Aug 2020 16:14:03 +0000

Bitdefender experts have discovered a hacker group that is attacking companies around the world using a malicious plugin for 3Ds Max.

On August 10, 2020, 3Ds Max developer Autodesk posted a warning about the PhysXPluginMfx malicious module that abuses MAXScript, a scripting utility that comes with 3Ds Max.

“The PhysXPluginMfx plugin is capable of performing malicious operations through MAXScript, corrupting 3Ds Max settings, executing malicious code, and infecting other .max files on Windows and spreading them to other users who receive and open such files”, warned Autodesk developers.

Bitdefender experts have studied this malicious plugin in detail and now report that its real purpose was to deploy a backdoor Trojan, which the attackers used to search infected machines for confidential files and then steal important documents. According to the experts, the control servers of this hack group are located in South Korea.

(Figure: Scheme of the attack)

Researchers have found at least one victim of the attackers: it turned out to be an unnamed international company, which is currently conducting several architectural projects on four continents, together with developers of luxury real estate, totaling more than a billion US dollars.

“After examining our own telemetry, we found other [malware] samples that also interacted with this C&C server. This means that this group was not limited to developing malware only for the victim in respect of whom we conducted an investigation”, write Bitdefender analysts.

These malware samples connected to the C&C server from countries such as South Korea, the United States, Japan, and South Africa. Based on this, the researchers suggest that there are other victims of the hack group in these countries. Although the malware has contacted C&C servers only within the last month, experts write that this does not mean that the group has been active for such a short time. Most likely, earlier the attackers simply used a different C&C server.

“They seem to have a good understanding of what they are doing and may have been unnoticed by security experts for a while”, say the researchers.

Bitdefender analysts believe that this group may be an example of hackers-for-hire who sell their services and carry out industrial espionage on behalf of other criminals.

Interestingly, this is not the first time that cybercriminals have exploited Autodesk products for their own purposes. For example, in 2018, Forcepoint analysts published a report on an industrial espionage campaign that targeted firms using AutoCAD in their work.

In addition, this year cybersecurity experts discovered Valak malware, that steals corporate data using Microsoft Exchange servers.

Mandrake malware was hiding on Google Play for more than four years
https://gridinsoft.com/blogs/mandrake-malware-was-hiding-on-google-play-for-more-than-four-years/
Published Fri, 15 May 2020 16:57:11 +0000

Bitdefender experts found Mandrake spyware in the official Android app store, hiding on Google Play for four years (since 2016).

The malware established full control over infected devices, collected credentials and GPS location data from them, made screen recordings, and so on.

At the same time, the malware carefully avoided infections in countries such as Ukraine, Belarus, Kyrgyzstan and Uzbekistan, Africa and the Middle East.

Mandrake has a three-stage structure, which allowed its operators to avoid detection by Google Play security mechanisms for a long time. It all started with a harmless dropper placed in the official application catalog and disguised as a legitimate application, such as a horoscope or cryptocurrency converter.


When such an application was installed on the victim’s device, the dropper downloaded a loader from a remote server. At the same time, the dropper itself was able to remotely turn on Wi-Fi, collect information about the device, hide its presence from the victim and automatically install new applications.

In turn, the loader was responsible for downloading and installing the Mandrake malware itself.

“The malware completely compromised the target device, gave itself administrator privileges (the request for rights was masked as a license agreement), after which it gained wide opportunities: forwarding all incoming SMS messages to the attackers’ server; sending messages; making calls; stealing information from the contact list; activating and tracking the user’s location via GPS; stealing Facebook credentials and financial information and screen recording”, report Bitdefender specialists.

Additionally, the malware carried out phishing attacks on Coinbase, Amazon, Gmail, Google Chrome, applications of various banks in Australia and Germany, the currency conversion service XE and PayPal.


Worse, Mandrake is able to reset the infected device to factory settings in order to erase user data, as well as all traces of the malware’s activity. When the attackers had received all the information they needed from the victim, Mandrake went into “destruction mode” and erased itself from the device.

“We believe that the number of victims of Mandrake is tens or even hundreds of thousands, but we don’t know the exact number”, writes Bitdefender expert Bogdan Botezatu.

The company’s researchers believe that for four years, all spyware attacks were coordinated by its operators manually and were not fully automated, as is usually the case. They also note that Mandrake was not spread by spam, and it seems that the attackers carefully selected all their victims.

Specialists were able to trace the Mandrake developer account on Google Play to a certain Russian-speaking freelancer hiding behind a network of fake company websites, stolen IDs and email addresses, as well as fake job ads in North America.

And since it is Friday, let me remind you that for eight years the Cereals botnet existed for only one purpose: it downloaded anime.
