Malicious ads for restricted messaging applications target Chinese users

0
[ad_1]

An ongoing campaign of malicious ads has been targeting Chinese-speaking users with lures for popular messaging applications such as Telegram or LINE with the intent of dropping malware. Interestingly, software like Telegram is heavily restricted and was previously banned in China.

Many Google services, including Google search, are also either restricted or heavily censored in mainland China. Having said that, many users will try to circumvent those restrictions by using various tools such as VPNs.

The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojan (RATs) instead. Such programs gives an attacker full control of a victim’s machine and the ability to drop additional malware.

It may not be a coincidence that the malvertising campaigns are primarily focused on restricted or banned applications. While we don’t know the threat actor’s true intentions, data collection and spying may be one of their motives. In this blog post, we share more information about the malicious ads and payloads we have been able to collect.

Malicious ads

Visitors to google.cn are redirected to google.com.hk where searches are said to be uncensored. Doing a lookup for ‘telegram’ we see a sponsored search result.

The following description is associated with this ad:

TeIegram official application – TeIegram Chinese version download docs.google.com https://docs.google.com › 2024 › Official download Latest Telegram Understand your users Androd needs and engage them with relevant personalized solutions in real time. One of the top 5 most downloaded apps in the world with over 700 million active users.

Here is an ad for ‘LINE’

Description:

LINE is the largest communication platform that provides an end-to-end encrypted experience, allowing cross-platform communication across mobile phones, computers, tablets, etc. Simple, reliable, and free* private messages and calls can be used around the world.

We identified two advertiser accounts behind those ads, both of them being associated with a user profile in Nigeria:

Due to the number of ads for each of these accounts (including many unrelated to these campaigns), we believe they may have been taken over by the threat actors.

Infrastructure

This threat actor seems to rely on Google infrastructure in the form of Google Docs or Google sites. This allows them to insert links for the download or even redirect to other sites they control.

Malware payloads

We collected a number of payloads from this campaign, all in MSI format. Several of those used a technique known as DLL side-loading, which consists of combining a legitimate application with a malicious DLL that gets loaded automatically.

In the example above, the DLL is signed with a now revoked certificate from Sharp Brilliance Communication Technology Co., Ltd. which was also recently used to sign a PlugX RAT sample. (PlugX is a RAT from China that also performs DLL side-loading).

Not all dropped malware is new, in fact some were previously used in other campaigns and are variants of Gh0st RAT.

Active threat

A website and forum (bbs[.]kafan[.]cn) dedicated to security frequented by Chinese users keeps up with malware from these campaigns that they refer to as FakeAPP.

It also appears that the threat actor privileges quantity over quality by constantly pushing new payloads and infrastructure as command and control.

Online ads are an effective way to reach a certain audience, and of course they can be misused as well. People (such as activists) that live in countries where encrypted communication tools are banned or restricted will attempt to bypass these measures. It appears that a threat actor is luring potential victims with such ads.

The payloads are consistent with threats observed in the South Asia region, and we see similar techniques such as DLL side-loading that is quite popular with many RATs. This type of malware is ideal to gather information about someone and silently dropping additional components if and when necessary.

We have notified Google regarding the malicious ads and have reported the supporting infrastructure to the relevant parties.

Malwarebytes detects the malicious payloads upon execution.

Indicators of Compromise

Fake domains

telagsmn[.]com
teleglren[.]com
teleglarm[.]com

Redirectors

5443654[.]site
5443654[.]world

Payloads

CS-HY-A8-bei.msi
63b89ca863d22a0f88ead1e18576a7504740b2771c1c32d15e2c04141795d79a

w-p-p64.msi
a83b93ec2a5602d102803cd02aecf5ac6e7de998632afe6ed255d6808465468e

mGtgsotp_zhx64.msi
acf6c75533ef9ed95f76bf10a48d56c75ce5bbb4d4d9262be9631c51f949c084

cgzn-tesup.msi
ec2781ae9af54881ecbbbfc82b34ea4009c0037c54ab4b8bd91f3f32ab1cf52a

tpseu-tcnz.msi
c08be9a01b3465f10299a461bbf3a2054fdff76da67e7d8ab33ad917b516ebdc

C2s

47.75.116[.]234:19858
216.83.56[.]247:36061
45.195.148[.]73:15628

[ad_2]
Source link

New, useful feature for the Google Photos app is rolling out now

0
[ad_1]
Android and iOS users of the Google Photos app are receiving a new feature called Photo Stacks. According to a tweet from Artem Russakovski (via Forbes), you’ll know when Photo Stacks has been added to your phone. That’s because you will receive a pop-up message explaining that Photo Stacks has been automatically enabled on your handset. You can disable the feature directly from the pop-up or you can go into the app’s settings to disable the feature; we will explain how to do this later in this article.
Photo Stacks are collections of photos that were taken around the same time and are stacked under one thumbnail image. The only visible photo in the stack is the one on top which is the thumbnail for the entire stack. That photo is called the “top pick.” With Photo Stacks, you can avoid the typical scenario of scrolling through images and seeing similar photos one after one after one. That is the sort of thing that occurs if you take several shots in search of the perfect selfie or group photo.

Since you only see the “top pick” of a stack, users might find it harder to see a particular version of a photograph that they want to view. Doing this with Photo Stacks enabled will require a user to tap on the stack and go through each photo in the stack. One way to make this a bit easier is to look for a stack with a photo on top that is similar to the one that you’re looking for. Tap the stack to open it, and go through each photograph.

If having the Photo Stack enabled becomes too much of a pain in the butt, you can disable the feature by opening the Google Photos app and tapping the profile icon on the upper right corner of the screen. Press Google Photos settings and then Preferences. If you have the feature, you’ll see a listing that reads, “Stack similar photos.” It should be toggled on by default and you can disable it by pressing the toggle for “Stack similar photos.”


[ad_2]
Source link

Recent updates for YouTube Android app may cause crashing for some users

0
[ad_1]

Recent updates to the YouTube app for Android have reportedly caused a number of users to experience crashes. While not affecting everyone, reports of issues began to surface approximately a week ago on different different social media platforms, citing an unreliable experience when trying to use the app.The problem presents itself as videos loading, however no descriptions, comments, or linked videos will appear. After a few seconds, the app crashes and closing the app and restarting it simply repeats the process.
Meanwhile, posts on the YouTube subreddit, Google forums, and X/Twitter point to this being an issue that is being addressed on a newer version of the app, which has not yet rolled out to all. It is unknown which is the specific version that fixes the bug, but it appears to be the version currently being served to beta users. It is also unclear which specific version triggered the issue.
As mentioned by 9to5Google, at this point the only two options available to immediately correct the situation, include going back to an older version of the app or installing the beta version. Although it sounds simple enough, going back to an older version of the app doesn’t necessarily guarantee that you will end up on a version prior to when the issue began, and installing the beta version could prove difficult considering the Android beta program for the YouTube app is always full. Another option could be to sideload the beta version of the app, but that is a practice that is usually not recommended for inexperienced users.

Hopefully, a working version of the Android YouTube app rolls out soon to all the affected users. YouTube is a widely used app and not being able to use it on your Android device could severely impact your smartphone experience.


[ad_2]
Source link

198% Surge in Browser Based zero-hour Phishing Attacks

0
[ad_1]

The digital landscape is under siege. Surging browser-based phishing attacks, a 198% increase in just the second half of 2023, paint a chilling picture of cyber threats outsmarting traditional security. 

Menlo Security’s 2023 State of Browser Security Report unveils this alarming trend, sounding the alarm for organizations and individuals alike.

Document
Run Free ThreatScan on Your Mailbox

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

The Rise of Evasive Attacks

Gone are the days of easily identifiable phishing scams. 

Cybercriminals are now armed with highly evasive techniques, bypassing conventional defenses like network filters and email scanners. 

These HEATs (Highly Evasive Adaptive Threats), making up 30% of all browser-based attacks, employ tactics like:

  • SMS Phishing (Smishing): Luring victims with seemingly legitimate text messages.
  • Adversary in the Middle (AITM): Intercepting and manipulating web traffic on the fly.
  • Image-Based Phishing: Embedding malicious code within seemingly harmless images.
  • Brand Impersonation: Mimicking trusted websites to steal login credentials.
  • Multi-Factor Authentication (MFA) Bypass: Finding ways to circumvent even two-factor security.

Traditional security, built for known threats, stumbles against the lightning speed of zero-hour attacks. 

These novel phishing campaigns, observed at over 11,000 in just 30 days, exploit the vast and vulnerable attack surface of modern browsers. 

Worryingly, 75% of these attacks hide on trusted websites, cloaked in a veneer of legitimacy.

Despite technological advancements, the human element remains the weakest link. 

Phishing preys on our inherent trust and cognitive biases, tricking us into divulging sensitive information. 

This makes browser security the ultimate line of defense, protecting users at the point of interaction with the web.

Menlo Security: Shining a Light on the Dark Web

The report paints a stark picture, but not a hopeless one. Menlo Security offers a beacon of hope with its advanced browser security solutions

Leveraging cutting-edge AI and machine learning, Menlo’s technology detects and thwarts even the most sophisticated evasive attacks.

Key Takeaways for a Safer Web:

  • Evasive threats demand a new approach: Traditional security falls short. Look to advanced browser security solutions powered by AI.
  • Zero-hour attacks lurk everywhere: Don’t let trusted websites lull you into a false sense of security. Remain vigilant and practice safe browsing habits.
  • Your browser is the frontline: Prioritize comprehensive browser security to shield yourself from evolving cyber threats

David Miller, Policy Advocate: “This report calls for increased collaboration between cybersecurity researchers, technology companies, and policymakers. We need to share threat intelligence, develop best practices, and create regulatory frameworks that incentivize stronger browser security measures.”

Organizations should adopt efficient incident response plans, regularly monitor email traffic for anomalies, and stay updated on emerging threats to stay ahead of the evolving email threat landscape with Trustifi AI-powered Email security solutions.


[ad_2]
Source link

Pure Malware Tools Masquerade As Legitimate Software to Bypass Detections

0
[ad_1]

An extensive examination of the growing danger posed by the Pure malware family has been released, providing the industry with more insightful information about PureCrypter, PureLogs, and PureMiner.

ANY. RUN has disclosed that Pure tools are disguised as legitimate software designed for “educational purposes.” However, a close examination of the code reveals that it is a powerful malicious tool.

ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use ANY.RUN platform to investigate incidents and streamline threat analysis.  If you’re a security researcher or an analyst, you can request 14 days of free access to the ANY.RUN Enterprise plan.    

Specific information on the Pure Malware Family

PureCoder products were first distributed in March 2021, as per the information given by the developer’s old website. There’s a message on Pure’s current website saying that the software is used for penetration testing and educational reasons on the home page.

Website lies about educational and pentesting nature of the software
Website lies about educational and pentesting nature of the software

It’s important to note, though, that there seems to be a pattern where the code that is sold is being used for malicious purposes.

Document
Analyse Shopisticated Malware with ANY.RUN

More than 300,000 analysts use ANY.RUN is a malware analysis sandbox worldwide. Join the community to conduct in-depth investigations into the top threats and collect detailed reports on their behavior..

The Telegram bot sales have been noted in Pure updates since March 2023. Telegram bots automate and anonymize the malware purchase process. The use of bots indicates that the author is growing, expanding, and refining the service.

Products the group distributes under the guise of “educational purposes”
Products the group distributes under the guise of “educational purposes”

These products are given to educate users; however, it appears strange that they include hidden HVNC, botnets, and silent miners. Pure’s online comments and evaluations indicate a strong level of demand, with at least a few transactions made each month.

Users must make cryptocurrency payments In Bitcoin. More than one Bitcoin wallet is available on the payment page. These wallets are probably a component of a Bitcoin mixer.

Recently, in Q4, ANY.RUN discovered the use of T1036.005 in over 98,500 malicious samples. You can see what the top malware families, Types, Tactics, Techniques, and Procedures (TTPs) used by attackers in 2023 can tell us about what to expect in 2024.

PureCrypter is a crypter (or obfuscator) with encryption and data obfuscation algorithms. Combined, they prevent antivirus software from detecting malware, making analysis more challenging for researchers.

Behavior flow of PureCrypter
Behavior flow of PureCrypter

There are two payload stages on the loader: staged and stage-less. Costura and Protobuf-net libraries are among the decrypted resources. 

Data is deserialized and combined with the compressed malware to generate a configuration using Protobuf-net. When the malware has finished decompressing, it is finally launched in a new process with configuration parameters.

We can see that the entrance points of PureCrypter, both staged and stage-less, are the same. Hence, they are nearly identical.

PureCrypter can deliver two different kinds of payloads: 3rd party malware or its own proprietary product, PureLogs.

Like the stage-less process, third-party malware starts by decrypting and loading the.NET Assembly resource. This also occurs with AES (Rijndael) encryption in the same way.

The NET Reactor protector usually uses a loader to spread the PureLogs malware. A small library called PureLogs is engaged in data theft. The loader typically loads the library from a C2 server.

PureLogs Loader
PureLogs Loader

An encrypted message is transmitted and an encrypted response is received in the initial connection, according to an analysis of the loading traffic. All of this takes place inside the loader.

The response includes an extra serialization layer and is re-encrypted via byte reversal, but the two messages in the initial connection are encrypted similarly. The program forwards this message to the server after encrypting it. Four bytes indicating the message’s size come first, then the message itself.

A multifunctional stealer is PureLogs. Obfuscation and obfuscation techniques complicate PureLogs’ analysis, just like they do PureCrypter’s. This is sometimes confused with ZGRat, which is commonly found in the samples of the Pure family.

The library gathers information from the system by looping through many functions, such as browser data including extensions, data about crypto wallets, complete information about the user and full information about the PC configuration.

Experts discovered distinct samples with PureCrypter and PureLogs-like signatures. These signatures had the same traffic patterns, a structure similar to PureCrypter and PureLogs, same code behavior (proto-buf module), and 3DES encryption (key encrypted using MD5Crypto).

PureMiner
PureMiner

PureMiner gathers information on the system and sends it to C2. Following that, it gets a response along with mining guidelines.

Final Words

The code analysis clearly shows that it is a potent malicious tool. Its developers have just started spreading it using a Telegram bot, suggesting that they are expanding their business.

It is very likely that shortly, its popularity will begin to rise.

Perform in-depth malware analysis in ANY.RUN. Try all features for 14 days for free.


[ad_2]
Source link

Powerloom to Hold First Ever Node Mint on Polygon Network

0
[ad_1]

Powerloom, the composable data network, has just announced a partnership with Polygon Network. In a first-of-its-kind event on Polygon, Powerloom is set to launch a node mint, marking a significant evolution towards their vision of the decentralization of on-chain data markets.

To democratize web3 data accessibility, Powerloom aims to establish 10,000 independently run nodes. This will be facilitated by a node mint scheduled on Feb 7th. Participants who mint a Soul-Bound Token (SBT) will be awarded the right to operate a Powerloom Snapshotter Lite node.

This will provide a fair way for community members to obtain a node and support network operations on Powerloom. After acquiring an SBT, the holder will earn the right to operate a Powerloom Snapshotter Lite node.

Node operators will be able to contribute to Powerloom composable data markets while earning rewards. They will also be able to provide feedback and help test critical infrastructure to help enhance Powerloom’s composable data network. 

After significant participation of over 20,000 onboarded members on its Incentivized Testnet with Coinlist, this new node initiative is a lighter version of Powerloom’s existing Snapshotter node, tailored to be user-friendly and requiring minimal technical experience. This allows participants to contribute to the Powerloom network actively, fostering composable data accessibility and opening pathways to future incentives.

Powerloom Founder Swaroop Hegde said: “By making our node initiative more accessible, we’re inviting broader participation while fostering a culture of learning. This approach allows participants to directly engage with and understand the architecture of a protocol that has been decentralized from the start. These new nodes testify to our commitment to creating a composable and accessible data network that empowers users and developers alike.”

Polygon Co-Founder Sandeep Nailwal added: “Partnering with Powerloom represents a significant step forward for Polygon. I am excited to see Powerloom set as the first infrastructure launch on Polygon. Their approach to creating a composable data network aligns perfectly with our vision for a more interconnected and efficient web3 ecosystem.”

About Powerloom

Powerloom Protocol is a composable data network primarily aimed at serving the on-chain data needs of smart contract-based applications like DeFi, GameFi, NFTs, and more.

Powerloom incentivizes participating peers to reach a consensus on state transitions and event emissions observations across many smart contracts. By utilizing data compositions on smaller, consensus-reached data units, Powerloom stands as a peer-validated and accurate information source, empowering rich data applications like dashboards, bots, aggregators, and insights trackers. 

  • Learn more: powerloom.io
  • Mint site: mint.powerloom.network
  1. Particle Network to Simplify and Secure Web3
  2. GAM3S.GG Raises $2M to Grow Web3 Gaming Superapp
  3. Web3 Requires Decentralized Infrastructure Beyond IPFS
  4. Finclusive, Verida, and cheqd Launch Reusable KYC/KYB Solution
  5. “READYgg Transforms 15M Web2 Players to Web3 with Aptos Labs

[ad_2]
Source link

Google Meet update brings closed captions for over 30 languages

0
[ad_1]

Captions and translated captions are very useful features for Google Meet users. Thanks to the ability to view subtitles as everyone speaks while in a meeting removes all language barriers and makes communications more accessible.

Google Meet features closed captions on the web, Android, and iOS, but the feature must be enabled to work after joining a meeting. Starting today, support for closed captioning expands to no less than 31 additional languages.

Some of the newly supported languages will initially appear with a “beta” tag, which denotes the fact that Google continues to optimize support for specific languages available for closed captioning.

If you’re heavily relying on this feature in Google Meet, here is the full list of languages that support closed captioning: Afrikaans, Albanian, Amharic, Armenian, Australian English, Basque, Burmese, Catalan, English (India), English (Philippines), Estonian, Farsi, Filipino, Galician, Georgian, Hungarian, Javanese, Latvian, Macedonian, Mongolian, Nepali, Norwegian, Sinhala, Slovak, Slovenian, Sundanese, Tamil (India), Telugu (India), Urdu, Uzbek, and Zulu.

The new update should already be available to all Google Workspace customers and users with personal Google Accounts. Keep in mind that you don’t need to do anything to get support for these languages except making sure that closed captions are enabled after joining a meeting.

[ad_2]
Source link

Patch now! Fortra GoAnywhere MFT vulnerability exploit available

0
[ad_1]

On January 22, 2024, software company Fortra warned customers about a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) that allows an attacker to create a new admin user.

Fortra GoAnywhere MFT is a file transfer solution that organizations use to exchange their data. Some of the organizations that use GoAnywhere MFT are considered vital infrastructure such as local governments, financial companies, healthcare organizations, energy firms, and technology manufacturers.

The flaw impacts Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier.

Customers should either install the latest update (now at 7.4.1) to fix the vulnerability, or eliminate the vulnerability in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see this advisory for customers (registration required).

By handing out these specific instructions it was to be expected that exploit code would come sooner rather than later. And, indeed, researchers were quick to analyze the flawed file and come up with an exploit and Proof-of-Concept (PoC) code.

Fortra told BleepingComputer earlier that there have been no reports of attacks exploiting this vulnerability. This might change quickly now that exploit code is readily available. To find out if your instance was compromised you should look for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section. Any new and unknown administrative users indicate a compromise and the login date will give you an idea about the time of compromise.

You can also look at the logs for the database which are stored at \GoAnywhere\userdata\database\goanywhere\log\*.log. These files contain a transactional history of the database, adding users will create entries in that log.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This vulnerability is listed as:

CVE-2024-0204: Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

Basically it’s a path traversal flaw that allow attackers to read, and write to, restricted files by inputting path traversal sequences like ../ or /..;/ into file or directory paths.

If the mention of the name of Fortra GoAnywhere sent shivers down your security sensors, you may have been reminded of the exploitation by the Clop ransomware gang of a vulnerability in the same software last year.

Despite several warnings about last year’s vulnerability, a great many victims were made even after the patch was available.

Let’s hope we are capable of learning from the mistakes we made in the past.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.


[ad_2]
Source link

Galaxy S24 Ultra scratch test is here, both display & frame tested

0
[ad_1]

The Samsung Galaxy S24 Ultra durability test appeared on YouTube recently, courtesy of PBKReviews. That very same source just shared yet another test with the public, the Galaxy S24 Ultra scratch test.

The Galaxy S24 Ultra gets submitted to a scratch test, both its display and frame

The phone gets tested in a YouTube video which is embedded below the article. Both its display and frame get tested in the video. As a reminder, the Galaxy S24 Ultra comes with a titanium frame, and all-new Gorilla Armor screen protection.

In the video, the tester used the Mohs hardness test kit, like the one JerryRigEverything is usually using. The display started scratching at level 7, but the tester says that the marks are so faint that he doesn’t even consider them scratches. So you’ll get visible scratches at a level 8, it seems. The phone seems to be doing better than the Galaxy S23 Ultra with the Gorilla Glass Victus 2.

Corning’s Gorilla Armor is making a difference

Just to give you some clarification, Corning did say that the Gorilla Armor protection is more resistant to micro scratches. It also tackles reflections like a champ.

Having said that, the scratch resistance of the titanium frame was also tested in this video. Scratches start showing up at level 5. We don’t see many scratch tests of smartphone frames, so there you go.

As many of you know, this is the first time Samsung is using a titanium frame on one of its phones. It’s also the very first time any phone is using Gorilla Armor screen protection.

It’s safe to say that the phone did well in this test. The display resisted scratches really well, while we don’t really have a lot of comparison frame scratches on offer, but this only proves that titanium can be scratched, so using a case may be your best bet.


[ad_2]
Source link