CapraRAT Mimics As Popular Android Apps Attacking Android Users


Transparent Tribe (aka APT36) has been active since 2016, focusing on social engineering strategies to target Indian government and military personnel.

The CapraTube campaign of Transparent Tribe (aka APT36) was revealed in September 2023; in it, the threat actors used weaponized Android apps posing as YouTube, mostly in romance-themed lures.

Cybersecurity researchers at SentinelLabs recently identified new CapraRAT samples that mimic popular Android apps to target Android users.

The latest samples show the spyware being made compatible with both older and modern versions of Android, which reflects the group’s adaptability and its continued effort to widen its reach against Indian targets.

CapraRAT As Android Apps

The code of these apps contains obfuscated URLs and uses WebView to load YouTube and CrazyGames[.]com. The “Sexy Videos” app still relies on romance-themed social engineering.

One app, labeled “TikTok”, launches YouTube with the preloaded query “Tik Toks.” Another, labeled “Weapons”, opens the Forgotten Weapons YouTube channel, while a third, “Crazy Games”, loads CrazyGames[.]com.

New CapraRAT APKs (Source – Sentinel Labs)

SentinelLabs researchers said this shift in CapraRAT’s modus operandi shows its flexibility and its use of genuine platforms as a smokescreen for malicious activity, while its core function of obtaining sensitive device permissions is retained.

The latest CapraTube campaign continues with the same old romance-themed social engineering using such apps. These apps open YouTube and run theme-related searches.

Although some permissions requested by earlier versions have been dropped, the malware still asks for many dangerous permissions in support of its surveillance features.

Compared with the September 2023 campaign, the new builds target Android 8.0 (Oreo) and later, which makes them compatible with modern devices.

They still request suspicious permissions while running correctly on current Android releases, and a new WebView class has been added to retain compatibility with older Android versions.

Despite these updates, the malware’s core functionality is largely unchanged and remains focused on surveillance.

The CapraRAT spyware is started from MainActivity and uses the TCHPClient class for its malicious functionality, which includes audio streaming, call recording, contact logging, file browsing, and SMS sniffing.

The samples use specific hostnames and IP addresses to communicate with their C2 servers, some of which are linked to other malware such as CrimsonRAT.
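The permission review described above can be automated over a decoded AndroidManifest.xml. What follows is an added example, not code from SentinelLabs or from the CapraRAT samples: the manifest, the package name and the permission-to-capability table are constructed for illustration, and a real APK’s binary manifest first has to be decoded with a tool such as apktool. The check flags runtime permissions that a simple YouTube/WebView wrapper has no reason to need and records whether the build targets Android 8.0 (API level 26) or newer.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Our own triage table (assumption, not extracted from CapraRAT): runtime
# permissions mapped to the surveillance capability they enable.
SPYWARE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "audio streaming / call recording",
    "android.permission.READ_CALL_LOG": "call logging",
    "android.permission.READ_PHONE_STATE": "call state monitoring",
    "android.permission.READ_CONTACTS": "contact logging",
    "android.permission.READ_SMS": "SMS sniffing",
    "android.permission.RECEIVE_SMS": "SMS sniffing",
    "android.permission.READ_EXTERNAL_STORAGE": "file browsing",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.CAMERA": "camera capture",
}

# A WebView front-end for YouTube legitimately needs little beyond these.
EXPECTED_FOR_WEBVIEW_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed manifest for a fake "video" app; NOT a real CapraRAT manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sexyvideos">
    <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="33"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Sexy Videos">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, min_sdk, target_sdk, permissions) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(ANDROID_NS + "minSdkVersion", "1")) if sdk is not None else 1
    target_sdk = int(sdk.get(ANDROID_NS + "targetSdkVersion", str(min_sdk))) if sdk is not None else min_sdk
    perms = {p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")}
    return root.get("package"), min_sdk, target_sdk, perms


def triage(xml_text):
    """Flag surveillance permissions a WebView wrapper should not need."""
    package, min_sdk, target_sdk, perms = parse_manifest(xml_text)
    suspicious = {p: SPYWARE_PERMISSIONS[p] for p in sorted(perms) if p in SPYWARE_PERMISSIONS}
    # Anything outside both tables is worth a manual look.
    unexplained = sorted(perms - EXPECTED_FOR_WEBVIEW_APP - set(SPYWARE_PERMISSIONS))
    return {
        "package": package,
        "min_sdk": min_sdk,
        "target_sdk": target_sdk,
        "supports_oreo_or_newer": min_sdk >= 26,
        "suspicious": suspicious,
        "unexplained": unexplained,
        # Threshold is our own heuristic: three or more surveillance permissions.
        "verdict": "spyware-like" if len(suspicious) >= 3 else "review",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The threshold and the capability table are starting points for a triage queue, not a classifier; a legitimate messaging app will also hit several of these entries, so the verdict should be read together with what the app claims to do.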

The latest updates aim to enhance the software’s reliability and ensure its compatibility with newer Android versions.

The social engineering lures target specific groups, such as mobile gamers or weapons enthusiasts.

Users should pay attention to the permissions an app requests at install time and be wary of requests that have no relation to the app’s stated purpose.

Incident responders should monitor for the network indicators and method names associated with CapraRAT.

IoCs

IoCs  (Source – Sentinel Labs)




HONOR Magic V3 launch date has just been announced


The HONOR Magic V3 launch date has been announced by the company. The device will become official on July 12, so in 10 days. It will launch in China, and it won’t be the only device to arrive.

The HONOR Magic V3 launch date has been announced, and it’s not coming alone

HONOR will also announce the Magic Vs3, MagicPad 2, and MagicBook Art 14. It will be a packed event, it seems. Two foldable phones, a tablet, and a laptop will all arrive. The HONOR Magic V3 is definitely in focus, though.

HONOR Magic V3 launch event announcement

That smartphone will become the company’s new foldable flagship. The HONOR Magic V2 managed to leave quite an impression on us due to its thin profile. That was the first device that actually felt like a regular smartphone during use, and it was a book-style foldable.

The HONOR Magic V3, based on rumors, will push things even further. It’s said to be even thinner than its predecessor, and even lighter too. HONOR is looking to push the boundaries yet again.

The phone’s camera setup is a mystery, and we’re expecting to see an improvement

Let’s hope that HONOR will also improve its camera setup. That’s a big ask considering that the phone is expected to be even more compact than its predecessor, but let’s see what HONOR can do in that regard.

The company didn’t really want to overdo the camera hardware in the Magic V2, probably due to the thickness and heft. And even though it had a really good camera setup, HONOR can certainly do better based on the company’s flagship smartphone (the regular one).

The HONOR Magic Vs3 will likely be a cheaper variant of the HONOR Magic V3. It’s a bit surprising those two devices are coming at the same time, but there you have it. The HONOR Magic V2 did launch globally, though it arrived 6 months after the initial launch. Let’s hope that HONOR will move a bit more quickly this time around.



Google Tensor G5 design is ready, coming with Pixel 10


Google has completed the design of the Tensor G5 SoC, a chip that will fuel the Pixel 10 next year. That chip is now ready to be sent to the foundry for fabrication. This one will be manufactured by TSMC, by the way.

The Google Tensor G5 design is ready, coming next year

The information regarding the finished design process comes from Taiwan. The Pixel 10 series will be the first to utilize this processor. Other Pixel products are expected to include it after that, though, of course.

This chip will be made using TSMC’s second-gen 3nm node aka N3E. This chip is expected to be a considerable jump compared to everything else Google made thus far. Google designed it itself, and TSMC’s second-gen 3nm node is the right way to manufacture it.

The Google Tensor G5 is probably the chip Google hopes will compete with the best processors out there. It is expected to be immensely powerful, in addition to being designed specifically for Pixel products.

Pixel users had to deal with some questionable SoCs in the past, Google is looking to change that

Pixel users had to deal with some really questionable chips in the past. The Exynos 5123 modem paired with the Tensor chip in the Pixel 6 series definitely comes to mind. The Exynos 5300 modem used in the Pixel 7 and Pixel 8 series was an improvement, but still not the best solution.

What happens now? Well, while the chip is ready for manufacturing, Google still has to test it out after the fact. We’re still a long way from seeing that chip in action, as the Tensor G4 hasn’t launched just yet.

The Tensor G4 will arrive alongside the Pixel 9 series next month. Google announced that the new Pixel smartphones will become official on August 13. That is a big change for Google, as everyone expected the devices to arrive in early October.



YouTube will let you flag AI-generated content for removal if it includes someone that looks or sounds like you


Generative AI is everywhere; it is fun and useful and can save you hours. But it is not really “making things up”, or at least not entirely: it “generates” content based on things that already exist, including real people. YouTube has now quietly added a policy that lets you request the removal of AI-generated content that features your likeness, meaning videos where AI has created something that looks or sounds like you. That is great if YouTube is able to enforce it, which depends on how it determines whether generated content looks like you.

YouTube says it will use factors such as whether the content is altered or synthetic (and if it’s been disclosed as such), and whether it is easily identifiable as the person in question.

Additionally, YouTube will take into account whether the content is parody or satire, if it includes a public figure or a well-known person, also, if there is ‘sensitive behavior’ like crime, violence, endorsing a product or a political candidate.  

The new policy falls under YouTube’s privacy violation rules, and first-party claims are required; the only exceptions are when the individual is a minor, does not have access to a computer, or is deceased.



Water Sigbin Exploiting Oracle WebLogic Server Flaw


Water Sigbin (8220 Gang) exploits vulnerabilities (CVE-2017-3506, CVE-2023-21839) in Oracle WebLogic servers to deliver cryptocurrency miners using PowerShell scripts. 

They use a multi-stage loading technique with a .NET Reactor-protected payload to deploy the PureCrypter loader and the XMRig miner, which makes the code hard to analyze and hard to build defenses against.

Water Sigbin Attack diagram

Water Sigbin exploits CVE-2017-3506 to run a PowerShell script that decodes a Base64-encoded payload and drops a malicious file named wireguard2-3.exe, which impersonates a legitimate VPN application.

This dropper is a trojan loader that retrieves, decrypts, maps, and executes a second-stage payload (Zxpus.dll) in memory using reflective DLL injection, allowing the malware to evade detection and carry out malicious activities. 

Zxpus.dll, a second-stage loader, retrieves a binary named Vewijfiv from its resources, decrypts it using AES with a specified key and IV, and decompresses it using GZip. 

The decompressed payload is then deserialized using protobuf-net, revealing the loader’s configuration, including the process name to be created and the next stage payload in an encrypted format. 

Zxpus.dll creating the cvtres.exe process

It then creates a new process named cvtres.exe, injects the decrypted next-stage payload into memory using process injection, and passes the execution to the cvtres.exe process.  

The payload running inside cvtres.exe decompresses a DLL with Gzip and loads it; this DLL is PureCrypter loader version V6.0.7D, which connects to a command-and-control server and downloads the final malicious payload, a cryptocurrency miner.

The PureCrypter loader is a malicious DLL that uses a mutex to ensure only one instance runs, then retrieves its configuration from the C&C server, including persistence settings and antivirus exclusion rules.

PureCrypter generates a victim ID from system information

For persistence, it creates a scheduled task disguised as a file-synchronization job and a second task with a random name that adds specific files and processes to the antivirus exclusion list. It then generates a unique identifier for the victim machine from system information and communicates with the C&C server.

PureCrypter, an obfuscated .NET loader, downloads and executes various malware, such as information stealers and RATs, by using process hollowing to inject the payload into a legitimate process. It collects system information with WMI queries, encrypts it with TripleDES, and sends it to the C&C server.

XMRig login request

According to Trend Micro, the C&C server responds with an encrypted XMRig mining configuration, which is stored in the registry. 

PureCrypter then downloads the XMRig payload (plugin3.dll), decrypts it, injects it into a newly created AddinProcess.exe process, and starts mining against the pool at 217.182.205.238:8080 using the wallet address ZEPHYR2xf9vMHptpxP6VY4hHwTe94b2L5SGyp9Czg57U8DwRT3RQvDd37eyKxoFJUYJvP5ivBbiFCAMyaKWUe9aPZzuNoDXYTtj2Z.c4k.
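The pool address and wallet above are the kind of indicator a SOC can match directly on the miner’s first message to the pool: XMRig speaks Stratum-style JSON-RPC and opens with a “login” request whose “login” parameter carries the wallet and whose “agent” string names the miner build. The following is an added example, not Trend Micro’s code or anything from the Water Sigbin toolchain. The flow records are constructed (source hosts, the second pool and its wallet are invented); only the pool IP:port and the ZEPHYR wallet come from the write-up. It detects any Stratum login, then escalates severity when the Water Sigbin indicators match.

```python
import json

# Indicators taken from the Water Sigbin write-up above.
WATER_SIGBIN_POOL = ("217.182.205.238", 8080)
WATER_SIGBIN_WALLET = (
    "ZEPHYR2xf9vMHptpxP6VY4hHwTe94b2L5SGyp9Czg57U8DwRT3RQvDd37eyKxoFJUYJvP5ivBbiFCAMyaKWUe9aPZzuNoDXYTtj2Z.c4k"
)

# Constructed flow records (src, dst_ip, dst_port, first client payload), as a
# proxy or Zeek-style log might provide them. Not real captures.
SAMPLE_FLOWS = [
    ("10.0.0.15", "217.182.205.238", 8080,
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"' + WATER_SIGBIN_WALLET
     + '","pass":"x","agent":"XMRig/6.21.0","algo":["rx/0"]}}'),
    ("10.0.0.15", "93.184.216.34", 443, "\x16\x03\x01..."),          # TLS ClientHello, not JSON
    ("10.0.0.22", "198.51.100.7", 3333,
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3A","pass":"x","agent":"XMRig/6.21.0","algo":["rx/0"]}}'),
    ("10.0.0.31", "198.51.100.9", 8080, '{"id":7,"jsonrpc":"2.0","method":"getinfo","params":{}}'),
]


def parse_stratum_login(payload):
    """Return the params dict if payload is a Stratum 'login' request, else None."""
    try:
        msg = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if not isinstance(msg, dict) or msg.get("method") != "login":
        return None
    params = msg.get("params")
    return params if isinstance(params, dict) and "login" in params else None


def classify(flow):
    """Score one flow; None when it is not a mining login at all."""
    src, dst, port, payload = flow
    params = parse_stratum_login(payload)
    if params is None:
        return None
    agent = str(params.get("agent", ""))
    wallet = str(params["login"])
    reasons = ["stratum login request"]
    if agent.startswith("XMRig/"):
        reasons.append("XMRig user agent")
    if (dst, port) == WATER_SIGBIN_POOL:
        reasons.append("Water Sigbin pool IoC")
    if wallet == WATER_SIGBIN_WALLET:
        reasons.append("Water Sigbin wallet IoC")
    return {
        "src": src,
        "dst": f"{dst}:{port}",
        "wallet": wallet,
        "agent": agent,
        # Generic mining is medium; any campaign IoC on top of it is high.
        "severity": "high" if len(reasons) > 2 else "medium",
        "reasons": reasons,
    }


def detect(flows):
    """Run classify over every flow and keep the hits."""
    return [hit for hit in map(classify, flows) if hit]


if __name__ == "__main__":
    for hit in detect(SAMPLE_FLOWS):
        print(hit["severity"], hit["src"], "->", hit["dst"], hit["reasons"])
```

The generic rule (any Stratum login leaving the network) is the one that keeps paying off after the campaign rotates its pool and wallet; the IoC matches only confirm attribution.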




WhatsApp users will soon choose between two different models for AI generated images


We’re inching closer to the day when WhatsApp users will be able to AI-generate their own images right in the popular messaging app!

What’s more, WhatsApp users will be able to choose between two of Meta’s Llama models:

  • Llama 3 70B (simpler, faster tasks)
  • Llama 3 405B (more complex queries)

These are the latest findings of the always informative WABetaInfo, and the report covers the 2.24.14.13 beta version of WhatsApp. In a previous update, version 2.24.14.7, WhatsApp revealed its work on integrating Meta’s Llama models, offering users a choice between different models for varied interaction complexity.

Users could opt for the Llama 3 70B model for simpler tasks or the more advanced Llama 3 405B model for more complex queries. The current update just goes to show that WhatsApp is no exception to the rule: in 2024, everything is AI-oriented. Personally, I find the whole thing overwhelming at moments, but I’ll wait and see how this new feature behaves in WhatsApp. It could turn out to be useful!

The new feature, detailed in the latest beta, enables users to create AI-generated images of themselves by taking a set of setup photos. Then, Meta AI will analyze and use these to generate images that accurately reflect the user’s appearance. Users maintain full control over this feature, with the ability to delete their setup photos at any time through the Meta AI settings.

To generate an AI image, users can type “Imagine me” in a Meta AI conversation. This feature can also be used in other chats by typing “@Meta AI imagine me”. Notably, Meta AI processes this command separately from other messages, ensuring user privacy. The generated image will automatically be shared in the conversation by the app.

This feature is optional and requires users to opt-in by enabling it in their settings and taking their setup photos. The development of this feature is ongoing, with plans for availability in a future update.



Rapid7 to Acquire Noetic Cyber to Enhance Attack Surface Visibility


Rapid7, Inc., a leader in extended risk and threat detection, has announced a definitive agreement to acquire Noetic Cyber, a pioneering company in cyber asset attack surface management (CAASM).

This strategic move aims to bolster Rapid7’s existing cybersecurity solutions by integrating Noetic’s advanced CAASM capabilities, providing customers with a more comprehensive view of their digital environments.

Enhanced Visibility and Risk Management

Integrating Noetic Cyber’s CAASM solution into Rapid7’s platform will offer unparalleled visibility into internal and external assets spanning on-premise and cloud environments.

This enhanced visibility will empower customers to:

  • Gain a high-context, inside-out view and an adversary-aware, outside-in perspective to better anticipate threats and manage risks.
  • Prioritize risks with threat-aware context, identifying the most critical exposures.
  • Improve signal-to-noise ratios across security teams, enhancing asset inventory and reducing risks through pragmatic remediation guidance and automation.
  • Boost efficiency and productivity by providing highly correlated asset and resource views with searchable risk context.

Corey Thomas, CEO of Rapid7, emphasized the importance of this acquisition, stating, “Fragmented attack surfaces stifle security productivity, efficiency, collaboration, and credibility.

Adding Noetic’s solution to our platform positions Rapid7 to deliver the most productive security operations experience while making it more accessible to the teams who need it most.”

Addressing a Critical Industry Challenge

According to the 2024 Gartner® Innovation Insight: Attack Surface Management report, only 17% of organizations can identify and inventory a majority (95% or more) of their assets.

This statistic underscores the critical need for improved asset visibility and management in the cybersecurity landscape.

Paul Ayers, CEO and co-founder of Noetic Cyber, highlighted the acquisition’s benefits, stating, “The addition of Noetic Cyber to Rapid7’s portfolio ensures even more security teams can be confident they have the right visibility of their security data.

Rapid7 customers will now be able to better prioritize exposures based on the meaningful insights from Noetic and take action to identify security gaps and reduce cyber risk.”

Noetic Cyber, founded in 2019 by Paul Ayers, Allen Hadden, and Allen Rogers, has been dedicated to empowering security teams to command their attack surface.

The company’s proactive approach to cyber asset and exposure management aims to enhance security tools and control efficacy by breaking down existing data silos.

The acquisition is expected to close during Rapid7’s fiscal third quarter and is not anticipated to have a material impact on the company’s 2024 Annualized Recurring Revenue (ARR).

Rapid7 plans to make Noetic Cyber’s capabilities available to its customers this summer after the transaction’s completion.

The company’s comprehensive security solutions help over 11,000 global customers manage cloud risk and detect threats quickly and precisely.




Meta changes how it labels AI-generated content after complaints from photographers

Meta introduced new policies regarding all AI-generated content posted on Facebook and Instagram back in April. One of the new rules rolled out a few months ago was the labeling of AI-generated content and manipulated media with a “Made with AI” watermark.

However, photographers all around the world noticed that their images were labeled with “Made with AI” watermarks even though they only suffered minor modifications.

Meta acknowledged the issue and admitted that its labels weren’t always aligned with people’s expectations. Moreover, the “Made with AI” watermark didn’t provide enough context.

To stop content with minor AI-assisted modifications, such as retouching, from being labeled “Made with AI,” the social giant announced that it is updating the label to “AI info” across its apps.

– Meta, July 2024

On top of that, people can now click on the “AI info” label to get more information about the image they’re looking at. Hopefully, Meta will provide more context on the content labeled “AI info,” so that users can figure out if they’re looking at AI-generated content or original content that’s been slightly modified using AI tools.

Meta’s new “AI info” label | Image credit: Meta

This means Meta will apply “AI info” labels to a wider range of video, audio and image content when it detects industry-standard AI indicators or when users disclose that they are uploading AI-generated content.

Meta amended its policy regarding AI-generated content a few times since launch, and it’s probably going to fine-tune it further as AI tech continues to evolve and more people start using it for various purposes.



regreSSHion RCE Flaw Impacts 700K Linux Systems


The Qualys Threat Research Unit has identified a newly discovered vulnerability in OpenSSH, dubbed “regreSSHion” (CVE-2024-6387).

This critical flaw, which allows unauthenticated remote code execution (RCE) as root, potentially affects over 700,000 Linux systems exposed to the internet.

The regreSSHion vulnerability is a signal handler race condition in OpenSSH’s server (sshd) that can be exploited to execute arbitrary code with the highest privileges.

This flaw is particularly concerning because it does not require user interaction and affects OpenSSH’s default configuration.

This vulnerability is a regression of a previously patched issue (CVE-2006-5051): the fix was accidentally removed in October 2020 and the regression shipped with OpenSSH 8.5p1, so versions from 8.5p1 up to but not including 9.8p1 are affected, and 9.8p1 contains the fix.

If exploited, regreSSHion could lead to a complete system takeover, allowing attackers to install malware, manipulate data, and create backdoors for persistent access.

This could facilitate network propagation, enabling attackers to compromise other vulnerable systems within an organization.

The vulnerability poses a significant risk as it allows attackers to bypass critical security mechanisms such as firewalls and intrusion detection systems, potentially leading to significant data breaches and leakage.

Exposed OpenSSH Instances

Qualys researchers used internet scanning services like Censys and Shodan to identify over 14 million potentially vulnerable OpenSSH server instances exposed to the internet.

Anonymized data from Qualys customer data revealed that approximately 700,000 external internet-facing instances are vulnerable, accounting for 31% of all internet-facing instances with OpenSSH in the Qualys global customer base.

The vulnerability arises because sshd’s SIGALRM handler, which fires when a client fails to authenticate within the LoginGraceTime period, calls functions that are not async-signal-safe, such as syslog().

Interrupting a malloc() or free() inside that window can corrupt the heap, which can be exploited to execute arbitrary code with root privileges. The flaw is hard to exploit reliably because it is a remote race condition: Qualys’s proof of concept needed on the order of 10,000 attempts, taking several hours, against a 32-bit build, and exploitation of 64-bit systems has not been demonstrated.

Mitigation Steps

To mitigate the risk posed by regreSSHion, organizations are advised to:

While no active exploits have been seen in the wild, the potential impact of this flaw necessitates urgent action from system administrators to protect their systems.

How to Scan for regreSSHion Vulnerability

Organizations can use several tools to scan for the regreSSHion vulnerability (CVE-2024-6387) in their systems. Here are some of the most effective tools available:

1. CVE-2024-6387_Check Script

This is a lightweight and efficient tool designed specifically to identify servers running vulnerable versions of OpenSSH.

It supports rapid scanning of multiple IP addresses, domain names, and CIDR network ranges.

The script retrieves SSH banners without authentication and uses multi-threading for concurrent checks, significantly reducing scan times. The output provides a clear summary of the scanned targets, indicating which servers are vulnerable, not vulnerable, or have closed ports.

2. Qualys Vulnerability Management

Qualys offers a comprehensive vulnerability management tool that can scan for a wide range of vulnerabilities, including CVE-2024-6387. It provides extensive protection and is capable of aggregating and prioritizing cyber risks across all assets and attack vectors.
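The banner comparison those scanners perform, together with the LoginGraceTime workaround from the Qualys advisory, can be reproduced in a few dozen lines. The following is an added example, not the CVE-2024-6387_Check script and not a Qualys tool. The version boundaries are the ones Qualys published: releases before 4.4p1 are vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109, 4.4p1 through 8.4p1 are not vulnerable, 8.5p1 through 9.7p1 are vulnerable, and 9.8p1 fixes the bug. Two caveats a banner check cannot resolve are built in: distributions backport fixes without bumping the version, so a vendor suffix in the banner downgrades the verdict to “check the vendor advisory”, and sshd honours the first occurrence of a keyword in sshd_config, so a LoginGraceTime 0 appended below an earlier setting does nothing. Setting LoginGraceTime 0 closes the SIGALRM path but lets unauthenticated clients hold MaxStartups connection slots indefinitely, so it is a stopgap, not a patch. The sample banners and config snippets are constructed; fetch_banner opens a real TCP connection and is only for hosts you are authorized to test.

```python
import re
import socket

# Matches "OpenSSH_9.2p1 Debian-2+deb12u3" style identification strings.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(\S.*))?")


def fetch_banner(host, port=22, timeout=5.0):
    """Read sshd's identification string; it is sent before any authentication."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").strip()


def parse_openssh_version(banner):
    """Return ((major, minor, portable_patch), vendor_suffix), or None if not OpenSSH."""
    m = BANNER_RE.search(banner.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), (suffix or "")


def classify_banner(banner):
    """Version-only verdict for CVE-2024-6387 using the Qualys version ranges."""
    parsed = parse_openssh_version(banner)
    if parsed is None:
        return {"status": "not-openssh", "note": "no OpenSSH version string in banner"}
    (major, minor, _), suffix = parsed
    v = (major, minor)
    if v < (4, 4):
        status, note = "likely-vulnerable", "pre-4.4p1: vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109"
    elif v < (8, 5):
        status, note = "not-vulnerable", "4.4p1 through 8.4p1 still carry the 2006 fix"
    elif v < (9, 8):
        status, note = "vulnerable", "8.5p1 through 9.7p1 reintroduced the async-signal-unsafe SIGALRM handler"
    else:
        status, note = "not-vulnerable", "9.8p1 or later"
    # A vendor string means the distro may have backported the fix at the same version.
    if status == "vulnerable" and suffix:
        status = "check-vendor-backport"
        note += f"; vendor string '{suffix}' may carry a backported fix"
    return {"status": status, "note": note}


_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def _seconds(value):
    """Parse sshd time values such as '0', '30', '2m' or '1h30m' into seconds."""
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))


def login_grace_time(sshd_config_text):
    """Effective LoginGraceTime in seconds: sshd keeps the FIRST value it sees; default is 120."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "logingracetime" and len(parts) == 2:
            return _seconds(parts[1])
    return 120


def mitigated_by_config(sshd_config_text):
    """True when LoginGraceTime 0 disables the SIGALRM path (accepting the DoS trade-off)."""
    return login_grace_time(sshd_config_text) == 0


if __name__ == "__main__":
    # Constructed banners; replace with fetch_banner(host) for a live check.
    for b in ("SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3", "SSH-2.0-OpenSSH_9.7", "SSH-2.0-OpenSSH_7.4"):
        print(b, "->", classify_banner(b))
    print("LoginGraceTime:", login_grace_time("LoginGraceTime 2m\nLoginGraceTime 0\n"), "seconds")
```

On a live host, `sshd -T | grep -i logingracetime` prints the value sshd actually resolved, which is the authoritative answer when the config uses Include files or Match blocks that this parser does not follow.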



This One Mistake Could Brick Your Phone!


Google Pixel 6 series devices risk getting bricked if users perform a “factory reset”. Although sporadic, reports about Pixel 6, 6 Pro, and 6A turning into a dead paperweight have suddenly surged in the last few days.

A software update isn’t bricking Pixel 6 series smartphones

Google Pixel 6 series smartphone owners should avoid resetting their devices to factory settings for the next few days. This is because attempting a “factory reset” could brick their smartphones.

Reports about Google Pixel 6, Pixel 6 Pro, and Pixel 6a “bricking” after owners tried to perform a full reset have appeared on Reddit and the Google Pixel support community.

According to Tech-Issues Today, the issue isn’t limited to any specific model in the Pixel 6 series. In other words, any Android smartphone from the Pixel 6 series could fail to boot up after a factory reset.

Similarly, the Android version does not seem to matter, so some users have concluded that a recent software or firmware update is probably not the root cause; the factory reset itself appears to be the trigger.

Most of the Pixel 6 owners who managed to brick their devices observed a similar pattern. The affected smartphone would refuse to boot normally. Instead, it would throw the following error:

“Cannot load Android system. Your data may be corrupt. If you continue to get this message, you may need to perform a factory data reset and erase all user data stored on this device.”

If users attempt to perform a “wipe”, a separate error mentions the phone is missing a file called tune2fs. According to The Verge, this file is a Unix command line tool used to set file system parameters.

Is Google aware performing a factory reset may brick Pixel 6 devices?

The Pixel 6 series launched in 2021. What this means is that the majority of Pixel 6 smartphones would be out of standard warranty.

This suggests Google would offer paid service or replacements, presumably citing motherboard failure. In other words, Pixel 6 owners who brick their smartphones could be looking at an expensive fix.

All hope, however, isn’t lost. A person who identifies as Detlef M., and claims to be a “Platinum Product Expert” on the Google Pixel support community, has implied Google is aware of the issue.

He added that Google is investigating the issue and advised affected users to watch the thread for any updates.

