Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious links within seemingly legitimate payment requests.
This tactic aims to deceive recipients into opening the invoice, leading to:-
Potential data breaches
Financial fraud
Unauthorized access to sensitive information
Cybersecurity researchers at Perception Point recently discovered and analyzed a sophisticated malware dubbed “LUMMA” malware.
Perception Point’s cutting-edge sandboxing technology was able to identify and isolate malicious software with precision and accuracy, thereby protecting the system from potentially harmful malware.
DocumentProtect Your Storage With SafeGuard
StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.
Invoice to Deliver LUMMA Malware
Cybersecurity analysts identified that the attacker, posing as a financial services company in this campaign, tricks the target with a fake invoice email.
Fake Invoice (Source – Perception Point)
The user is urged to click “View & Download Invoice,” but the provided website is unavailable. To maintain legitimacy, a valid website link is included that redirects users after the failed button click.
The attacker dodges detection using a fake page and a real link. Security scans miss malicious payload hidden behind error pages and innocent URLs.
Clicking the link redirects to harmful URLs triggering automatic download of malicious files. The attacker breached a legitimate site to host a redirect.
Besides this, the website code reveals multiple redirects to dangerous URLs, like hxxps://robertoscaia[.]com/eco, downloading malware through the “.exe” file generator.
Website code (Source – Perception Point)
LUMMA is an InfoStealer malware that is written in C language and spreads through Malware-as-a-Service.
The attack features three processes, and here below, we have mentioned those processes: –
1741[.]exe
RegSvcs[.]exe
wmpnscfg[.]exe
Notably, the “1741[.]exe” process runs from the user’s temp folder, raising suspicions due to legitimate programs not using this location.
Processes ‘RegSvcs[.]exe’ and ‘wmpnscfg.exe’ from unusual folders suggest suspicious behavior linked to malware.
Parent processes with PIDs 1388, 3428, and 1388 add complexity, aiming to hide malicious activities.
Increasingly sophisticated threats demand constant security system evaluation.
This incident highlights the need for advanced prevention, continuous monitoring, and a multi-layered approach to detecting and countering evolving cyber threats.
ScamClub is a threat actor who’s been involved in malvertising activities since 2018. Chances are you probably ran into one of their online scams on your mobile device.
Confiant, the firm that has tracked ScamClub for years, released a comprehensive report in September while also disrupting their activities. However, ScamClub has been back for several weeks, and more recently they were behind some very high profile malicious redirects.
The list of affected publishers includes the Associated Press, ESPN and CBS, where unsuspecting readers are automatically redirected to a fake security alert connected to a malicious McAfee affiliate.
ScamClub is resourceful and continues to have a deep impact on the ad ecosystem. While we could not identify precisely which entity served the ad, we have reported the website used to run the fake scanner to Cloudflare which immediately took action and flagged it as phishing.
Forced redirects
Mastodon user Blair Strater (@r000t@fosstodon.org) was simply browsing the Associated Press website on his phone when he was suddenly redirected to a fake security scan page:
Malicious redirect from APnews.com (credit Blair Strater)
This fake scanner is not run by McAfee, but the domain name systemmeasures[.]life that we see in the address bar is the landing page that redirects to one of its affiliates. That affiliate was previously reported but continues unabated.
Web traffic between malicious page and McAfee site
Based on public data, several ad exchanges were abused to deliver this fake antivirus campaign via real-time bidding (RTB) in the past few weeks Most of the telemetry we saw from our Malwarebytes user base was related to smaller websites with ‘risky’ advertisers. However, a different campaign was targeting mobile users with malicious ads slipping by on top publishers (note: this data comes from VirusTotal):
Most of the public reports ([1], [2], [3]) indicate this campaign was at its peak around November 19. To be clear, AP, ESPN, CBS and other sites were not hacked, but rather showed malicious ads. It appears that this high profile campaign stopped shortly after, as we haven’t seen new telemetry data coming from these publishers. However, the other campaign we are also monitoring that is affecting smaller sites is still ongoing (via eu[.]vulnerabilityassessments.life and us.vulnerabilityassessments[.]life).
Connection with ScamClub
We were able to connect this campaign to the ScamClub infrastructure because of another domain (trackmaster[.]cc) that was previously mentioned as belonging to the threat actor. We can see the relationship between systemmeasures[.]life (the landing page) and trackmaster[.]cc (the intermediary domain) in the urlscanio submission below:
urlscanio scan showing the relationship between two domains
Fingerprinting
Like other malvertising threat actors, ScamClub dabbles in obfuscation and evasion techniques. However, as previously detailed by Confiant, they are using much more advanced tricks. Their JavaScript uses obfuscation with changing variable names, making identification harder.
Previously, the malicious JavaScripts were hosted on Google’s cloud but they have now moved to Azure’s CDN.
ScamClub’s malicious JavaScript
Malvertising and mobile users
On this blog, we have covered a number of malvertising campaigns targeting Desktop, both consumer and enterprise. This is in part because we hunt for Windows malware and the occasional Mac ones too.
ScamClub is a good example of targeting a big market segment, Mobile Web, where security software is often an afterthought, in particular on iOS, in part due to restrictions imposed by Apple. Clearly, malvertising is flourishing on Mobile and users are just as likely, if not more, to get tricked into downloading malware or get scammed.
Meta’s Threads was one of the biggest Twitter competitors after the company was acquired by Elon Musk. Unfortunately, the microblogging service was missing so many critical features that it lost more than half of its initial users just a few weeks after launch.
Speaking of launch, Threads is still not available in Europe due to the EU’s stiff regulations. One compromise that may allow Meta to launch Threads in Europe is to provide customers with the option to use it without needing a profile.
According to people familiar with Meta’s plans, the company plans to launch Threads in Europe as early as December, The Wall Street Journal reports. If that information proves to be accurate, it would be Threads’ biggest expansion since its initial release this summer.
Meta has been working hard to make Threads as appealing as possible in comparison with the competition, but the app was still missing important features not long ago.
It has taken Meta a few months to actually allow those who created Threads accounts to delete them without losing their Instagram accounts too.
That being said, it looks like Threads still has a lot fans. According to Mark Zukerberg, Threads had “just under 100 million monthly active” users as of October 2023, an impressive number considering the app has been hemorrhaging users since July.
However, with the new shift in the advertising industry, Threads expansion to Europe makes perfect sense. As some of you probably know already, Twitter lost most of its biggest advertisers after Elon Musk’s antisemitic posts, including Apple, Disney and IBM. Meta hopes to redirect their money to Threads and what better way to do that than tapping in a new, very important market: EU.
On November 30, 2023, YouTube Music began to roll out its annual Year in Review feature called “2023 Recap”. It’s not as straightforward as some of the other streaming music services, which brings it front-and-center, so we’re here to help you find out where it is, as well as what is included in the 2023 recap.
What is YouTube Music Recap?
YouTube Music’s recap feature is exactly what it sounds like. It’s a recap of the music, artists, and genres that you listened to over the past year. Technically, it’s just January through November. Since the recap comes out right at the beginning of December, So obviously, December is not included in the Recap.
The recap starts by showing you how many minutes you spent listening to music and the different artists that you listened to the most in 2023. Your recap will show you the top 5 artists and some more details about them. This includes how many hours you listened, songs, and the “longest listening streak.” This will also tell you if you’re one of the top listeners for that particular artist.
One of the new features for 2023 includes “Your Album Cover” which YouTube Music will pull colors from your top tracks, making it look a bit like dynamic color theming. And it’s matched with a font and image to inform the creation.
The auto-generated playlist of the top songs for 2023 is not live just yet, but it should be in the coming days. As this is starting to roll out pretty slowly.
How to find your Year in Review Recap on YouTube Music
In the YouTube Music app. You can find the YouTube Music Recap pretty easily. Here’s how to do it:
Tap on your profile picture in the upper-right corner.
Next, tap on “Your Recap.”
Or you can search “2023 Recap.”
From here, you should see your 2023 Recap. If you see “Nothing to hear here,” then it’s not yet available for your account.
And that’s it. You can check out your Recap as many times as you’d like and even add these playlists to your library.
Elon Musk doesn’t seem to care about the ongoing advertiser boycott on X, triggered by his public endorsement of an antisemitic conspiracy theory. While he apologized for the post, the multi-billionaire lashed out at advertisers using profanity-laced words. He accused the firms of blackmailing him by pulling ads from the social media app.
“I hope they stop. Don’t advertise,” Musk told interviewer Andrew Ross Sorkin at the DealBook conference on Wednesday evening. “If somebody is going to try to blackmail me with advertising, blackmail me with money, go f**k yourself. Go. F**k. Yourself. Is that clear? I hope it is.” The X owner singled out Disney CEO Bob Iger as he said that. Iger was on the stage earlier in the day and said Disney doesn’t want to associate itself with Musk.
Elon Musk lashes out at advertisers amid a widespread boycott
The latest advertiser boycott on X/Twitter began about two weeks ago when Musk called a post attacking Jewish people the “actual truth.” More than 100 brands have pulled out their ads from the platform since his comments. This brand exodus is estimated to cause the company a loss of $75 million by the end of the year. However, Musk seemingly doesn’t care a bit.
For a moment, he appeared to have realized his mistake. “I should in retrospect not have replied to that one person,” Musk said. He even tried clarifying what he actually meant by that post—his belief that Jewish people are funding causes meant to “annihilate” them. He blamed the media for not covering his clarifications, though the clarification seemed to be supporting the antisemitic conspiracy theory.
“Essentially I handed a loaded gun to those who hate me, and arguably to those who are antisemitic,” Musk said about media backlash and advertiser boycott triggered by his comments. “For that, I’m quite sorry. That was not my intention.” However, despite occasionally sounding apologetic, Musk made it clear that he doesn’t care about advertisers fleeing X.
“What this advertising boycott is gonna do is it’s gonna kill the company,” the Tesla CEO said. “That is what everybody on Earth will know. We’ll be gone, and it’ll be gone because of an advertiser boycott.” As The Verge noted, “Musk seemed alternatingly apologetic and defiant” over the matter. He gave the most nonchalant answers to questions about the advertiser issue on X.
X CEO said it was a temporary pause from advertisers
Musk’s comments came a couple of weeks after X CEO Linda Yaccarino said that this advertiser exodus was temporary. She suggested that companies paused investments because of the misleading and manipulated report published by Media Matters earlier this month. X has already sued Media Matters, but advertisers haven’t returned to the platform yet. It remains to be seen how the scenario changes following Musk’s interview. Yaccarino was in the audience as Musk launched a profane attack on advertisers.
Even older, non-premium Samsung phones are getting the popular Galaxy Enhance-X app!
The image editor app that relies on AI to deliver some stunning results in the retouching art can now be played with on the Galaxy A53 and Galaxy A34 (via SamMobile). Of course, it’s a must that the phones have already installed the recently released Android 14 and One UI 6.
A few weeks ago, Samsung announced that Galaxy Enhance-X would be coming to some Galaxy A series devices with One UI 6, and the Galaxy A54 was the first to get support for it. The addition of the aforementioned two models is a welcomed one.
The Galaxy A34 (which gets access to Android 14 in some markets) was also listed as an eligible device, so users can now download the AI image editor app from the Galaxy Store.
The report states that even the Galaxy A53 can download and use Galaxy Enhance-X, even though Samsung didn’t officially say that 2022’s Galaxy A smartphones would be eligible.
All of this brings us to the logical assumption that the Galaxy A33 will also support Galaxy Enhance-X once it gets One UI 6, though it’s not confirmed right now as it is still running Android 13/One UI 5. Overall, Samsung could gift Galaxy Enhance-X to other A series phones, but that’s for users to check in the Galaxy Store once their Galaxy A series device has received Android 14.
What’s Galaxy Enhance-X?
As the Samsung team puts it, Galaxy Enhance-X is powered by AI and offers “comprehensive one-tap image enhancement” as well as the flexibility to adjust specific features, including HDR.
There’s a broad range of tools available for photo customization. HDR, for example, analyzes highlights, shading, brightness and contrast, expanding the dynamic range of the image and making its lighting richer without sacrificing quality. Like many of Galaxy Enhance-X’s features, it also offers different levels of intensity — from 0 to 4 in HDR’s case.
Furthermore, the images we receive via social media or other messaging apps often come to us compressed after having been uploaded online. For such cases, the Upscale tool boosts the resolution of images under 1MP by up to four times for consistent, sharp detail.
You’re inundated with yearly recaps from all of the services you love. Either you’re tired of the constant banners in the apps… or you just don’t want to come to terms with your obsession with Taylor Swift. Either way you slice it, YouTube Music has its 2023 recap for you. You’ll be able to see what music made your 2023 one to remember (via 9To5Google).
If you want to look at your 2023 recap for Spotify, you can do so. This company is also telling people about their listening habits over 2023. It’s pretty easy to do that, so if you want some help, you can read How To Find Your Spotify Wrapped For 2023. You might find similarities between your listening habits in YouTube Music.
Check out your 2023 YouTube recap now
You should see the prompt to check out your recap when you open the app. It will fill the screen when you open the app. Tap on the Get your Recap button at the bottom of the screen, and you’ll see the Recap screen. The first tile you see will take you to your recap.
You’ll see it in a Story style with a succession of pages. It will show you information like how many minutes throughout the year you listened to music on the platform, how many different songs and artists you listened to, and so on. It will give you a recap of the top track you listened to and how many times you listened to it.
It’s all standard yearly recap stuff, but YouTube Music added a neat twist to its recap. The app platform uses the music you listened to to construct an album cover for you. It will take the color scheme from your top track’s album cover, choose a style of text, and an image from the mood of music you listened to the most, and create a unique album cover.
It’s always fun to see what music brought you joy, tears, good vibes, and so on this year, so you should definitely give it a look.
In the ever-evolving competition among tech giants, the recent unveiling of the Google Play Store and Apple App Store’s best apps and games for 2023 showcased the industry’s ongoing strive for excellence. Google and Apple both stepped into the spotlight on the same day to present their respective winners, providing users with a glimpse into the most innovative and impactful apps of the year.Apple, acknowledging 14 outstanding apps and games, celebrated those that “empowered users to unleash their creativity, discover a world of new adventures, and have fun with family and friends.” Developers from around the globe were recognized for delivering meaningful experiences that inspire cultural change, with the App Store’s Editorial team carefully selecting winners from nearly 40 finalists.Tim Cook, Apple’s CEO, expressed admiration for the developers, noting, “It’s inspiring to see the ways developers continue to build incredible apps and games that are redefining the world around us.”
AllTrails (Image Credit–Apple)
Taking center stage, the iPhone App of the Year for 2023 is AllTrails, fostering “community through comprehensive trail guides and outdoor exploration.” Meanwhile, Prêt-à-Makeup claimed the title of the best app for iPad, providing a true-to-life makeup sketchpad for professional artists and casual users, promoting “inclusivity and self-expression.”
Prêt-à-Makeup (Image Credit–Apple)
The Apple Watch App of the Year, SmartGym by Mateus Abras, stood out with its extensive library of exercises, routines, and robust fitness reporting.
SmartGym (Image Credit–Apple)
In the realm of games, Honkai: Star Rail, from COGNOSPHERE PTE. LTD. earned the prestigious title of the best game for iPhone, a recognition also shared with Google. The iPad Game of the Year, Lost in Play, invites players into a charming, childlike imagination during an epic point-and-click adventure.
Honkai: Star Rail (Image Credit–Apple)
Beyond individual categories, Apple’s App Store Editors highlighted five Cultural Impact winners, lauded for driving positive change through apps and games. Noteworthy recipients include Pok Pok, Proloquo, Too Good To Go, Unpacking, and Finding Hannah.
Reflecting broader trends, generative AI emerged as a dominant force in this year’s App Store Awards. Alongside the official winners, App Store Editors worldwide showcased a collection of generative AI apps exemplifying the Trend of the Year, with ChatGPT leading the way.
Hackers often use weaponized documents to exploit vulnerabilities in software, which enables the execution of malicious code.
All these documents contain malicious code or macros, often disguised as familiar files, which help hackers gain unauthorized access and deliver malware to their targets.
Recently, the cybersecurity researchers at SentinelOne reported that North Korean hackers are actively attacking the macOS using weaponized documents.
DocumentProtect Your Storage With SafeGuard
StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.
Hackers Attacking macOS
North Korean threat actors focused on macOS in 2023 with two major campaigns, and here below, we have mentioned those major campaigns:-
RustBucket employed ‘SwiftLoader,’ disguising itself as a PDF Viewer, to deliver a Rust-written second-stage malware.
While in the KandyKorn campaign, Python scripts targeted blockchain engineers, delivering a C++ backdoor RAT named ‘KandyKorn’ after hijacking the Discord app on hosts.
A five-stage attack targeted users through Discord, using social engineering to trick them into downloading a malicious Python app.
This Python app is disguised as a crypto arbitrage bot that is distributed as Cross-Platform “Bridges.zip,” and the app contains several harmless Python scripts.
Bridges.zip contents (Source – SentinelOne)
Here below, we have mentioned all the stages:-
Stage 0: In this stage, the Discord user is tricked into downloading a malicious Python app, Cross-Platform Bridges.zip. Then, the malware links are sent via direct message and hosted on Google Drive. Then, as a module, the app’s Main.py script imports Watcher.py.
Stage 1: In this stage, Watcher.py verifies the Python version and runs testSpeed.py, which downloads and executes FinderTools. After execution, testSpeed.py is removed, and then the “FinderTools” is saved at /Users/Shared/FinderTools.
Stage 2: In this stage, the FinderTools runs SUGARLOADER from /Users/Shared/.sld, copying it as .log and appname in /Applications/Discord.app/Contents/MacOS/. SUGARLOADER, coded in C++, looks for a config file at /Library/Caches/com.apple.safari.ck, downloading from C2 if absent. After that, the FinderTools links C2 tp.globa.xyz in the intrusion observed by the cybersecurity researchers.
Stage 3: In this stage, the SUGARLOADER downloads HLOADER, replaces genuine Discord, and sets up a stealthy persistence mechanism in /Applications/Discord.app/Contents/MacOS/Discord. HLOADER cleverly disguises itself as MacOS.tmp, ensuring continuous undetected execution alongside Discord. Apple’s login item monitoring remains unaware to this smart renaming/reloading strategy, enhancing persistence.
Stage 4: In this stage, from the com.apple.safari.ck the SUGARLOADER grabs the C2 URL to fetch and run the KANDYKORN via NSCreateObjectFileImageFromMemory and NSLinkModule. It’s a North Korean macOS malware technique seen in UnionCryptoTrader (2019).
North Korean threat actors have an evolving campaign named RustBucket, using the Swift-based app SecurePDF Viewer.app. It’s signed by “BBQ BAZAAR PRIVATE LIMITED” and reaches out to docs-send.online.
Another variant, Crypto-assets app.zip, signed by “Northwest Tech-Con Systems Ltd,” connects to on-global.xyz, dropping an executable at /Users/Shared/.pw.
This .pw file, associated with KandyKorn, references /Users/Shared/.pld, matching KandyKorn RAT, indicating shared infrastructure, objectives, and TTPs.
IOCs
SUGARLOADER
d28830d87fc71091f003818ef08ff0b723b3f358
HLOADER
43f987c15ae67b1183c4c442dc3b784faf2df090
KANDYKORN RAT
26ec4630b4d1116e131c8e2002e9a3ec7494a5cf
46ac6dc34fc164525e6f7886c8ed5a79654f3fd3
62267b88fa6393bc1f1eeb778e4da6b564b7011e
8d5d214c490eae8f61325839fcc17277e514301e
8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18
9f97edbc1454ef66d6095f979502d17067215a9d
ac336c5082c2606ab8c3fb023949dfc0db2064d5
c45f514a252632cb3851fe45bed34b175370d594
ce3705baf097cd95f8f696f330372dd00996d29a
e244ff1d8e66558a443610200476f98f653b8519
e68bfa72a4b4289a4cc688e81f9282b1f78ebc1f
e77270ac0ea05496dd5a2fbccba3e24eb9b863d9
ObjCShell
79337ccda23c67f8cfd9f43a6d3cf05fd01d1588
SecurePDF Viewer
a1a8a855f64a6b530f5116a3785a693d78ec09c0
e275deb68cdff336cb4175819a09dbaf0e1b68f6
Crypto-assets and their risks for financial stability.app
Following the rollout to the OnePlus 11, the OnePlus 10 Pro is now getting Android 14 with OxygenOS 14 as well. The OnePlus 10 Pro, for those of you who are out of the loop, is the company’s flagship smartphone for 2022. It is the OnePlus 11’s predecessor.
Android 14 starts rolling out to the OnePlus 10 Pro
That device launched back in January 2022, and the firmware version of this update is NE2211_14.0.0.202(EX01). The update weighs around 790MB, and the rollout is starting in India. Open Beta testers are the first to get the update.
The rollout is expected to spread to other markets soon, though, if major problems don’t rear their head during the initial rollout. The update in other regions will be basically the same, without a couple of India-specific changes, of course.
The update delivers Fluid Cloud, File Dock, Content Extraction & more
This update brings a number of changes, of course. A full changelog has been shared by people who have received the update. Android 14 and OxygenOS 14 bring Fluid Cloud, File Dock, Content Extraction, and Smart Cutout to the phone.
On top of that, an improved Shelf experience is also being added, with more widget recommendations. Security and privacy get a boost too, and the same goes for overall performance improvements.
The company’s Aquamorphic Design has been upgraded too
OnePlus has also upgraded the Aquamorphic Design with “a natural, gentle, and clearer color style for a more comfortable color experience”. Aquamorphic-themed ringtones have been added too, and revamped system notifications sounds as well.
On top of all that, the OnePlus 10 Pro gets improved system animations, and also a carbon tracking AOD which visualizes the carbon emissions you avoid by walking, instead of driving.
As per usual, the update is rolling out OTA (Over-The-Air). Once again, it’s limited to Open Beta testers in India for now, even though it’s a stable update. It will spread very soon, though, both in India and globally.