The Context: Owners of almost every Android smartphone and iPhones are detected to have vulnerable security breaches to worry about. Hackers claimed to beat any fingerprint scanner in just 20mins. Using the fingerprint to unlock… Smartphone Fingerprint Claimed to be Broken in 20 minutes! – Hackers
Scammers are targeting Cash App users with fake ‘free-money’ giveaway campaigns The scammers who are targeting the Cash App are using the same hashtags that are used by Cash App’s legitimate campaigns. If we… Cash App targeted by Scammers !
A Brief Look at the Citadel Banking Trojan: The banking trojan, citadel was initially discovered in 2012. Citadel is based on Zeus trojan’s source code. Such type of trojan is designed to steal sensitive… Citadel Trojan: Threat to public Organizations !
Millions of Indian Credit and Debit Cards up for Sale on Dark Web on Joker’s Stash. Here’s what the fuss is all about. The Context: Banking trojans are at work again. Cybercriminals have this time… Joker’s Stash: Millions of Indian Credit & Debit Card Details Up For Sale on Dark Web
The Context: New malware is making headlines globally- The Dtrack RAT. Seen this month attacking victims in India, which is bent on financial gain and high-end spying. The malware is said to be traced back… Dtrack RAT – Malware Targeting Indian Financial Institutions
A new internet protocol is making headlines globally: DNS over HTTPS. Even though this is of significant interest, especially for organizations but regular users will also be impacted by it as well. Here’s what all… Misconceptions about DNS over HTTPS
On September of 5th, 2019 a new update to the famous document scanner application CamScanner was confirmed. With over a 100 million downloads the CamScanner app is used to convert pictures in .jpg to a .pdf or .ppt format. The app was back on the Play Store with version 5.12.5. Although iOS users were not affected, the update also urged users to download or update the new version.
Also popularly known to convert photos of your physical documents into PDF files, CamScanner was recently found to have an advertising library containing a malicious module. Kaspersky researchers recently found the malware in the app CamScanner. The phone-based PDF creator includes OCR (optical character recognition) and has more than 100 million downloads in Google Play. The app is also called by many different names such as: CamScanner – Phone PDF Creator and CamScanner – Scanner to scan PDFs.
Initially official app stores such as Google Play are usually considered a safe haven for downloading software. Unfortunately, this is not turn out to be 100% safe. Also due to which from time to time malware distributors manage to sneak their apps into Google Play. The problem which arises here is that even a powerful company as Google can’t thoroughly check millions of apps from the Google Playstore. Also, we need to keep in mind that most of the apps are updated regularly, due to which many of the Google Play moderators’ jobs are never done.
Being one of the most downloaded scanning apps on the Play Store, CamScanner is popularly used in that category. Such facts didn’t matter much to Google. Although most the reviews of CamScanner on Google Play page were positive, some of the users had reported suspicious behavior of the app while using the infected version. It happened such that as soon as the researchers at Kaspersky examined one of the versions of the app at that time and found the malicious module there. These findings were further reported to Google, and the app was promptly removed from Google Play. It looks like app developers got rid of the malicious code with the latest update of CamScanner. But still we need to keep in mind, that versions of the app vary for different devices, and chances are that some of them may still contain malicious code.
So far, according to CamScanner there’s no evidence of leaked document data due to the malicious code. With realization of the malicious code, CamScanner temporarily removed all advertising SDKs for security purposes. Despite of all the actions taken, CamScanner had not provided an update on its “legal actions” against AdHub’s advertising SDK, which was the cause of malicious codes.
The malware was initially found by Kaspersky researchers. On further analysis by the researches the following is what they discovered:
After the researchers at Kaspersky got to know about the malicious code in the famous scanner app they came to a conclusion after analyzing the results. According to Kaspersky, the malicious code was spotted in several CamScanner updates that were published between June and July. Some of the Researchers at Kaspersky also identified the code as Trojan Dropper, a software which was discovered in some pre-installed apps on Chinese smartphones. `As the name suggests, the module is a Trojan Dropper, which means that it extracts and runs another malicious module from an encrypted file included in the app’s resources in APK. The “dropped” malware is a Trojan downloader, that downloads more malicious modules depending on what its creators are up to at the moment. These malicious modules show intrusive ads and sign users up for paid subscriptions to fake external services.
In one of the statements released on Twitter, CamScanner placed the blame for the malware on a third-party advertising SDK provided by AdHub. According to reports obtained by CamScanner, the SDK contained the Trojan Dropper module with the help of which it produced ‘unauthorized advertising clicks.’ Team from CamScanner also said that they would take immediate legal actions against AdHub.
Near the end of July CamScanner also released a statement, to spread awareness and urge people to update their antivirus apps and download antivirus apps directly from the Play Store. CamScanner was actually a legitimate app, with no malicious intensions whatsoever, for quite some time. It used ads for monetization and also allowed in-app purchases. But, at some point that changed, and some of the versions of the app shipped with an advertising library containing a malicious module.
What users can learn from this incident is that any app – even one with a good reputation, even one from an official store, and even one with millions of good reviews and a big, loyal user base – can turn into malware overnight. There is no certainty on when anyone can get attacked, every app is just one update away from a major change. To make sure you never find yourself in such trouble, use a reliable antivirus for Android app and scan your smartphone from time to time.
Also, to avoid unnecessary problems, if you have a version that is not updated to its latest version try to uninstall the app. Following this move would prevent and keep your data from getting compromised or misused. If you don’t want to use CamScanner at all then you can also choose from another alternative like an app named ‘CamScanner HD’ from the Play Store, but it is not trust-worthy as the authenticity of the app is doubtfull. For now, some of the best options to scan and convert PDF documents are: Adobe Scan, Microsoft Office Lens or even the in-built scanning functionality of the Google Drive app.
We appreciate the willingness to cooperate that we’ve seen from CamScanner representatives, as well as the responsible attitude to user safety they demonstrated while eliminating the threat. We’ve rephrased the line above about paid subscription services to make it clear that the paid subscriptions initiated by malicious modules are not to be mistaken with a legitimate subscription model that many users adopted by choice. The malicious modules containing the code were removed from the app immediately upon Kaspersky’s warning, and Google Play has restored the app.
A new kind of trojan malware is fast gaining currency among the cybercriminals for the capability to steal sensitive information like – credit card data, cryptocurrency wallets, and email credentials. This new trojan malware is… Raccoon Stealer – A High-risk Trojan Malware
In this article, you will be learning about a recent Ransomware- GlobeImposter, which is distributed through emails. What is GlobeImposter? GlobeImposter is a ransomware-type malicious virus that mimics Purge (Globe) ransomware. The new strain of… GlobeImposter- A Ransomware Distributed Through Emails
ARE OUR MEDICAL RECORDS SAFE ? Privacy has consistently been vital to the doctor – patient relationship, however with innovation and technology becoming a crucial part of the medicinal services industry. Research by worldwide pronounced… ARE OUR MEDICAL RECORDS SAFE ?
Love editing your photos? More than two-dozen android photo-editing apps in the Google Play Store are found to contain malware- redirecting you to the phishing sites. If you have such apps installed, it’s time to… Yellow Camera: A Malicious Google Play Store App
WHAT IS STARLINK? Starlink is a satellite constellation being developed by American organization SpaceX, to give satellite Internet access. The satellite body is worked off a custom minimal effort, elite satellite transport and ground handsets.… SpaceX’s New Launch Project – STARLINK
INTRODUCTION In a public statement, Avast has asserted that the attack on CCleaner was identified on the 23rd of September. The hackers had misused the VPN credentials of an employee in order to gain access… HACKERS TARGET CCLEANER AGAIN
INTRODUCTION The Telecommunication Industry and its specialists have accused numerous researchers for being discreet about the harmful effects of mobile phone radiation from their latest innovation of 5G. Since a lot of these explorations are… IS 5G SAFE ?
In the 21st century, modern cars are utilizing a lot of innovation and technology to stay updated with the rising demands of customers. As a result, it is constantly connected to the web that makes… 4CAN V2 – DESIGNED TO FIND VULNERABILITIES IN MODERN CARS
Proxy Server: A proxy server is a gateway between you and the Internet. An intermediary server separating end users from the websites they browse. Proxy servers also vary in levels of functionality, security, and privacy,… Hack The Proxy – A Bug Bounty Program
The malware which has spread across the world infecting ATMs to blow out all the money is “Cutlet Maker Malware”. One such incident took place at 10am on a late November morning in Freiburg,… Cutlet Maker: The ATM money blower malware !
WHO IS THE LAZARUS GROUP? Lazarus Group also known as the Guardians of Peace is a gathering of cybercriminals consisting of an obscure number of individuals. The term “Lazarus” has been derived from Hebrew word… LAZARUS GROUP ; A GATHERING OF CYBERCRIMINALS
We all leave comprehensive digital footprints whenever we transact online. The more platforms we use, the more digital traces we leave. Internet platforms process financial transactions, including Paypal, Credit card processors, direct banking, Google Wallet,… Blockchain : A Secure Digital Identity
The Winnti group of malware was first reported in 2013 by Kaspersky Lab. Since that year, threat actors leveraging Winnti malware have victimized a diverse set of targets for varied motivations. The name ‘Winnti’ in public was previously used to signify a single actor, pronounced divergence in targeting and tradecraft between campaigns. This has led industry consensus to break up the tracking of the continued use of the Winnti malware under different actor clusters.
Also known as APT 41, Axiom and Blackfly, the Winnti Group has historically been tied to a number of prominent supply chain attacks that replace companies’ legitimate software with weaponised versions in order to infect the machines that install them. Its members have often targeted game developers and their users, inserting backdoors into various games’ build environments. Malware associated with Winnti Group include CCleaner, ShadowPad, ShadowHammer and, of course, Winnti, after which the ATP group is named.
Clusters of Winnti-related activity have become a complex topic in threat intelligence circles, with activity vaguely attributed to different codenamed threat actors. The threat actors utilizing this toolset have repeatedly demonstrated their expertise in compromising Windows-based environments. The expansion injected into Linux tooling indicates iteration outside of their traditional comfort zone. This indicates the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemitry blindspot in many enterprises, as is with Penquin Turla and APT28’s Linux XAgent variant. Utilizing a passive listener as a communications channel is characteristic of the Winnti developers’ foresight in needing a failsafe secondary command and control mechanisms. Chronicle researchers maintain an active interest in clusters of Winnti activity and our research is ongoing.
Researchers determined that a VMProtected packer is used in the PortReuse backdoor. The Winnti Group has also updated the ShadowPad malware with changes that include the randomization of module identifiers. Researchers from ESET have released new details about the Winnti Group which is known for its supply chain attacks.
The white paper released by ESET provides technical analysis of new malware strains used by the Winnti group. Researchers observed that the threat group has added a new backdoor dubbed PortReuse to its malware arsenal. Researchers determined that a unique packer is used in the PortReuse backdoor. After further analysis, they discovered a VMProtected packer that decrypts position-independent code using RC5, with a key based on a static string and the volume serial number of the victim’s hard drive.
Researchers noted that this is the same algorithm that was used by the second stage malware in the attacks against video game developers in 2018. They also observed another payload ‘ShadowPad malware’ with the same VMProtected packer.
Here the PortReuse backdoor does not use a C&C server. Rather, it waits for an incoming connection that sends a “magic” packet by injecting into an existing process to “reuse” a port that is already open. The backdoor employs two techniques to parse incoming data to search for the magic packet. Researchers said “Two techniques are used: hooking of the receiving function (WSARecv or even the lower level NtDeviceIoControlFile) or registering a handler for a specific URL resource on an IIS server using HttpAddUrl with a URLPrefix, to be able to parse incoming data to search for the magic packet.”
On the other hand, the ShadowPad malware retrieves the IP address and the protocol of the C&C server to use by parsing content from the Web set up by the attackers. Researchers noted that the Winnti Group has updated the ShadowPad malware with changes that include the randomization of module identifiers. On a separate note, ESET also reported that the Winnti Group actors continue to use and update their ShadowPad malware, which is still being updated and used multiple times in 2019, while still using the same modular approach with additional obfuscation techniques. A thorough investigation into reputed Chinese APT actor Winnti Group turned up a previously undocumented backdoor that was used to compromise a popular Asian mobile hardware and software vendor perhaps as a prelude to launching a major supply chain attack against its users.
Dubbed PortReuse, the modular malware is a passive network implant that piggybacks on an active process’s open TCP port and then lays in wait for a “magic packet” before launching malicious activity, according to ESET researchers Marc-Etienne M.Léveillé and Mathieu Tartare in a newly released white paper and corresponding blog post. ESET does not specifically name the Asian tech company that was targeted by the malware, but does note that it did notify the company and has been collaborating on a remediation of the attack.
ESET researchers describe PortReuse as a listening-mode modular backdoor that injects into a running process already listening on a TCP port. In essence, it is reusing an already open port; hence, its name. It then hooks the receiving function, and waits for a magic packet to trigger the malicious behavior. Legitimate traffic is forwarded to the real application, so it is effectively not blocking any legitimate activity on the compromised server. ESET further reports that PortReuse’s initial launch file arrives in one of three formats: embedded in a .NET application the launches the Winnti packer shellcode, a VBScript that deserialises and invokes a .NET object that launches the shellcode, or as an executable with shellcode directly at the entry point.
“Only a single file is written to disk to start PortReuse,” the white paper explains. “All other components exist in memory only,” presumably to minimise the malware’s footprint. Additionally, no command-and-control server address is coded into the malware, because it uses NetAgent, a module that handles TCP hooking, to listen in on open sockets for the attacker to connect directly to the compromised host.
NetAgent is just one of the malware’s components. The first of these components to be launched is InnerLoader, which looks for a specific process in which to inject NetAgent and another payload called SK3. The latter of these two payloads decrypts and processes encrypted traffic that is forwarded by NetAgent through a named pipe. The SK3 module comes with two packed executables that are included for the purpose of executing commands in other processes and proxying communications. In some PortReuse variants of, NetAgent and SK3 are packaged together. According to ESET, PortReuse typically targets ports 53, 80, 443, 3389 and 5985.
Knowing the magic packet that triggers the malicious activity, ESET researchers, with assistance from public search engine Censys, scanned the internet for potential victims of the PortReuse campaign and found eight IP addresses that replied with an HTTP response that matched PortReuse’s signature. All of them belonged to the Asian hardware/software manufacturer that was found to be.
Check out our other blogs here:
What is Tor? Tor (The Online Router) is simply a network system that can be used to provide untraceable access to any internet services or websites. The browser is often used as an innocent precaution… Am I Fully Secure Online with TOR Browser?