Weekly Cyber Intel Feed

This thread is a weekly series that will focus on 3-5 of the most impactful threats in the environment. The series will focus on threats that affect everyday people, but will still include threats targeting businesses if they are particularly dangerous or prevalent. If you have a business and you’d like a more detailed and tailored threat intel report on what is likely to affect your business, please go over to the contact me page and submit a form and I’ll be sure to get back to you!

Tuesday September 19th 2017

Display Widgets

What is it?

Display Widgets is a plugin that has compromised about 200,000 WordPress sites as of September 15th. It has been around for several months and has been removed on four occasions, but it continues to find a way to reappear.


What does it do?

The plugin allows the author to publish content to any website that has the plugin installed.

Recommendations

As a preventative measure, ensure that your website is being properly backed up so that any alterations can quickly be removed and your previous website restored. Keep track of which plugins you have running on your site, and do a little research before adding new ones, such as searching for the plugin on Google and finding out who the authors are.
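Keeping track of which plugins are actually present on a site is easier with a script than by memory. The following shell script is an added example, not code from the original post or from WordPress: it lists every directory under the standard wp-content/plugins layout that is not on an approved list, so an unexpected addition (such as a plugin that reappeared after being removed) stands out. The allow-list format (one plugin directory name per line) and the sample site it builds in a temporary directory are my own constructions.

```shell
# Added example: audit installed WordPress plugin directories against an
# approved list. Assumes the standard wp-content/plugins layout; the
# allow-list file format (one directory name per line) is this example's choice.

# unapproved_plugins PLUGINS_DIR ALLOWLIST_FILE
# Prints, sorted one per line, every plugin directory name that does not
# appear as a whole line in ALLOWLIST_FILE.
unapproved_plugins() {
    plugins_dir="$1"
    allowlist="$2"
    for entry in "$plugins_dir"/*/; do
        [ -d "$entry" ] || continue          # skip the literal glob when empty
        name=$(basename "$entry")
        # -q quiet, -x whole-line match, -F fixed string (no regex surprises)
        grep -qxF -- "$name" "$allowlist" || echo "$name"
    done | sort
}

# plugin_audit_ok PLUGINS_DIR ALLOWLIST_FILE
# Returns 0 when every installed plugin is approved, 1 otherwise.
plugin_audit_ok() {
    [ -z "$(unapproved_plugins "$1" "$2")" ]
}

# make_sample_site
# Builds a constructed sample site in a temp dir: two approved plugins and
# one (display-widgets) that is installed but not on the approved list.
# Prints the site path.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/plugins/akismet" \
             "$site/wp-content/plugins/display-widgets" \
             "$site/wp-content/plugins/contact-form"
    printf 'akismet\ncontact-form\n' > "$site/approved-plugins.txt"
    echo "$site"
}

# Demonstration on the constructed sample site.
demo_site=$(make_sample_site)
echo "Plugins not on the approved list:"
unapproved_plugins "$demo_site/wp-content/plugins" "$demo_site/approved-plugins.txt"
rm -rf "$demo_site"
```

Run the audit from cron on the web server and alert on any non-empty output; when a plugin is added deliberately, add its directory name to the approved list in the same change so the list stays an inventory of what you meant to install.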


Phishing Campaign using LinkedIn’s InMail

What is it?

This phishing campaign uses compromised LinkedIn accounts to try to steal other users’ credentials. It uses LinkedIn’s “InMail” feature to send out a link that redirects the user to a fake login page for Gmail, Yahoo or AOL and captures the information they enter.

What does it do?

Using the InMail feature, the actors send a shortened “Owd{.}ly” link, claiming that the sender is sharing a document via Google Drive. Once someone clicks on the prompt they are directed to a fake login page, and any credentials they enter are recorded.

Recommendations

Any email or message that asks you to follow a link should be considered suspicious, especially if it comes from someone you do not know well; this is a common indicator of a phishing attack. If you’re an employee, most workplaces offer free online courses on how to identify a phishing email or message.


ExpensiveWall

What is it?

ExpensiveWall is mobile malware that has affected over 100 apps in the Google Play Store and has been downloaded between 5.9 and 21.1 million times. Its purpose is to generate revenue.

What does it do?

ExpensiveWall generates revenue by registering users for premium services and sending premium SMS messages without the user’s awareness. It is also capable of mimicking clicks and can hide confirmation SMS messages to remain undetected by users.

Recommendations

As of today ExpensiveWall has been removed from the Google Play Store. To avoid getting infected with malware like this, the best preventative measure is to ensure that your mobile device has all of the latest security patches. It is also important to review the requested permissions when installing a new application.

Tuesday August 22nd 2017

GhostClicker

What is it?

GhostClicker is auto-clicking adware that has been found in about 340 different apps in the Google Play Store. Some apps were removed by Google Play, but as of August 7th about 101 infected apps still remained. One app in particular had over 5 million downloads.

What does it do?

The purpose of GhostClicker is to generate advertising revenue by generating clicks on advertisements using the device it is installed on.

Recommendations

To avoid downloading apps such as this, keep your phone fully patched and use trusted antivirus software. When downloading apps, pay attention to what permissions the app requests, and review comments from other users if it is not an app that you already trust.

Soniac (SonicSpy)

What is it?

Soniac is the latest app belonging to a family known as “SonicSpy”. Thousands of spyware apps have been discovered in this family, which is linked to a threat actor suspected of being based in Iraq.

What does it do?

Soniac is a piece of spyware marketed as a messaging app on the Google Play Store. It looks even more legitimate because it does offer functionality as a messaging app, but it also gives its creator significant control over the device it is installed on. Its capabilities include covertly recording audio, taking pictures without consent, making outbound calls, sending texts and collecting information such as contacts, call logs and details about Wi-Fi access points.

Recommendations

The way to avoid spyware such as Soniac and the rest of the SonicSpy family is to be very careful about the apps that you download to your phone. Try to stick to apps from reputable and well-established companies, and pay close attention to what access an app requires when it is being downloaded and installed on your device.

Stealthy Mughthesec

What is it?

This is Mac adware discovered by a security researcher named Patrick Wardle. The adware is made to imitate an Adobe Flash installer. If it detects that it is being run on a virtual machine, it installs a legitimate copy of Adobe Flash; if it is being run on a physical machine, it reaches out to a command and control server and asks you to install a fake Advanced Mac Cleaner, an adware program (Safe Finder) and a browser hijacker (Booking.com).

What does it do?

The result is a compromised Safari homepage that points to the search page, plus an installed Safari extension called AnySearch. This Safari extension changes the search engine in the address bar, injects ads and displays alerts claiming to have found issues with your computer and demanding payment to fix them.

Recommendations

If you have already been infected, delete all of the installed apps and the AnySearch browser extension, and delete the Mughthesec launch agent (~/Library/LaunchAgents/com.Mughthesec.plist). If you haven’t been infected, be careful about what apps you download to your Mac. Apple has revoked the developer certificate used by Mughthesec so that macOS will not run the fake installer, but a new version with a valid certificate can be created fairly easily.
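Because the cleanup step above hinges on finding the launch agent, a quick review of what is in ~/Library/LaunchAgents is a sensible first move. The script below is an added example, not code from the original post or from the researcher’s write-up: it lists every .plist in a LaunchAgents directory, flags any whose file name or contents match a pattern (defaulting to Mughthesec, the only name the post gives), and moves a flagged agent into a quarantine directory rather than deleting it outright, which is this example’s own choice so the file can still be examined. The sample plist files it builds in a temporary directory, including the placeholder program path, are constructed for the demonstration.

```shell
# Added example: review a LaunchAgents directory for a named persistence
# item. The path ~/Library/LaunchAgents/com.Mughthesec.plist comes from the
# post; the sample plist contents and the quarantine step are this example's.

# suspicious_launch_agents DIR [PATTERN]
# Prints one line per .plist in DIR: "SUSPECT name" when the file name or
# body matches PATTERN (default Mughthesec, case-insensitive), else "ok name".
suspicious_launch_agents() {
    dir="$1"
    pattern="${2:-Mughthesec}"
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue              # skip the literal glob when empty
        name=$(basename "$f")
        if printf '%s' "$name" | grep -qi -- "$pattern" || grep -qi -- "$pattern" "$f"; then
            echo "SUSPECT $name"
        else
            echo "ok      $name"
        fi
    done
}

# count_suspects DIR [PATTERN]: prints how many agents were flagged.
count_suspects() {
    suspicious_launch_agents "$1" "${2:-Mughthesec}" | grep -c '^SUSPECT' || true
}

# quarantine_agent PLIST_PATH QUARANTINE_DIR
# Moves the agent out of LaunchAgents so it no longer loads at login, but
# keeps the file for later inspection instead of deleting it.
quarantine_agent() {
    mkdir -p "$2"
    mv -- "$1" "$2/"
}

# make_sample_launchagents
# Builds a constructed LaunchAgents directory in a temp dir with one benign
# agent and one named like the Mughthesec agent. Prints the directory path.
make_sample_launchagents() {
    d=$(mktemp -d)
    cat > "$d/com.example.backup.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/PLACEHOLDER/path/backup</string></array>
</dict>
</plist>
EOF
    cat > "$d/com.Mughthesec.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.Mughthesec</string>
  <key>ProgramArguments</key><array><string>/PLACEHOLDER/path/agent</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    echo "$d"
}

# Demonstration on the constructed directory (on a real Mac you would pass
# "$HOME/Library/LaunchAgents" instead).
demo_dir=$(make_sample_launchagents)
suspicious_launch_agents "$demo_dir"
echo "flagged: $(count_suspects "$demo_dir")"
rm -rf "$demo_dir"
```

Matching on file contents as well as the file name means a renamed copy of the agent is still caught as long as the label inside it is unchanged; a rebuilt variant with a new name and label, which the post warns is easy to produce, would need the pattern updated.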
