EtherHiding: Malware Campaign Exploits Binance's Smart Chain to Serve Deceptive Browser Updates
SpyNote Android Banking Trojan Unveiled: A Stealthy Threat with Invasive Capabilities
Threat Actors Evade Detection with 'Next Level' Bulletproof Hosting Tactic
In a cyber twist that sounds like it's straight out of a thriller, a devious malware campaign dubbed "EtherHiding" has emerged, taking advantage of Binance's Smart Chain (BSC) contracts to serve malicious code. Guardio Labs discovered this campaign, and it marks a significant escalation in the ongoing battle against online threats. Initially, the attackers utilized compromised WordPress sites, tricking visitors with fake browser update warnings, ultimately leading to the deployment of information-stealing malware. But when their initial hosting method was taken down, they cleverly pivoted to the decentralized and anonymous world of blockchain, making their campaign harder than ever to detect and stop.
Security experts Nati Tal and Oleg Zaytsev commented, "This campaign is up and harder than ever to detect and take down." This devious campaign targets WordPress sites, exploiting vulnerabilities in plugins and known security flaws, giving attackers the power to hijack websites at will. The latest attacks involve injecting obfuscated JavaScript into infected sites that queries Binance's Smart Chain to reach a smart contract controlled by the attacker. This contract retrieves a third-stage payload from a command-and-control server to serve deceptive browser update notices. When victims click the update button, they unknowingly download a malicious executable from legitimate file hosting services, making it an intricate and elusive operation.
What makes it even more challenging to combat is that the decentralized nature of blockchain hosting means there's currently no way to intervene and disrupt the attack chain. As the researchers pointed out, "Visitors of compromised WordPress sites have no clue as to what is going on under the hood." The malware campaign, despite being tagged as fake and malicious, continues to deliver its harmful payload, leaving users at risk.
This is part of a broader campaign called "ClearFake," which employs a JavaScript framework to deploy malware on compromised websites using drive-by download techniques. The attack chains lead to the deployment of various malware loaders and trojans, suggesting a connection between different threat groups. So, users of WordPress, beware! It's crucial to follow security best practices, keep your systems updated, remove unwanted admin users, and use strong passwords to protect your website from these stealthy attackers. Stay safe in the ever-evolving world of cyber threats.
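For site owners who want to check their own pages for this kind of injection, the following is an added example (not Guardio Labs' code or anything published with the campaign research). It parses the inline script blocks of a saved page and scores each one on the three traits the summary above describes: a call to a Binance Smart Chain JSON-RPC endpoint, a read-only EVM RPC method such as eth_call, and decode/dynamic-evaluation primitives typical of obfuscated loaders. The endpoint hostname pattern, the sample HTML and the scoring threshold are assumptions for illustration, not indicators taken from the report.

```python
"""Heuristic scanner for EtherHiding-style script injections in saved page HTML.

Added example, not the researchers' code. Hostname pattern, sample page and
threshold are assumptions; treat hits as leads for manual review, not verdicts.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Assumed indicator: public BSC JSON-RPC hosts of the form bsc-dataseed*.binance.org.
RPC_HOST_RE = re.compile(r"bsc-dataseed[\w.-]*\.binance\.org", re.I)
# EVM JSON-RPC methods that read contract state without sending a transaction.
RPC_METHOD_RE = re.compile(r"\beth_(call|getCode)\b")
# Decoding / dynamic-evaluation primitives commonly used to unpack a fetched payload.
OBFUSCATION_RE = re.compile(
    r"\batob\s*\(|\beval\s*\(|new\s+Function\s*\(|\\x[0-9a-f]{2}", re.I)


@dataclass
class Finding:
    index: int      # position among the page's non-empty inline <script> blocks
    score: int      # number of trait categories matched (0..3)
    reasons: list   # names of the categories that matched


class _ScriptCollector(HTMLParser):
    """Collects the text of every inline <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def extract_inline_scripts(html):
    """Return the bodies of inline scripts; external <script src> tags have no body and are skipped."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return [s for s in parser.scripts if s.strip()]


def score_script(js):
    """Score one script body: one point per trait category present."""
    reasons = []
    if RPC_HOST_RE.search(js):
        reasons.append("bsc-rpc-host")
    if RPC_METHOD_RE.search(js):
        reasons.append("evm-rpc-method")
    if OBFUSCATION_RE.search(js):
        reasons.append("obfuscation")
    return len(reasons), reasons


def scan_page(html, threshold=2):
    """Return findings for every inline script reaching the (assumed) threshold."""
    findings = []
    for i, js in enumerate(extract_inline_scripts(html)):
        score, reasons = score_script(js)
        if score >= threshold:
            findings.append(Finding(i, score, reasons))
    return findings


# Constructed sample page: one benign analytics stub, one external script,
# and one fragment that carries the traits described in the summary.
SAMPLE_HTML = """<html><head>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}</script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Hello</p>
<script>var h="https://bsc-dataseed.binance.org/";var q={"jsonrpc":"2.0","method":"eth_call"};/* ... */eval(atob(r));</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_HTML):
        print(f"script #{f.index}: score {f.score} ({', '.join(f.reasons)})")
```

A single trait is deliberately below the threshold: plenty of legitimate plugins call atob or build functions dynamically, and a wallet plugin may legitimately talk to BSC. It is the combination of chain lookup plus decode-and-run inside an inline script on a content site that deserves a look, ideally compared against a known-clean copy of the theme files.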
SMS Phishing Campaigns Weaponize Spyware, Evading Detection and Data Theft
In the world of Android malware, SpyNote is a formidable adversary, and it's just been laid bare, revealing its extensive information-gathering arsenal. This cunning banking trojan is typically disseminated through SMS phishing campaigns, luring victims into installing the app via embedded links, as disclosed by cybersecurity experts at F-Secure.
SpyNote doesn't stop at seeking invasive permissions to access call logs, camera, SMS messages, and external storage. What sets it apart is its talent for remaining hidden from prying eyes, camouflaging itself on the Android home screen and the Recents screen, making it incredibly challenging to detect.
F-Secure researcher Amit Tambe explained, "The SpyNote malware app can be launched via an external trigger. Upon receiving the intent, the malware app launches the main activity." However, its real power lies in obtaining accessibility permissions, which it then exploits to grant itself even more permissions. This includes the ability to record audio and phone calls, log keystrokes, and capture screenshots using the MediaProjection API.
But there's more to this threat. A closer examination has revealed the existence of diehard services, designed to thwart any attempts at termination, whether by victims or the Android operating system. This is achieved by registering a broadcast receiver that automatically restarts the malware whenever it's on the verge of being shut down. Additionally, trying to uninstall the malicious app via the device's Settings is an exercise in frustration, as it cleverly thwarts attempts by exploiting accessibility APIs.
As Amit Tambe pointed out, "The SpyNote sample is spyware that logs and steals a variety of information, including key strokes, call logs, information on installed applications, and so on. It stays hidden on the victim's device making it challenging to notice. It also makes uninstallation extremely tricky." In fact, victims are left with no recourse but to perform a factory reset, wiping all data in the process.
This revelation coincides with the disclosure by F-Secure of a deceptive Android app posing as an operating system update. It entices victims into granting accessibility services permissions and then stealthily siphons off SMS and bank data, highlighting the ever-evolving and insidious nature of cyber threats in the Android ecosystem. Stay vigilant, Android users!
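The traits F-Secure describes (an accessibility service the app abuses to grant itself more permissions, a receiver that relaunches it, invasive permissions, and activities kept off the home and Recents screens) are visible in an app's manifest before it is ever installed. The following added example, which is not F-Secure's code, triages a decoded AndroidManifest.xml for them. It assumes the manifest has already been extracted to plain XML (as apktool produces), takes a boot-completed receiver as one representative restart trigger, and uses a constructed sample manifest and a constructed permission list as its heuristics.

```python
"""Static triage of a decoded AndroidManifest.xml for SpyNote-style traits.

Added example, not F-Secure's code. The sample manifests, the permission set
and the choice of BOOT_COMPLETED as the restart trigger are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Qualified attribute name for android:<name> as ElementTree sees it."""
    return f"{{{ANDROID_NS}}}{name}"


# Permissions covering the data sources named in the report (assumed heuristic set).
INVASIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
}


def triage_manifest(xml_text):
    """Return a dict mapping each matched trait to the components or permissions behind it."""
    root = ET.fromstring(xml_text)
    findings = {}

    requested = {e.get(android_attr("name")) for e in root.findall("uses-permission")}
    invasive = sorted(requested & INVASIVE_PERMISSIONS)
    if invasive:
        findings["invasive-permissions"] = invasive

    app = root.find("application")
    if app is None:
        return findings

    # An accessibility service must declare BIND_ACCESSIBILITY_SERVICE on its <service>.
    for svc in app.findall("service"):
        if svc.get(android_attr("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.setdefault("accessibility-service", []).append(svc.get(android_attr("name")))

    # Receiver that fires at boot: one way a "diehard" service gets itself restarted.
    for rcv in app.findall("receiver"):
        actions = {a.get(android_attr("name")) for a in rcv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.setdefault("boot-persistence", []).append(rcv.get(android_attr("name")))

    activities = app.findall("activity")
    # No LAUNCHER category anywhere means no home-screen icon.
    has_launcher = any(
        c.get(android_attr("name")) == "android.intent.category.LAUNCHER"
        for act in activities for c in act.iter("category")
    )
    if not has_launcher:
        findings["no-launcher-icon"] = []

    # excludeFromRecents keeps the activity off the Recents screen.
    hidden = [act.get(android_attr("name")) for act in activities
              if act.get(android_attr("excludeFromRecents")) == "true"]
    if hidden:
        findings["excluded-from-recents"] = hidden
    return findings


def risk_score(findings):
    """Number of distinct traits present; each one alone is legitimate in some apps."""
    return len(findings)


# Constructed sample: an "update" app showing every trait at once.
SAMPLE_SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="System Update">
    <activity android:name=".MainActivity" android:excludeFromRecents="true"/>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with a launcher icon and no invasive permissions.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        f = triage_manifest(xml)
        print(f"{label}: score {risk_score(f)} {f}")
```

Screen readers, keyboards and automation tools legitimately declare accessibility services, and many apps restart at boot, so the score is a triage aid: an app that combines an accessibility service with no launcher icon and call-log or SMS access, as the sample does, is what the report warns about.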
Jobs/Internships:
Ada - Intermediate Full Stack Engineer, Growth - Fully Remote
Improbable - Full Stack Senior Software Engineer – Backend Services - Fully Remote
Stripe - Software Engineering, New Grad - On-site
CrowdStrike - Sr. Software Engineer - Cloud Platform (Remote) - New York, NY
Intel - GPU Software Engineering Intern - Gdansk Metropolitan Area - On-site
Johns Hopkins University Applied Physics Laboratory - 2024 Internship - Computer Scientist / Applied Mathematician / Engineer - Scientific Applications for Intelligence, Surveillance, and Reconnaissance - Laurel, MD
MKS - 2024 Summer Undergraduate Intern/Co-op - Software Engineer - Rochester, NY
John Deere - Product Engineering Intern - Electrical/Software Design, Spring 2024 - Grovetown, GA