InfoSec Weekly

Jan 08, 2023

Table Of Contents

SpyNote Android malware infections surge after source code leak

Description

The Android malware family known as SpyNote (or SpyMax) saw a rise in detections in the fourth quarter of 2022, which has been attributed to a source code leak of one of its most recent variants, known as ‘CypherRat.‘‘CypherRat’ combined SpyNote’s spying capabilities, such as remote access, GPS tracking, and device status and activity updates, with banking trojan features that impersonate banking institutions to steal account credentials. From August 2021 to October 2022, CypherRat was sold through private Telegram channels before its author decided to publish its source code on GitHub. Threat actors quickly snatched the malware’s source code and launched their own campaigns. Almost immediately, custom variants appeared that targeted reputable banks. Other actors chose to disguise their versions of CypherRat as Google Play, WhatsApp, and Facebook to reach a larger audience. While it is not disclosed how these malicious apps are spread, they are most likely spread via phishing sites, third-party Android app sites, and social media.

Infected Technology

Android

Source

https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/

Recommendation
  • Do not download third party apps
  • Reject requests to grant access to the Accessibility Service to third party apps.

New shc-based Linux Malware Targeting Systems with Cryptocurrency Miner

Description

A new Linux malware has been discovered that deploys a cryptocurrency miner on compromised systems. The malware is developed using the shell script compiler (shc) and is used to convert shell scripts into binaries to protect against unauthorized source code modifications. This is similar to the BAT2EXE utility in Windows which converts batch files into executables. The malware can bypass detection by security software because the executables are encoded using the RC4 algorithm. After successfully compromising an SSH server, the malware installs a shc downloader and a Perl-based DDoS IRC bot. The shc downloader then fetches the XMRig miner software to mine cryptocurrency, while the IRC bot can connect to a remote server to fetch commands for DDoS attacks. The campaign appears to primarily target poorly secured Linux SSH servers in South Korea. It is recommended that users practice good password hygiene and keep their operating systems up to date to prevent such attacks.

Infected Technology

Linux SSH Servers

Source

https://thehackernews.com/2023/01/new-shc-based-linux-malware-targeting.html

Recommendation

To secure your system, practice good password hygiene and keep your operating system up to date.


Fortinet and Zoho Urge Customers to Patch Enterprise Software Vulnerabilities.

Description

Fortinet has identified a high-severity flaw in multiple versions of its FortiADC application delivery controller that could allow an authenticated attacker to execute unauthorized code or commands via crafted HTTP requests. The vulnerability, tracked as CVE-2022-39947 and internally discovered by Fortinet’s product security team, impacts versions 5.4.0 through 5.4.5, 6.0.0 through 6.0.4, 6.1.0 through 6.1.6, 6.2.0 through 6.2.3, and 7.0.0 through 7.0.2. Users are recommended to upgrade to versions 6.2.4 and 7.0.2 when they become available. The January 2023 patches also address several command injection vulnerabilities in FortiTester (CVE-2022-35845) that could allow an authenticated attacker to execute arbitrary commands. Meanwhile, enterprise software provider Zoho is urging customers to upgrade to the latest versions of Access Manager Plus, PAM360, and Password Manager Pro following the discovery of a severe SQL injection vulnerability (CVE-2022-47523).

Infected Technology

Fortinet’s FortiADC

Source

https://thehackernews.com/2023/01/fortinet-and-zoho-urge-customers-to.html

Recommendation

Password Manager Pro should upgrade to the latest available versions to protect against the identified SQL injection vulnerability. Fortinet’s FortiADC application delivery controller should be upgraded to the latest available versions to protect against the identified vulnerability.

CVE ID
  • CVE-2022-39947
  • CVE-2022-47523
  • CVE-2022-35845

DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers

Description

The US Cybersecurity and Infrastructure Security Agency (CISA) last week published three advisories to describe a total of four high-severity vulnerabilities. Rockwell Automation has published individual advisories for each security hole.One flaw is CVE-2022-3156, which impacts the Studio 5000 Logix Emulate controller emulation software. The vulnerability is caused by a misconfiguration that results in users being granted elevated permissions on certain product services. An attacker could exploit the weakness for remote code execution.The second vulnerability is CVE-2022-3157, which affects CompactLogix, GuardLogix (including Compact), and ControlLogix controllers. An attacker can exploit the flaw to launch a denial-of-service (DoS) attack against a device by sending specially crafted CIP requests that cause a “major non-recoverable fault”.

Infected Technology

Rockwell Automation controllers

Source

https://www.securityweek.com/several-dos-code-execution-vulnerabilities-found-rockwell-automation-controllers

Recommendation
  • Update to the latest version of the system.
  • See Vendor’s guide to mitigate other risks
CVE ID
  • CVE-2022-3156
  • CVE-2022-3157
  • CVE-2022-46670
  • CVE-2022-3166

Dridex Malware Using New Entry Method to Attack macOS

Description

Dridex is a malware that steals sensitive information and executes malicious modules in targeted machines. Initially, the malware used phishing email that contained macro-enabled Microsoft Excel documents as an entry point into the user’s system. However, the analysis by Trend Micro of the Dridex samples contained a Mach-o executable file that runs Auto-Open macro upon opening a Word document. Furthermore, while the macro feature in Microsoft Word is disabled by default, the executable searches and overwrites all “.doc” files in the current user directory with malicious macro code including the clean files which further contacts a remote server to retrieve additional files. While the payload is a .EXE file, which minimizes the impact on macOS as it is not compatible with the environment, the documents can still be overwritten which now carries the Dridex’s malicious macros.

Infected Technology

macOS

Source

https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-new-entry-method.html

Recommendation

Refrain from clicking links or opening attachments and embedded documents in emails


call to action image

Ready to get started?

Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.

Contact Us