Martijn Lammerts
My own digital place with a little of everything

Toast Overlay Weaponized to Install Several Android Malware

9 November 2017

We uncovered new Android malware that can surreptitiously install other malware on the affected device via the Toast Overlay attack: TOASTAMIGO, detected by Trend Micro as ANDROIDOS_TOASTAMIGO. The malicious apps, one of which had over 500,000 installs as of November 6, 2017, abuse Android's Accessibility features, which gives them, at least for now, the ability to click ads, install apps, and protect themselves so they persist on the device.

Overlay attacks entail drawing and superimposing Android Views (e.g., images, buttons) atop other running apps, windows, or processes. A typical Toast Overlay attack uses this to trick the user into clicking a window or button chosen by the attacker instead of the legitimate one underneath it. The technique, which was demonstrated earlier this year, leverages a vulnerability in Toast (CVE-2017-0752, patched last September), a feature in Android used to display short notifications over other applications.
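Because the apps described above depend on an enabled accessibility service to do their clicking and installing, one quick triage step on a device is to list which accessibility services are currently enabled and flag any that belong to packages you do not expect. The following is an added example (not code from the original post or from Trend Micro) that parses the value of the `enabled_accessibility_services` secure setting, as printed by `adb shell settings get secure enabled_accessibility_services`, against an allowlist. The allowlist and the sample setting values are constructed for the example.

```python
"""Triage helper: flag enabled Android accessibility services whose package
is not on an allowlist.

Input is the raw value of the 'enabled_accessibility_services' secure
setting. Entries are separated by ':' and each entry is 'package/class';
Android abbreviates the class as '/.Relative' when it lives under the
package name. An empty value or the literal 'null' means nothing is enabled.
"""
from typing import List, Tuple

# Assumed allowlist for this example; a real fleet would use its own.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}


def parse_enabled_services(value: str) -> List[Tuple[str, str]]:
    """Return (package, fully-qualified service class) pairs from the setting."""
    value = value.strip()
    if value in ("", "null"):
        return []
    pairs = []
    for entry in value.split(":"):
        if "/" not in entry:  # tolerate trailing separators or junk
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):  # expand the short form '/.Svc'
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def suspicious_services(value: str, allowed=ALLOWED_PACKAGES) -> List[Tuple[str, str]]:
    """Enabled services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(value) if pkg not in allowed]


# Constructed sample: TalkBack plus an unknown app with an abbreviated class name.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.freeapp/.Svc"
)

if __name__ == "__main__":
    for pkg, cls in suspicious_services(SAMPLE_SETTING):
        print("unexpected accessibility service: %s (%s)" % (pkg, cls))
```

Pipe the real device value in with `adb shell settings get secure enabled_accessibility_services` and inspect anything flagged with `adb shell dumpsys package <pkg>`; a service from a recently installed, unrelated app is the pattern to look for.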

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


REDBALDKNIGHT/BRONZE BUTLER's Daserf Backdoor Now Using Steganography

7 November 2017

REDBALDKNIGHT, also known as BRONZE BUTLER and Tick, is a cyberespionage group known to target Japanese organizations such as government agencies (including defense) as well as those in biotechnology, electronics manufacturing, and industrial chemistry. Their campaigns employ the Daserf backdoor (detected by Trend Micro as BKDR_DASERF, otherwise known as Muirim and Nioupale) that has four main capabilities: execute shell commands, download and upload data, take screenshots, and log keystrokes.

Our recent telemetry, however, indicates that variants of Daserf were used not only to spy on and steal from Japanese and South Korean targets, but also against Russian, Singaporean, and Chinese enterprises. We also found various versions of Daserf that employ different techniques and use steganography, embedding code in unexpected media or locations (e.g., images), to conceal themselves better.
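To make concrete what "embedding code in an image" means, here is an added example (not code from the original post, and not the encoding Daserf uses, which this page does not describe) of the simplest image steganography: a payload written into the least-significant bit of successive pixels of a raw grayscale buffer, with a 4-byte length prefix so the extractor knows where to stop. The carrier and payload bytes are constructed inline; a real carrier would come from decoding an image file.

```python
"""LSB steganography over a raw 8-bit grayscale pixel buffer.

Layout in the LSB stream: 4-byte big-endian payload length, then payload.
Each pixel carries one bit, so the carrier needs (4 + len(payload)) * 8 pixels.
"""
import struct


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Return a copy of pixels with the length-prefixed payload in the LSBs."""
    data = struct.pack(">I", len(payload)) + payload
    nbits = len(data) * 8
    if nbits > len(pixels):
        raise ValueError("carrier too small: need %d pixels, have %d" % (nbits, len(pixels)))
    out = bytearray(pixels)
    for i in range(nbits):
        bit = (data[i // 8] >> (7 - (i % 8))) & 1  # MSB-first within each byte
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(pixels: bytes) -> bytes:
    """Read the length prefix, sanity-check it, then read the payload."""

    def read_bytes(start_pixel: int, count: int) -> bytes:
        buf = bytearray()
        for b in range(count):
            v = 0
            for k in range(8):
                v = (v << 1) | (pixels[start_pixel + b * 8 + k] & 1)
            buf.append(v)
        return bytes(buf)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(pixels):
        # A random image decodes to a huge length; treat that as "no payload".
        raise ValueError("declared length %d does not fit in carrier" % length)
    return read_bytes(32, length)


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change; LSB embedding never exceeds 1."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed carrier (2048 pixels, pseudo-gradient) and payload for the example.
CARRIER = bytes((i * 37) % 256 for i in range(2048))
PAYLOAD = b"constructed-config: c2=example.invalid"

if __name__ == "__main__":
    stego = embed(CARRIER, PAYLOAD)
    print("recovered:", extract(stego))
    print("max pixel change:", max_pixel_delta(CARRIER, stego))
```

The visual invisibility (every pixel changes by at most one level) is exactly why detection has to look elsewhere: at a parser that reads pixel data where an image viewer would not, at an image file fetched by a process that has no business downloading images, or at the decoded content rather than the file's appearance.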

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


ChessMaster’s New Strategy: Evolving Tools and Tactics

6 November 2017

A few months ago, we covered the ChessMaster cyberespionage campaign, which leveraged a variety of toolsets and malware to compromise its targets—primarily organizations in Japan. A few weeks ago, we observed new activity from ChessMaster, with notable evolutions in terms of new tools and tactics that weren't present in the initial attacks.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


App Stores that Formerly Coddled ZNIU Found Distributing a New iXintpwn/YJSNPI Variant

2 November 2017

We covered iXintpwn/YJSNPI in a previous blog post and looked into how it renders an iOS device unresponsive by flooding it with icons. This threat comes in the form of an unsigned profile that, when installed, crashes the standard application that manages the iOS home screen. The malicious profile also exploits certain features to make iXintpwn/YJSNPI more difficult to uninstall.

We recently discovered a new variant of iXintpwn/YJSNPI (detected by Trend Micro as IOS_YJSNPI.A) that uses a signed profile and conducts different attacks from its predecessor. IOS_YJSNPI.A is distributed through either of two app stores, hxxp://m[.]3454[.]com and hxxp://m[.]973[.]com. Based on our analysis, this new variant's main purpose is not to damage the user's operating system, but to lure users into downloading repackaged apps.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


Coin Miner Mobile Malware Returns, Hits Google Play

30 October 2017

Whether mobile devices can actually produce cryptocurrency in any meaningful amount is still doubtful. The effects on users of affected devices, however, are clear: increased device wear and tear, reduced battery life, and comparably slower performance.

Recently, we found apps with malicious cryptocurrency mining capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


A Look at Locky Ransomware’s Recent Spam Activities

19 October 2017

Ransomware has been one of the most prevalent, prolific, and pervasive threats in the 2017 threat landscape, with financial losses among enterprises and end users now likely to have reached billions of dollars. Locky ransomware, in particular, has come a long way since first emerging in early 2016. Despite the number of times it has apparently gone on hiatus, Locky remains a relevant and credible threat given its impact on end users and especially businesses. Our detections show that it is making another comeback with new campaigns.

A closer look at the file-encrypting malware's activities reveals a constant: the use of spam. While spam remains a major entry point for ransomware in general, Locky of late appears to be concentrating its distribution in large-scale spam campaigns, regardless of which variant its operators/developers release.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro
