Archive for malware

RatMilad Android Malware Targets Middle East Users In New Campaign 

Posted in Commentary with tags on October 7, 2022 by itnerd

Zimperium released a blog post on Wednesday that details a novel Android malware called RatMilad which is targeting Middle Eastern enterprise mobile devices by concealing itself as a VPN and phone number spoofing app:

The original variant of RatMilad hid behind a VPN, and phone number spoofing app called Text Me with the premise of enabling a user to verify a social media account through a phone, a common technique used by social media users in countries where access might be restricted, or that might want a second, verified account. Armed with the information about the spyware, the zLabs team has recently discovered a live sample of the RatMilad malware family hiding behind and distributed through NumRent, a renamed and graphically updated version of Text Me.

The phone spoofing app is distributed through links on social media and communication tools, encouraging them to sideload the fake toolset and enable significant permissions on the device. But in reality, after the user enables the app to access multiple services, the novel RatMilad spyware is installed by sideloading, enabling the malicious actor behind this instance to collect and control aspects of the mobile endpoint. As seen in the demo installation video below, the user is asked to allow almost complete access to the device, with requests to view contacts, phone call logs, device location, media and files, as well as send and view SMS messages and phone calls.

Clearly the threat actor or actors behind this are sophisticated, which makes them very dangerous.

Dale Waterman, who is based in Dubai and is the Managing Director at Breakwater Solutions for the Middle East, noted:

“The fact that this version of the RatMilad malware is targeting mobile phone users in the Middle East with Android operating systems by hiding behind a fake VPN comes as no surprise. Cybercriminals are using trusted platforms like Telegram and WhatsApp to distribute download links to the spyware because they recognize that many governments in the region do not permit the call functionality of apps like WhatsApp. Residents are able to use messaging, but not the (free) call services. If you consider the number of expats living and working across the Middle East, with many away from immediate family and loved ones, then it becomes obvious why bad actors would use a VPN scam to socially engineer access to devices. This is compounded by the fact that GDPR-like privacy laws are only now being implemented across the Middle East, but not actively enforced yet by most data protection authorities. Consumers in the region are therefore completely de-sensitized to being constantly bombarded with unsolicited marketing and offers. This reduces the likelihood of consumers questioning the origin of the messages.”

This just highlights that you have to have your head on the metaphorical swivel when it comes to threats as this one is distributed via platforms that are trusted by many.

CoinStomp Malware Is Making The Rounds

Posted in Commentary with tags on February 2, 2022 by itnerd

Cado Security has uncovered a new malware family, named CoinStomp, which is targeting Asian cloud service providers to mine cryptocurrency. The firm’s researchers have found that the overall purpose of CoinStomp is to quietly compromise instances in order to harness their computing power to illicitly mine cryptocurrency. Hijacking computers to mine cryptocurrency has become a “thing” with various threat actors in recent years.

Saryu Nayyar, CEO and Founder of Gurucul, had this to say:

“Unfortunately, these types of attack campaigns are most successful when spreading their efforts across multi-cloud environments as most XDR and traditional SIEM solutions, while multi-cloud enabled or supported, cannot correlate and perform advanced analytics across multi-cloud environments. In addition, an understanding of access entitlements to specific applications, user and entity behavioral baselining combined with self-learning out-of-the-box machine learning models can be extremely effective at escalating the impact of the threat activity that may be difficult to detect otherwise. We can see as part of this attack that access privilege violations can have a major impact on its success. This is extremely challenging for most current threat detection and response solutions to automatically detect and often requires a lot of manual analyst investigation to determine. However, there is a small subset of next generation SIEM vendors that are capable of employing some of the security capabilities outlined here.”

Cryptocurrency miners can sometimes be very hard to detect. But the video below might be of assistance in at least getting an idea as to whether you might have this sort of malware running around in your environment.

Bell: Throttles Your BitTorrent And Serves Up Malware Too

Posted in Commentary, Security with tags on April 9, 2008 by itnerd

The Toronto Star has an interesting article about Bell Canada’s Internet Service (one assumes that they’re talking about Sympatico) carrying the most malicious activity in Canada. That would include things like viruses, malware, spyware, etc. A spokesman for Symantec (who authored the study) said the following:

“Since Bell is Canada’s largest Internet provider, it’s not surprising that its users were either knowingly or unknowingly responsible for 17 per cent of what’s termed “malicious” or “undesirable” activity here, said Dean Turner, Calgary-based director of Symantec’s global intelligence network.”

To absolutely nobody’s surprise, Bell rejects their findings. Jason Laszlo, who is Bell’s sock puppet spokesman, said the following:

“We flat-out refuse to accept these statistics as valid,” Laszlo said. “And if Symantec is not able to properly substantiate these claims, we will demand that they withdraw and amend their findings.”

Oooh… Symantec is soooo scared.

One has to wonder if part of the reason why they’re picking on Bell is that Symantec supplies consumer security products to Rogers for their Internet offering. In any case, Bell can likely solve this problem by getting those beavers of theirs to stop throttling the DSL connections of their customers (both retail and their resellers) and have them focus instead on dealing with whatever issue (perceived or real) they have with malware.

UPDATE: The Globe And Mail has a more detailed version of this story. One quote worth noting is that he believes that traffic shaping (aka throttling) can deal with this issue:

“The net side effect is that when traffic shaping takes place, there are things that ISPs can do to reduce levels of malicious activity but so can users,” he said.

That seems a stupid thing to say considering he also said this:

“Users have to assume responsibility for their actions. Some people will be unaware that their computers are behaving badly while other people will be perfectly aware that their computers are behaving badly.”

That last statement implies that education and not throttling is the answer. In any case, he needs to clarify his statement.

UPDATE #2: Here’s a link to the actual research paper that I believe the article was referring to. (Warning: PDF Attached) The weird thing is that Bell is not mentioned in this PDF, but the rest of the facts in the PDF fit.