Tag Archive for: wormable

Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days – Threatpost


  1. Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days (Threatpost)
  2. Microsoft January 2022 Patch Tuesday: Six zero-days, over 90 vulnerabilities fixed (ZDNet)
  3. Microsoft January 2022 Patch Tuesday fixes 6 zero-days, 97 flaws (BleepingComputer)
  4. First Patch Tuesday of 2022 Brings Fix for a Critical ‘Wormable’ Windows Vulnerability (The Hacker News)
  5. ‘Wormable’ Flaw Leads January 2022 Patch Tuesday (Krebs on Security)

Source…

New wormable Android malware discovered through auto-replies in WhatsApp


Check Point Research has discovered new malware on Google’s Play Store that could spread through WhatsApp messages. 

According to the cybersecurity firm, the malware was designed with the ability to automatically respond to incoming WhatsApp messages on behalf of its victims, and the content of the response was provided by a remote server. 

CPR found the malware hidden in a fake “Netflix” application on Play Store called FlixOnline, which promised “unlimited entertainment” from anywhere in the world.

If successful, the malware enables its threat actors to perform a range of malicious activities, such as:

  • Spread further malware via malicious links
  • Steal credentials and data from users’ WhatsApp accounts
  • Spread fake or malicious messages to users’ WhatsApp contacts and groups – for example, work-related groups


The malware was designed to be wormable, meaning it can spread from one Android device to another after the Android user clicks on the link in the message and downloads the malware. 

How the Malware Works

1. Victim installs the malware from Google’s Play Store
2. The malware starts to “listen” for new notifications on WhatsApp
3. Malware responds to every WhatsApp message the victim receives with a response crafted by the threat actors
4. In this campaign, the response was a fake Netflix site that phished for credentials and credit card information

The Scripted WhatsApp Message

The malware sent the following automatic response to its victims’ incoming WhatsApp messages, attempting to lure others with the offer of a free Netflix service:

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw”.

Disguised in a Fake “Netflix” Application

CPR found the malware hidden within an application on Google Play called “FlixOnline.” The app turned out to be a fake service that claims to allow users to view Netflix content from around the world on their mobiles. However, instead of allowing the mobile user to view Netflix content, the application is…

Source…

Beware — A New Wormable Android Malware Spreading Through WhatsApp



A newly discovered Android malware has been found to propagate itself through WhatsApp messages to other contacts in order to expand what appears to be an adware campaign.

“This malware spreads via victim’s WhatsApp by automatically replying to any received WhatsApp message notification with a link to [a] malicious Huawei Mobile app,” ESET researcher Lukas Stefanko said.

The link to the fake Huawei Mobile app, upon clicking, redirects users to a lookalike Google Play Store website.

Once installed, the wormable app prompts victims to grant it notification access, which is then abused to carry out the wormable attack.


Specifically, it leverages WhatsApp’s quick reply feature — which is used to respond to incoming messages directly from the notifications — to send out a reply to a received message automatically.

Besides requesting permissions to read notifications, the app also requests intrusive access to run in the background as well as to draw over other apps, meaning the app can overlay any other application running on the device with its own window that can be used to steal credentials and additional sensitive information.

The functionality, according to Stefanko, is to trick users into falling for an adware or subscription scam.

Furthermore, in its current version, the malware code is capable of sending automatic replies only to WhatsApp contacts — a feature that could be potentially extended in a future update to other messaging apps that support Android’s quick reply functionality.

While the message is sent only once per hour to the same contact, the contents of the message and the link to the app are fetched from a remote server, raising the possibility that the malware could be used to distribute other malicious websites and apps.

“I don’t remember reading and analyzing any Android malware having such functionality to spread itself via WhatsApp messages,” Stefanko told The Hacker News.

Stefanko said the exact mechanism behind how it finds its way to the initial set of directly infected victims is not clear; however, it’s to be noted the wormable malware can potentially expand from a few devices to many…

Source…

Wormable Gitpaste-12 Botnet Returns to Target Linux Servers, IoT Devices



A new wormable botnet that spreads via GitHub and Pastebin to install cryptocurrency miners and backdoors on target systems has returned with expanded capabilities to compromise web applications, IP cameras, and routers.

Early last month, researchers from Juniper Threat Labs documented a crypto-mining campaign called “Gitpaste-12,” which used GitHub to host malicious code containing as many as 12 known attack modules that are executed via commands downloaded from a Pastebin URL.

The attacks occurred during a 12-day period starting from October 15, 2020, before both the Pastebin URL and repository were shut down on October 30, 2020.

Now according to Juniper, the second wave of attacks began on November 10 using payloads from a different GitHub repository, which, among others, contains a Linux crypto-miner (“ls”), a file with a list of passwords for brute-force attempts (“pass”), and a local privilege escalation exploit for x86_64 Linux systems.

The initial infection happens via X10-unix, a binary written in the Go programming language, which proceeds to download the next-stage payloads from GitHub.

“The worm conducts a wide-ranging series of attacks targeting web applications, IP cameras, routers and more, comprising at least 31 known vulnerabilities — seven of which were also seen in the previous Gitpaste-12 sample — as well as attempts to compromise open Android Debug Bridge connections and existing malware backdoors,” Juniper researcher Asher Langton noted in a Monday analysis.

Included in the list of 31 vulnerabilities are remote code flaws in F5 BIG-IP Traffic Management User Interface (CVE-2020-5902), Pi-hole Web (CVE-2020-8816), Tenda AC15 AC1900 (CVE-2020-10987), and vBulletin (CVE-2020-17496), and an SQL injection bug in FUEL CMS (CVE-2020-17463), all of which came to light this year.

It’s worth noting that Ttint, a new variant of the Mirai botnet, was observed in October using two Tenda router zero-day vulnerabilities, including CVE-2020-10987, to spread a Remote Access Trojan (RAT) capable of carrying out denial-of-service attacks, executing malicious commands, and opening a reverse shell for remote access.

Aside from installing X10-unix and the Monero crypto mining…

Source…