Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cybersecurity and malware attacks in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:

Neu Cyber Threats

Malware exploiting Microsoft’s E-Signature verification

Cyber criminals are exploiting Microsoft’s digital signature verification to steal user credentials and other sensitive information by delivering the ZLoader malware – this has previously been used to distribute Ryuk and Conti ransomware, researchers found.

Researchers discovered the cyber criminal group, Malsmoke, delivering the campaign, which they traced back to November 2021. Researchers said: “What we found was a new ZLoader campaign exploiting Microsoft’s digital signature verification to steal sensitive information of users – people need to know that they can’t immediately trust a file’s digital signature.”

Attackers have already claimed 2,170 unique victims in 111 countries. The bigger detail is that attackers are updating their attack methods on a weekly basis in an evolving campaign that remains very active. ZLoader is a banking trojan that uses web injection to steal cookies, passwords and other sensitive information from victims’ machines.

Attackers also use ZLoader as the payload in multiple spear-phishing campaigns. This included one in March 2020 that aimed to take advantage of the outbreak of the COVID-19 pandemic. Other methods of attack have seen the criminals spread ZLoader via Google AdWords in a campaign that used a mechanism to disable all Windows Defender modules on victim machines.

This particular campaign leverages Java in its attack vector. This begins by installing a legitimate remote management program that impersonates a Java installation. Once this occurs, the attacker has full access to the system and is able to upload/download files and run scripts. Eventually, attackers run a file called “mshta.exe” with the file “appContast.dll” as the parameter – which appears to be a Microsoft trusted file – to deliver the payload.

Microsoft advises its users to apply the company’s update for strict Authenticode verification immediately to avoid falling victim to the campaign – especially since it is not applied by default. Users should follow typical common-sense security practices to avoid installing programmes from unknown sources or sites, clicking on unfamiliar links or opening unfamiliar attachments received in emails.
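An added check for the strict Authenticode verification setting mentioned above (example code, not part of the original post): it assumes the opt-in is the EnableCertPaddingCheck registry value that Microsoft's update added support for, and it lets you inspect the signature status of any file you choose.

```powershell
# Added example (not from the original post). Assumes the strict-verification
# opt-in is the EnableCertPaddingCheck value under Wintrust\Config, which the
# Microsoft update adds support for but does not enable by default.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'   # 64-bit hosts only
)

function Test-StrictAuthenticode {
    # Returns one object per registry path; Enabled is $true only when the value is "1".
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{ Path = $p; Enabled = ($v -eq '1') }
    }
}

function Enable-StrictAuthenticode {
    # Creates the key if missing and sets the REG_SZ value to "1". Requires an elevated shell.
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name EnableCertPaddingCheck -PropertyType String -Value '1' -Force | Out-Null
    }
}

function Get-SignerSummary {
    param([Parameter(Mandatory)][string]$File)
    # Status is 'Valid' only when the signature chain verifies; anything else
    # (NotSigned, HashMismatch, UnknownError) should be treated as untrusted.
    $sig = Get-AuthenticodeSignature -FilePath $File
    [pscustomobject]@{
        File   = $File
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        Issuer = $sig.SignerCertificate.Issuer
    }
}

Test-StrictAuthenticode
# Inspect the Microsoft-signed host binary named in the article, then any file you are unsure about.
Get-SignerSummary -File "$env:SystemRoot\System32\mshta.exe"
```

Run Enable-StrictAuthenticode once from an elevated prompt and re-run Test-StrictAuthenticode to confirm both paths report Enabled = True.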

Fake iPhone shutdowns enable spying

A new iPhone technique, known as ‘NoReboot’, can hijack and prevent any shutdown process that a user initiates, simulating a real power-off while allowing malware to remain active in the background. This helps cyber criminals to prevent victims of mobile malware from shutting down their device – which often wipes out any bad code.

Researchers have described “NoReboot” as “the ultimate persistence bug”. The tactic provides a perfect cover for malicious activity, since an infected user might think “that the phone has been powered off, but in fact, it’s still running,” researchers explained. “The NoReboot approach simulates a real shutdown. The user cannot feel a difference between a real shutdown and a fake shutdown. There is no user-interface or button feedback until the user turns the phone back ‘on’…we cannot, and should not, trust a normal reboot.”

Typically, users turn off their iPhones by holding down the volume down and power button at the same time, then sliding the “power off” slider on the touchscreen. After that, the only real indication that the phone is off is the fact that the screen is unresponsive and doesn’t “wake up” when tapped or when the side button is clicked – and calls, text and app notifications cease.

To simulate this state, NoReboot starts by injecting code into three daemons responsible for controlling the shutdown event. The code forces SpringBoard to exit, also blocking it from launching again. Researchers explained: “SpringBoard is responsible for responding to user behavior and interaction, without it, the device looks and feels as if it is not powered on.”

At this point, there’s no physical indication that the iPhone is on, but it remains fully awake and connected to the internet. That allows nefarious types to do what they wish on the device without fear of discovery. Researchers were able to eavesdrop on test users via both the camera and the microphone, all while the phone appeared to be turned off.

From a practical perspective, researchers pointed out that the technique could be built into malware designed to detect when a user is trying to turn off the phone; or the malware could simulate a “low battery” state to use as an excuse for a “shutdown.” When a user goes to turn the phone back on, the normal routine is that the Apple logo appears as the phone wakes up.

NoReboot can simulate this as well, which maintains the illusion to convince the user that the iPhone has been successfully powered off and restarted. Once again, this is accomplished by hijacking the process through code injection. Researchers noted that even though they call the issue a “persistence bug,” it can’t actually be patched because it’s not exploiting any bugs – they’re playing tricks with the human mind. The technique works on every version of iPhone, and to prevent it, Apple would need to build in a hardware-based indicator for iPhone sleep/wake/off status.

To protect themselves, iPhone users should run standard checks for malware and trojanised apps, and take the usual vetting precautions when downloading and installing new apps.

Google Voice authentication scam leaving victims in the lurch

Police are seeing lots of malicious Google Voice activity, where victims are associated with fraudulent virtual phone numbers.

A common scam is as follows: you get a text or email from somebody who thinks they’ve found your lost post – or somebody who wants to buy your sofa posted for sale online. The sender tells you that they don’t want to get scammed. They’ve heard about fake online listings and want to verify that you’re a real person and not a bot.

They send you a Google authentication code in the form of a voice call or a text message, and then ask you to repeat the number back to them to prove you’re real. In reality, they’re setting up a Google Voice account in your name, using your phone number, and the “authentication” code is actually the multi-factor verification code needed to complete the set-up process.

The Google Voice service offers virtual phone numbers that can be used to make domestic and international calls, or send and receive text messages from a browser. That account can be used to launch any number of scams, all without the ability to be traced directly back to the scammer. Additionally, the code can be used to gain access to, and hijack, Gmail accounts.

The scammers often use the Google Voice number in fraudulent ads on marketplace websites for other criminal activity, as they can hide their true identity and leave the victim looking like the guilty party. Sometimes scammers look for other information about the target that they can use to access online accounts or open new accounts in the victim’s name.

The message Google sends out warns recipients not to share the number with anyone, although the scammers disguised the message by having it sent in a foreign language. Unfortunately for users, this is a tough scam to detect. Targets aren’t asked for personal data or account numbers.

Several ways for consumers to protect themselves from such scams include:

  • Never share a Google verification code of any kind with other parties.
  • Only deal with online buyers and sellers in person or via legitimate websites – such as eBay. If money is to exchange hands, make sure you are using legitimate payment processors.
  • Don’t give out your email address to buyers/sellers conducting business via phone.
  • Don’t let someone rush you into a sale. If they are pressuring you to respond, they are likely trying to manipulate you into acting without thinking.

Flaw in Google Docs’ comments feature exploited by scammers

Cyber criminals are using the “Comments” feature of Google Docs to send malicious links in a phishing campaign targeted primarily at Outlook users, researchers have discovered.

Researchers first observed “a new, massive wave of hackers leveraging the comment feature in Google Docs” in December. They first identified that the Comments feature of Google Docs, Sheets and Slides could be exploited to send spam emails in October, but so far Google has not responded to the issue.

So far, more than 500 inboxes across 30 tenants from more than 100 different Gmail accounts have been hit. Attackers target users of Google Docs by adding a comment to a document that mentions the targeted user with an “@”. This sends an email to that person’s inbox automatically. The email, which comes from Google, includes text as well as the malicious links.

There are a number of reasons why it is hard for victims to recognise that the email sent to them after being tagged in “Comments” is malicious. For one, the email address of the sender isn’t shown – just the name of the attacker – which allows bad actors to impersonate legitimate entities to target victims. As well as this, it also makes it harder for anti-spam filters to judge, and even harder for the end-user to recognise.

Researchers said: “For example, a hacker can create a free Gmail account, such as <bad.actor@gmail.com>. They can then create a Google Doc and send it to their intended target.”

The malicious intent of the Comments mention is difficult to detect because the end user will have no idea whether the comment came from <bad.actor@gmail.com> or <bad.actor@company.com>. The email also contains the full comment, along with links and text. This means the victim never has to go to the document – this is because the payload is in the email itself.

Typical protections won’t flag the emails because the notification comes directly from Google, which “is on most ‘Allow Lists’ and is trusted by users.” The campaign looks to be a sign of an uptrend in attacks that exploit the Comments feature of Google’s collaboration apps for malicious intent.

In June 2021, researchers identified threat actors hosting phishing attacks from within Google Docs. These delivered malicious links aimed at stealing victims’ credentials. At the time, they identified it as a novel exploit of the app. Then, in October, as previously mentioned, researchers identified threat actors exploiting the Comments feature for the first time. This was then followed by December’s flurry of attacks.

We recommend that users cross-reference the email address in the comment to ensure it’s legitimate before clicking on a Google Docs comment. As well as this, it is important to use standard “cyber hygiene” when reviewing comments, including scrutinising links and inspecting grammar. And, finally, if you’re still unsure, contact the legitimate sender and double check that they meant to send the email.

Administrators can guard against the cyber attacks by deploying security protection that secures the entire suite, including file-sharing and collaboration apps.

If you are concerned about any cyber security, phishing, ransomware or malware issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.