Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we here at Neuways bring attention to the latest cybersecurity threats so that you stay safe online.

Here are the most prominent threats which you should be aware of:


Neu Cyber Threats

Phishing Scam ALERT: The Latest HMRC Scams

A wave of HMRC tax-fraud phishing campaigns is bombarding the general public as April marks the start of the 2021/22 tax year. Criminals are exploiting the timing with a flood of phone calls, emails and SMS messages telling recipients that they have defrauded the country’s tax service and must therefore pay a large fine or face prison time.

Of course, the message is entirely false. Through social engineering and urgent, pressing language, the recipient is pushed into responding under the threat of losing thousands of pounds or going to jail. For the full story and direct examples of these scams to look out for, click here.

IcedID Circulates Via Web Forms, Google URLs


Website contact forms and Google URLs are being exploited to spread the IcedID trojan, according to Microsoft.

‘Contact us’ forms on websites are being abused by cyber criminals to send organisations emails containing legal threats. The phishing messages, purportedly from a photographer, illustrator or designer, allege a copyright infringement and contain a link to supposed ‘evidence’ of the legal infraction. The link leads to a Google page that downloads IcedID (a.k.a. BokBot), an information-stealer and loader for other malware.

The message uses strong and urgent language, much like the HMRC phishing campaigns above, with lines such as ‘Download it right now and check this out for yourself’, pressuring the recipient to act immediately and tempting them to open the links in order to avoid legal action.

The links send victims to a sites.google.com page, which asks them to sign in. Once signed in, the page downloads a malicious .ZIP file which, when unpacked, contains a .JS file. Microsoft explained that the .JS file is executed via WScript and creates a shell object that launches PowerShell, which in turn downloads the IcedID payload in the form of a .DAT file.

The file gives attackers remote control of the victim’s machine. Analysis shows that the downloaded .DAT file is loaded via the rundll32 executable, which then launches various information-gathering commands: obtaining antivirus information, collecting IP, domain and system information, and swiping banking and other credentials stored in browser databases.
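The execution chain above (WScript running the .JS, PowerShell fetching the payload, rundll32 loading a .DAT file as a DLL) is the kind of sequence an endpoint detection rule can key on. The following is an added example written for this edition, not Microsoft’s or Neuways’ code: it runs two simple checks over process-creation events, looking for wscript/cscript spawning PowerShell and for rundll32 being handed a .dat file. The sample events are constructed for illustration, not captured from a real host.

```python
"""Detection logic for the IcedID execution chain: a .JS run by WScript spawns
PowerShell, and the downloaded .DAT payload is loaded through rundll32.
Added example; the process-creation events below are constructed."""
from dataclasses import dataclass
import ntpath


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


def _exe(path: str) -> str:
    """Lower-cased file name, e.g. C:\\Windows\\System32\\WScript.EXE -> wscript.exe."""
    return ntpath.basename(path).lower()


def find_script_to_powershell(events):
    """Pairs (parent, child) where wscript/cscript spawned PowerShell."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        if _exe(child.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        parent = by_pid.get(child.ppid)
        if parent is not None and _exe(parent.image) in ("wscript.exe", "cscript.exe"):
            hits.append((parent, child))
    return hits


def find_rundll32_dat(events):
    """rundll32 launches whose DLL argument (the part before the comma) ends in .dat."""
    hits = []
    for e in events:
        if _exe(e.image) != "rundll32.exe":
            continue
        args = e.cmdline.replace('"', "").lower().split()[1:]
        if any(a.split(",")[0].endswith(".dat") for a in args):
            hits.append(e)
    return hits


def alerts(events):
    """Human-readable findings, one line per suspicious event."""
    out = []
    for parent, child in find_script_to_powershell(events):
        out.append(f"{_exe(parent.image)} (pid {parent.pid}) spawned powershell (pid {child.pid})")
    for e in find_rundll32_dat(events):
        out.append(f"rundll32 (pid {e.pid}) loading a .dat file as a DLL: {e.cmdline}")
    return out


# Constructed sample events (pid, ppid, image, command line)
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\evidence.js"'),
    ProcEvent(201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -Command Invoke-WebRequest"),
    ProcEvent(202, 201, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\payload.dat,PluginInit"),
    ProcEvent(300, 100, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),   # ordinary rundll32 use, not flagged
]

if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print(line)
```

The benign rundll32 event is included deliberately: rundll32 is used constantly by Windows itself, so the check keys on the unusual file extension rather than on the executable alone. In a real deployment the same two checks map directly onto Sysmon Event ID 1 or EDR process-start telemetry.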

The use of website contact forms allows the campaign to evade email spam filters: the contact-form query appears trustworthy because it is sent from a trusted email marketing system. As the emails originate from the recipient’s own website contact form, the email templates match what they would expect from a genuine customer interaction or enquiry.

Further, the use of a Google page and sign-in request aids detection evasion – this added authentication layer means detection technologies may fail to identify the email as malicious at all.

It is advisable to treat contact-form emails with a ‘safety-first’ attitude. If, as in this case, an email contains links to websites for no clear reason, do not click them. Until email filters can crack down on the common language and links used in this particular attack, businesses should be wary of communications received through their contact-form enquiries.
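Because these messages arrive through the organisation’s own form rather than as inbound email, the place to screen them is the form handler or the ticketing system that receives them. The following is an added example, not Neuways’ or Microsoft’s code, of a simple triage rule that scores a submission on the three traits described above: legal-threat wording, urgency wording, and a link to a shared-hosting page such as sites.google.com (or any link away from the organisation’s own domain). The submissions, the organisation domain example.com and the word lists are constructed for illustration.

```python
"""Triage for inbound contact-form submissions: flag messages that combine a
legal threat, urgency and an off-domain link, the pattern of the IcedID
contact-form campaign. Added example; all sample data is constructed."""
import re
from urllib.parse import urlparse

LEGAL_THREAT_TERMS = ("copyright", "infringement", "legal action", "lawsuit", "dmca", "attorney")
URGENCY_TERMS = ("right now", "immediately", "within 24 hours", "urgent")
# Reputable domains on which anyone can host an arbitrary page (assumed list)
SHARED_HOSTING_HOSTS = ("sites.google.com", "drive.google.com", "storage.googleapis.com")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def score_submission(message: str, own_domains):
    """Return (score, reasons). One point per trait found; links are scored per URL."""
    text = message.lower()
    reasons = []
    if any(t in text for t in LEGAL_THREAT_TERMS):
        reasons.append("legal-threat language")
    if any(t in text for t in URGENCY_TERMS):
        reasons.append("urgency language")
    for url in URL_RE.findall(message):
        host = (urlparse(url).hostname or "").lower()
        if host in SHARED_HOSTING_HOSTS:
            reasons.append(f"link to shared-hosting page: {host}")
        elif host and not any(host == d or host.endswith("." + d) for d in own_domains):
            reasons.append(f"external link: {host}")
    return len(reasons), reasons


def triage(submissions, own_domains, threshold=3):
    """Submissions scoring at or above the threshold, as (id, score, reasons)."""
    flagged = []
    for sub in submissions:
        score, reasons = score_submission(sub["message"], own_domains)
        if score >= threshold:
            flagged.append((sub["id"], score, reasons))
    return flagged


OWN_DOMAINS = ("example.com",)   # constructed: the organisation's own web domain

# Constructed submissions: one modelled on the lure described above, two ordinary enquiries
SAMPLE_SUBMISSIONS = [
    {"id": "f-001", "message": (
        "Hi, this is Melanie and I am a qualified photographer. You have used my images "
        "without my permission, which is a copyright infringement. Download the evidence "
        "right now and check this out for yourself: https://sites.google.com/view/notice-0000/ "
        "or we will take legal action.")},
    {"id": "f-002", "message": (
        "Hello, I'd like a quote for 20 laptops for our office. Our site is "
        "https://www.customer-shop.example.org for reference. Thanks.")},
    {"id": "f-003", "message": "Please call me immediately about invoice 4471."},
]

if __name__ == "__main__":
    for sub_id, score, reasons in triage(SAMPLE_SUBMISSIONS, OWN_DOMAINS):
        print(sub_id, score, "; ".join(reasons))
```

A single trait is not enough to flag anything (a customer may well write “urgent” or paste a link to their own site), which is why the threshold requires the traits in combination; flagged submissions should be routed to a review queue rather than discarded.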

Azure Functions Weakness Allows Privilege Escalation

A privilege-escalation vulnerability in Microsoft’s Azure Functions cloud container feature could ultimately allow a user to escape the container.

The researchers found that Azure Functions containers run with the --privileged Docker flag, which means that device files in the /dev directory are shared between the Docker host and the container guest – the vulnerability stems from the fact that these device files have read-write permissions for ‘others’.

The issue becomes a problem because the Azure Functions environment contains 52 different partitions with file systems, which can be visible across users. This is dangerous where attackers already have access to a victim’s environment as a low-privilege user – they can take advantage of the vulnerability to escalate privileges and do things they should not be able to, such as reading files from the file system.
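The two conditions described above, a container running with --privileged and block-device nodes under /dev that ‘others’ can read and write, are both things a tenant can check for from inside their own container. The following is an added example, not the researchers’ tooling: it inspects the effective capability set from /proc/self/status for CAP_SYS_ADMIN (one of the capabilities --privileged grants) and audits device entries for world read-write permission bits. The ENTRIES list and the two CapEff values are constructed; the default-Docker value is an assumed typical set, not a measured one.

```python
"""Two in-container checks: (1) does the effective capability set include
CAP_SYS_ADMIN, and (2) are block-device nodes under /dev readable and writable
by 'others'. Added example; ENTRIES and the CapEff values are constructed."""
import os
import stat

CAP_SYS_ADMIN_BIT = 21  # capability number from linux/capability.h


def has_cap_sys_admin(cap_eff_hex: str) -> bool:
    """cap_eff_hex is the CapEff field of /proc/self/status, e.g. '0000003fffffffff'."""
    return bool((int(cap_eff_hex, 16) >> CAP_SYS_ADMIN_BIT) & 1)


def read_cap_eff(status_path="/proc/self/status") -> str:
    """Live read of CapEff on a Linux system (not used by the offline checks)."""
    with open(status_path) as fh:
        for line in fh:
            if line.startswith("CapEff:"):
                return line.split()[1]
    raise RuntimeError("CapEff not found")


def world_rw(mode: int) -> bool:
    """True if the permission bits grant 'others' both read and write."""
    both = stat.S_IROTH | stat.S_IWOTH
    return (mode & both) == both


def audit_block_devices(entries):
    """entries: iterable of (path, st_mode). Returns block devices that are world read-write."""
    return [path for path, mode in entries if stat.S_ISBLK(mode) and world_rw(mode)]


def scan_dev(dev_dir="/dev"):
    """Live scan of a device directory, feeding real lstat results to the audit."""
    entries = []
    for name in os.listdir(dev_dir):
        path = os.path.join(dev_dir, name)
        try:
            entries.append((path, os.lstat(path).st_mode))
        except OSError:
            continue
    return audit_block_devices(entries)


# Constructed entries: file-type bits OR'd with permission bits
ENTRIES = [
    ("/dev/sda1", stat.S_IFBLK | 0o666),   # partition readable/writable by others: finding
    ("/dev/sda2", stat.S_IFBLK | 0o660),   # owner and group only: expected
    ("/dev/null", stat.S_IFCHR | 0o666),   # character device, not a partition: ignored here
    ("/dev/shm", stat.S_IFDIR | 0o777),    # directory: ignored
]

# Constructed CapEff values: a full 38-capability mask, and an assumed default Docker set
PRIVILEGED_CAPEFF = "0000003fffffffff"
DEFAULT_CAPEFF = "00000000a80425fb"

if __name__ == "__main__":
    print("CAP_SYS_ADMIN present:", has_cap_sys_admin(PRIVILEGED_CAPEFF))
    print("world read-write partitions:", audit_block_devices(ENTRIES))
```

On a real host, replace the constructed inputs with read_cap_eff() and scan_dev(); a non-empty result from either check is worth raising with the platform provider, since (as the article notes) the fix is not in the tenant’s hands.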

To probe for attack paths arising from this setup, researchers created a local test container and found that, using the debugfs utility, an unprivileged user can easily traverse the Azure Functions file system. It turns out that an unprivileged user cannot directly edit any files found within; however, researchers were able to find a way around this limitation on making direct changes to files.

Microsoft have been made aware of the vulnerability, but no patch had been announced at the time of writing. Cases such as this underscore that vulnerabilities are sometimes unknown to, or beyond the control of, the cloud security consumer. Neuways advise a two-pronged approach to cloud security: fixing known vulnerabilities and hardening systems to reduce the likelihood of attack, and implementing runtime protection to detect and respond to post-exploitation activity and other in-memory attacks as they occur.

Fake Netflix App on Google Play Spreads Malware Via WhatsApp

Malware disguised as a Netflix app lurking on the Google Play store has been spreading through WhatsApp messages.

According to researchers, the malware masqueraded as an app called ‘FlixOnline’, which was advertised via WhatsApp messages promising ‘2 Months of Netflix Premium Free Anywhere in the World for 60 days’ – but once installed, the malware sets about stealing data and credentials.

The malware was designed to listen for incoming WhatsApp messages and automatically respond to any that the victims receive, with the content of the response crafted by the cyber criminals. The responses attempt to lure others with the offer of a free Netflix service, and contain links to a spoofed version of the streaming service’s website that phishes for credentials and credit card information.

Researchers said: “The app turned out to be a fake service that claims to allow users to view Netflix content from around the world on their mobile devices. However, instead of allowing the mobile user to view Netflix content, the application monitors a user’s WhatsApp notifications, sending automatic replies to a user’s incoming messages using content that it receives from a remote server.”

Over the course of the two months that the app was live on Google Play, the malware racked up 500 victims. Despite the app having been removed by Google, the malware family is likely here to stay and may return hidden in a different app, according to researchers. The malware was also able to self-propagate, sending messages to users’ WhatsApp contacts and groups with links to the fake app. So, although the app cannot reach any new victims, it might be that the 500 already impacted could be sharing the malware inadvertently.

The malware’s technique is fairly new and innovative, and the ease with which it was disguised and bypassed the Google Play Store’s protection raises serious red flags. Once downloaded from the Play Store and installed, the application requests three specific permissions: Overlay, Battery Optimization Ignore and Notification Listener. These allowed it to carry out the activity described above.

After the permissions are granted, the malware displays a landing page it receives from the command-and-control (C2) server and deletes its icon from the home screen, before periodically pinging the C2 for configuration updates. For the WhatsApp messages, the malware uses a function called OnNotificationPosted to check the package name of the application that created a given notification. If the application is WhatsApp, the malware ‘processes’ the notification: it cancels the notification, hiding it from the user in the process, and then reads the title and content of the notification received.
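The Notification Listener permission is the one that makes the behaviour above possible, and it is also the one a user or administrator can audit: Android records every app granted it in the secure setting enabled_notification_listeners, readable with adb shell settings get secure enabled_notification_listeners. The following is an added example, not the researchers’ or Neuways’ code, that parses that setting’s colon-separated package/component list and reports any package that is not on an allow-list. The sample setting value, the allow-list and the package name com.flixonline.app are constructed for illustration.

```python
"""Audit which Android apps hold Notification Listener access by parsing the
value of the secure setting enabled_notification_listeners. Added example;
the sample value and allow-list are constructed."""

# Assumed allow-list; on a real device, populate from the packages you expect
ALLOWED_PACKAGES = {"com.android.systemui", "com.google.android.wearable.app"}


def parse_listeners(setting_value: str):
    """Split 'pkg/component:pkg2/component2' into (package, component) pairs.
    The setting reads 'null' (or is empty) when no listener is enabled."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    pairs = []
    for item in value.split(":"):
        if not item:
            continue
        package, _, component = item.partition("/")
        pairs.append((package, component))
    return pairs


def unexpected_listeners(setting_value: str, allowed=ALLOWED_PACKAGES):
    """Packages with listener access that are not on the allow-list."""
    return [pkg for pkg, _ in parse_listeners(setting_value) if pkg not in allowed]


def report(setting_value: str, allowed=ALLOWED_PACKAGES) -> str:
    suspects = unexpected_listeners(setting_value, allowed)
    if not suspects:
        return "no unexpected notification listeners"
    return "review notification access for: " + ", ".join(suspects)


# Constructed sample output of: adb shell settings get secure enabled_notification_listeners
SAMPLE_SETTING = (
    "com.android.systemui/.NotificationListener"
    ":com.flixonline.app/com.flixonline.app.NotifService"
)

if __name__ == "__main__":
    print(report(SAMPLE_SETTING))
```

Any package reported here that the user does not recognise should have its access revoked on the device’s Notification access screen and then be uninstalled, in line with the advice further down to remove the suspect app and change all passwords.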

This isn’t the first app from the official Android app store that has contained malware or trojans. In March 2021, for instance, nine malicious apps were discovered on Google Play, harbouring a malware dropper that paves the way for attackers to remotely steal financial data from Android phones. And in January, Google removed 164 apps which were downloaded a total of 10 million times, as they were delivering disruptive ads.

Neuways advises users to be wary of any download links or attachments received via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups, as those contacts could themselves have been affected by a malicious Android app. If users find a fake app installed on their device, they should immediately remove the suspect application and change all passwords.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.