Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we highlight the latest cyber attacks and phishing threats, this week including Trickbot, Flubot and Teabot, to help you stay safe online.

Here are the most prominent threats which you should be aware of:


Neu Cyber Threats

Microsoft privilege-escalation bug affecting unpatched systems

Following reports that Microsoft’s January Patch Tuesday updates broke some Windows servers, some administrators may have held off installing them. Neuways now advises applying the updates promptly, because of a new development: they include the fix for a privilege-escalation bug in Windows 10 that leaves unpatched systems open to attackers who already have a foothold on the machine and want administrative access.

Microsoft explained: “A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability.”

Researchers described the attack: “The attacker can call the relevant GUI API at the user_mode to make the kernel call like xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, etc. These kernel functions will trigger a callback xxxClientAllocWindowClassExtraBytes. An attacker can intercept this through hook xxxClientAllocWindowClassExtraBytes in KernelCallbackTable, and use the NtUserConsoleControl method to set the ConsoleWindow flag of the tagWND object, which will modify the window type.”

Microsoft said the bug had already been exploited by sophisticated groups as a zero-day. January’s Patch Tuesday was also plagued by Windows Server update problems, which may have made internal security teams pause before deploying the patches. A proof-of-concept (PoC) exploit is now publicly available, however, putting exploitation within reach of cyber criminals of all levels of expertise.

In the technical analysis sent to Microsoft, the researchers’ primary recommendation for how to “kill the bug class” was further investment in the bounty programme: “By improving the kernel zero-day bounty, and letting more security researchers participate in the bounty programme, and help the system to be more perfect.”

The advice to businesses is to update their systems as soon as possible to avoid falling victim to the bug.

Malware-loaded 2FA app targets Android phones


After more than two weeks on Google Play, a malicious two-factor authentication (2FA) application has been removed from the store, but not before it was downloaded more than 10,000 times. The app, which works as a fully functional 2FA authenticator, comes loaded with a dropper for the Vultur banking trojan, which harvests financial data from the device.

Researchers advise anyone who installed the app, named “2FA Authenticator”, to delete it from their device immediately, because they remain at risk both of banking-login theft and of other attacks made possible by the app’s excessive permissions.

The threat actors built a working, convincing authenticator to disguise the malware dropper, taking the open-source Aegis Authenticator code and injecting malicious additions into it. This is what let it pass Google Play’s checks and spread undetected.

“As a result, the application is successfully disguised as an authentication tool, which ensures it maintains a low profile,” the report added.

Once installed, the app drops the Vultur banking trojan, which steals financial and banking data from the compromised device but can do much more. First identified by analysts last March, the Vultur remote access trojan (RAT) was the first of its kind found to use keylogging and screen recording as its primary tactic for stealing banking data, letting the group automate credential harvesting and operate at scale.

Researchers said: “The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking trojans: this approach usually requires more time and effort from the actors in order to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result.”

The fake authenticator also requests device permissions beyond those disclosed in its Google Play listing. These elevated privileges let the attackers go well beyond the standard banking-trojan fare: accessing user location data, so attacks can be targeted at specific regions; disabling the device lock and password security; downloading third-party applications; and keeping control of the device even after the app is closed.

Researchers uncovered another trick: the malicious 2FA app requests the SYSTEM_ALERT_WINDOW permission, which lets an app draw its own windows on top of other apps’ interfaces, the mechanism behind overlay attacks. Google itself explained: “Very few apps should use this permission; these windows are intended for system-level interaction with the user.”

Once the device is fully compromised, the app installs Vultur, “an advanced and relatively new kind of malware that mostly targets online banking interface to steal users’ credentials and other critical financial information,” the report said.

The researchers reported that, after they submitted their disclosure to Google Play, the 2FA Authenticator app loaded with the banking trojan remained available for a further 15 days. If you had the misfortune to install it on your Android device, make sure it has been removed. Because the authenticator is only the dropper, deleting it does not guarantee that the payload it installed is gone: check the device for other unfamiliar apps and reset any banking credentials that were used on it.

Shipment delivery scams spread malware

Attackers are increasingly spoofing courier services and using socially engineered messages about packages to trick users into downloading Trickbot and other malicious payloads.

The authentic-looking phishing emails try to dupe victims into downloading credential-stealing payloads. The campaigns rely on trust in widely used shipping services and on employees’ habit of receiving emailed documents about shipments, and are designed to elicit the further actions that compromise corporate systems.

The trend has become so prevalent that courier DHL earned the dubious distinction of replacing Microsoft at the top of Check Point Software’s list of the brands most imitated by threat actors. Scams impersonating DHL accounted for 23% of all brand-phishing attempts tracked in Q4 2021, 14 percentage points higher than in the previous quarter.

A recent Trickbot phishing campaign, discovered by the Cofense Phishing Defence Centre, uses emails posing as a missed-delivery notice from postal services; the “notice” is a malicious link. Separately, researchers found a new wave of attackers spoofing DHL in emails that aim to spread “a dangerous Trojan virus” by telling recipients that a shipment has arrived and asking them to open an attachment for the details.

Researchers attributed the rise in package-delivery scams to a couple of factors. Such lures are especially plausible in the fourth quarter of the year, when online shopping peaks over the festive season. Researchers added: “Now, hackers are taking advantage of this, by attaching malware to a DHL spoof, which will likely attract attention from a recipient in part because of its use of a trusted company.”

Shipping delays and supply-chain problems have become commonplace since the pandemic, and far more people now work remotely from home. A malicious “invoice” link attached to a fake missed-delivery notification is therefore an attractive lure for victims accustomed to receiving exactly these kinds of emails.

An unrelated study, which simulated phishing emails to more than 82,000 corporate employees, found that scams which share a document with, or report a service issue to, the target are more likely to succeed when the document is tied to a trusted brand. In both of the recent delivery-themed campaigns, the attackers worked to make the scams look as authentic as possible in order to get users to take the further actions that download the malicious payloads.
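The two tells the campaigns above share, a courier brand in the sender name or subject paired with a sender domain that does not belong to that courier, and a “notice” delivered as a risky attachment, can be checked mechanically. The script below is an added example written for this newsletter, not code from Check Point, Cofense or the campaigns described. The brand list, the accepted sender domains in BRAND_DOMAINS, the RISKY_EXT list and the sample messages are all constructed assumptions; an operator would maintain their own.

```python
"""Triage courier-themed mail for brand impersonation and risky attachments.

Added example. BRAND_DOMAINS, RISKY_EXT and the sample messages built by
build_sample() are constructed for illustration, not taken from real campaigns.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Brands the lures impersonate, with the sender domains we accept for each.
# Assumed allowlist for this example.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de", "dhl.co.uk"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "royal mail": {"royalmail.com"},
}

# Attachment types commonly used as the first stage of a loader such as Trickbot.
RISKY_EXT = (".zip", ".iso", ".img", ".js", ".vbs", ".exe", ".scr",
             ".docm", ".xlsm", ".html", ".htm", ".lnk")


def brands_mentioned(text):
    """Return the brands whose name appears as a whole word in the text."""
    lowered = text.lower()
    return [b for b in BRAND_DOMAINS if re.search(r"\b" + re.escape(b) + r"\b", lowered)]


def sender_domain(from_header):
    """Domain of the actual address in From:, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def domain_allowed(domain, allowed):
    """Exact match or subdomain of an allowed domain: mail.dhl.com yes, dhl.com.evil.example no."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def risky_attachments(msg):
    """Filenames of attachments whose extension is on the risky list."""
    return [fn for part in msg.walk()
            if (fn := part.get_filename()) and fn.lower().endswith(RISKY_EXT)]


def assess(raw_message):
    """Return a list of findings for one RFC 5322 message; empty means nothing flagged."""
    msg = message_from_string(raw_message, policy=default)
    from_header = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_header)
    subject = str(msg.get("Subject", ""))
    domain = sender_domain(from_header)

    findings = []
    for brand in brands_mentioned(f"{display_name} {subject}"):
        if not domain_allowed(domain, BRAND_DOMAINS[brand]):
            findings.append(f"'{brand}' in sender name/subject but sent from {domain or 'no domain'}")
    findings.extend(f"risky attachment: {fn}" for fn in risky_attachments(msg))
    return findings


def build_sample(from_header, subject, attachment_name=None):
    """Construct a sample message (test data, not a captured email)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "finance@corp.example"
    msg["Subject"] = subject
    msg.set_content("Your parcel could not be delivered. See the attached notice.")
    if attachment_name:
        # Dummy bytes standing in for an archive; the content is never inspected here.
        msg.add_attachment(b"PK\x03\x04", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    spoof = build_sample('"DHL Express" <notice@parcel-tracking-update.example>',
                         "Your shipment has arrived", "DHL_Shipment_Notice.zip")
    legit = build_sample('"DHL" <noreply@dhl.com>', "Delivery scheduled for tomorrow")
    for name, raw in (("spoof", spoof), ("legit", legit)):
        print(name, assess(raw) or ["no findings"])
```

This is a triage heuristic, not authentication: the From header is attacker-controlled, so the verdict should be combined with the SPF, DKIM and DMARC results your mail gateway already records. Lookalike domains (dhl-parcel.example and the like) are flagged simply because they are not on the allowlist, while any legitimate third-party mailer a courier uses has to be added to it.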

Neuways advises businesses to put employees through Phishing Awareness Training. On-the-job training shows that your company is committed to keeping cyber safe. Employees are the gatekeepers of your business, so training is critical to ensuring cyber criminals do not gain access to your credentials and corporate accounts. Training works best alongside technical controls: reject or quarantine mail that fails sender authentication (SPF, DKIM, DMARC), block or sandbox archive and macro-enabled attachments, and enforce multi-factor authentication so that a phished password alone is not enough.

Android devices hit by Flubot and Teabot campaigns

Researchers have discovered a raft of active campaigns delivering the Flubot and Teabot banking trojans through several delivery methods. The threat actors use “smishing” (SMS phishing) and malicious Google Play apps to hit victims in regions across the globe with short-lived, fast-moving campaigns.

Since the beginning of December, more than 100,000 malicious SMS messages attempting to distribute Flubot have been identified. While observing Flubot, the team also found a QR-code reader app, downloaded more than 100,000 times from Google Play, that has delivered 17 different Teabot variants.

Flubot and Teabot emerged in 2021 as straightforward banking trojans that steal banking, contact, SMS and other private data from infected devices. What makes them particularly nasty and far-reaching is the operators’ unusual methods of spreading the malware.

Flubot was first seen in April, targeting Android users in the UK and Europe with malicious SMS messages that prompted recipients to install a “missed package delivery” app. Those messages showcased a feature of the malware: its command-and-control (C2) channel lets the operators push SMS lures to infected devices, which then send them on to new victims.

This lets the operators switch targets and swap in other malware features, widening their reach to a global scale without needing complex infrastructure. Researchers said: “These threats survive because they come in waves with different messages and in different time zones.

“While the malware remains static, the message used to carry it, the domains that host the droppers, and everything else is constantly changing.”

Among other lures, Flubot operators also sent SMS messages posing as fake browser updates and fake voicemail notifications, each accounting for about 8% of observed campaigns. While investigating Flubot, researchers also found a Teabot variant being installed on devices without any malicious SMS being sent. Further investigation led to a dropper application in the Google Play Store named “QR Code Reader – Scanner App” that had been distributing 17 different Teabot variants for a little over a month.

As ever, be careful about what you install, even from official app stores: fraudulent apps do slip through review from time to time, and a high install count or good reviews is no guarantee, since both can be bought. Check that the permissions an app requests match what it does (a QR reader or an authenticator has no need for SMS access, location, the ability to install other apps or the ability to draw over other apps), look at the developer’s name and history, keep Google Play Protect enabled, and report apps that ask for more than they should.
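Both the “2FA Authenticator” dropper above and the Teabot QR-reader were caught by the same observation: they requested permissions no app of their kind needs. The script below is an added example for this newsletter, not code from the researchers or from Google. It parses the `requested permissions:` block of `adb shell dumpsys package <package>` (a real adb command) and compares it with a baseline of what an authenticator or QR reader legitimately needs. The HIGH_RISK mapping, the baseline sets and SAMPLE_DUMPSYS are this example’s own constructions; the sample is a trimmed, hypothetical dump, not the real apps’ manifests. One caveat: Accessibility Service and Device Admin abuse are declared on service components rather than as `uses-permission` entries, so they do not show up in this block and need a separate check.

```python
"""Audit the permissions an installed Android app requested, from
`adb shell dumpsys package <package>` output.

Added example. HIGH_RISK, the *_EXPECTED baselines and SAMPLE_DUMPSYS are
constructed for illustration; SAMPLE_DUMPSYS is a trimmed hypothetical dump.
"""
import re
import subprocess

# Permissions a benign authenticator or QR scanner has no reason to request,
# mapped to what they let malware such as Vultur or Teabot do.
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw windows over other apps (overlays)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs (dropper behaviour)",
    "android.permission.ACCESS_FINE_LOCATION": "locate the victim for regional targeting",
    "android.permission.ACCESS_COARSE_LOCATION": "locate the victim for regional targeting",
    "android.permission.RECEIVE_SMS": "intercept SMS, including 2FA codes",
    "android.permission.READ_SMS": "read stored SMS, including 2FA codes",
    "android.permission.SEND_SMS": "send smishing messages from the device",
    "android.permission.READ_CONTACTS": "harvest contacts as the next targets",
    "android.permission.RECORD_AUDIO": "record the microphone",
}

# What each kind of app legitimately needs. Assumed baselines for this example.
AUTHENTICATOR_EXPECTED = {"android.permission.INTERNET", "android.permission.CAMERA",
                          "android.permission.VIBRATE"}
QR_READER_EXPECTED = {"android.permission.CAMERA", "android.permission.VIBRATE"}

# Matches android.permission.X as well as vendor permissions such as
# com.google.android.c2dm.permission.RECEIVE.
PERM_RE = re.compile(r"^[\w.]+\.permission\.[A-Z0-9_]+")


def fetch_dumpsys(package):
    """Pull the package dump from a connected device (needs adb on PATH)."""
    return subprocess.run(["adb", "shell", "dumpsys", "package", package],
                          capture_output=True, text=True, check=True).stdout


def requested_permissions(dumpsys_text):
    """Collect the entries of the 'requested permissions:' block (manifest uses-permission)."""
    perms, in_block = [], False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            match = PERM_RE.match(stripped)
            if not match:          # reached the next section, e.g. "install permissions:"
                break
            perms.append(match.group(0))
    return perms


def audit(dumpsys_text, expected):
    """Return requested permissions, those outside the baseline, and the high-risk subset."""
    requested = requested_permissions(dumpsys_text)
    unexpected = [p for p in requested if p not in expected]
    high_risk = {p: HIGH_RISK[p] for p in unexpected if p in HIGH_RISK}
    return {"requested": requested, "unexpected": unexpected, "high_risk": high_risk}


# Constructed, trimmed dumpsys output for a hypothetical authenticator package.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fake2fa] (1a2b3c4):
    userId=10231
    versionName=1.0.3
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.ACCESS_FINE_LOCATION
      android.permission.QUERY_ALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    # Against a live device: audit(fetch_dumpsys("com.example.fake2fa"), AUTHENTICATOR_EXPECTED)
    result = audit(SAMPLE_DUMPSYS, AUTHENTICATOR_EXPECTED)
    for perm, capability in result["high_risk"].items():
        print(f"HIGH RISK  {perm}: {capability}")
    for perm in result["unexpected"]:
        if perm not in result["high_risk"]:
            print(f"unexpected {perm}")
```

Run against the constructed sample, the audit flags SYSTEM_ALERT_WINDOW, REQUEST_INSTALL_PACKAGES and ACCESS_FINE_LOCATION as high risk, the same three capabilities (overlays, installing further apps, location targeting) the researchers described for the malicious authenticator, and lists QUERY_ALL_PACKAGES as merely unexpected. Requested permissions are what the manifest declares; whether a runtime permission has actually been granted is shown separately in the `runtime permissions:` section of the same dump.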

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.