Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks and phishing threats, including malware and PowerPoint trojans, to help you stay safe online.

Here are the most prominent threats which you should be aware of:


Russia-Ukraine cyber attack impacting companies around the world

Russia’s bombardment of Ukraine has been accompanied by a comprehensive cyber campaign. Central and local Ukrainian government networks have been massively disrupted by wiper malware operated by Russian cyber criminal gangs. Critical infrastructure across the nation has also been significantly weakened, leaving its defences more open to being breached.

Data was encrypted and left in the hands of cyber gangs, which, against the wider backdrop of the conflict in the country, added to the chaos. Spin-off cyber crime campaigns have since sought to take advantage of both those affected by the violence and those wishing to help. Lures used by cyber criminals include:

  • Donating to Ukraine relief
  • Signing up to the Ukrainian relief effort
  • Joining the fight against Russia
  • Leaks of Ukrainian Gov secrets
  • Leaks of Russian Gov secrets

Researchers are hoping the activity does not mimic that of NotPetya, which first hit Ukraine in 2017 before going on to leave a trail of victims across the world. Neuways advises users who want to help with the relief efforts to double check that they are giving to official sources, and not inadvertently filling the wallets and purses of cyber criminal gangs.

For more information, check out the latest Neuways blog on the cyber incident.

Toyota one of many companies impacted by Russian cyber activity

Toyota has been experiencing supply chain problems as a result of the fallout from the Russia-Ukraine cyber incident. One of the Japanese car manufacturer’s suppliers was hit by a cyber incident, which halted the car production lines for a day and froze the progress of thousands of vehicles at a plant in Japan.

While this will have cost Toyota an untold amount in revenue, it is not the only disruption experienced by companies worldwide. Chipmaker Nvidia has also been among the casualties, adding further complications to a sector that has suffered throughout the global pandemic. Combined with slow delivery times, the global chip shortage has constrained the supply of many different technologies over the last two years.

Critically, many of the world’s largest banks have also been targeted by Russian cyber criminals. This malicious activity, allegedly linked to the Russian state, looks set to continue, which means that organisations of all shapes and sizes, in every industry, should prepare for the worst. Preparing in advance limits the damage a successful phishing attempt can do to the organisation.

Read the full story about Toyota’s problems, on the Neuways blog.

Cyber criminals using DocuSign to steal Outlook logins

A sophisticated phishing campaign has been making use of DocuSign, as well as a compromised third party’s email domain to skate past email security measures, researchers said.

The campaign spread seemingly innocuous emails to various companies, with the goal of stealing Microsoft login credentials. In one instance, around 550 members of a targeted company received the same email in their inboxes. The sender’s name was “Hannah Mcdonald,” and the subject line and the body of the email were simple and to the point.

Those who clicked the link in the email were presented with a preview of an electronic document through DocuSign, a common e-signature software. The preview looked like a legitimate DocuSign landing page, with a prompt to “Please review and sign this document,” and an indication that other parties had already added their signatures.

The preview was hosted on Axure, a legitimate cloud-based prototyping portal. Just like the real thing, the copycat page contained a security warning in fine print, advising the target not to share access with others. This shows that cyber criminals are paying closer attention to the content they use within their scams. Those who clicked to view the document were presented with a Microsoft single sign-on login page. Any credentials entered at this stage would have been received by the attackers.

The phishing emails successfully evaded traditional email security measures in part because they came from a domain belonging to ‘TermBrokersInsurance’. The report noted that “a quick scan of the domain address would not have alerted the end user to fraudulent activity because of the domain’s validity. In the payment industry this domain would have passed most of the custom defined policies, further increasing end users’ chance of falling victim to this sophisticated phishing attack.”

Microsoft’s Spam Confidence Level (SCL), the score its filters assign to express how likely a given email is to be spam, rated these malicious emails as ‘-1’. That is the lowest possible SCL value and it causes a message to skip spam filtering altogether, because it “is from a safe sender, was sent to a safe recipient or is from an email source server on the IP Allow List.” In practice an allow-list entry for a sender domain or IP overrides the content-based checks, so mail from a compromised allow-listed domain is delivered unexamined.

Impersonating and leveraging trusted cloud services is also an increasingly common tactic to evade email security filters. A benign link sent from a seemingly known and trusted application contains no inherent malicious content, after all: the link scanned at delivery time points at a legitimate service, and the credential-harvesting page is only reached after a further click.
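The two signals described above, an SCL of -1 on mail from an external domain and a DocuSign-themed message whose links go somewhere other than DocuSign, can be checked from the raw headers of a delivered message. The script below is an added example, not code from the researchers or from Neuways. It relies on the `X-MS-Exchange-Organization-SCL` header and the `SCL:` field of `X-Forwarded-Antispam-Report`, which Microsoft 365 stamps on inbound mail; the sample message, its domains and its URL are constructed placeholders, not indicators from the campaign.

```python
"""Triage raw email headers for messages that skipped Microsoft 365 filtering.

Added example: the message below is constructed for illustration; the domains
and URL are placeholders, not indicators from the campaign described above.
"""
import re
from email import message_from_string
from email.message import Message

# Microsoft 365 stamps the spam verdict into these headers. An SCL of -1 means
# the message bypassed spam filtering (safe sender, safe recipient or IP allow list).
SCL_HEADER = "X-MS-Exchange-Organization-SCL"
ANTISPAM_HEADER = "X-Forwarded-Antispam-Report"  # also carries a "SCL:n" field


def get_scl(msg: Message):
    """Return the SCL as an int, or None if neither header is present."""
    value = msg.get(SCL_HEADER)
    if value is None:
        m = re.search(r"(?:^|;)SCL:(-?\d+)", msg.get(ANTISPAM_HEADER, ""))
        value = m.group(1) if m else None
    return int(value) if value is not None else None


def scl_from_raw(raw: str):
    """Convenience wrapper: SCL of a raw RFC 822 message string."""
    return get_scl(message_from_string(raw))


def sender_domain(msg: Message) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def link_hosts(text: str) -> list:
    """Hostnames of every http(s) link in the text, de-duplicated and sorted."""
    return sorted({h.lower() for h in re.findall(r"https?://([A-Za-z0-9.-]+)", text)})


def host_allowed(host: str, expected: set) -> bool:
    """True if host is one of the expected brand domains or a subdomain of one."""
    return any(host == e or host.endswith("." + e) for e in expected)


def triage(raw: str, internal_domains: set, expected_hosts: set) -> dict:
    """Flag filter bypass by an external sender, and brand lures that link off-brand."""
    msg = message_from_string(raw)
    scl = get_scl(msg)
    domain = sender_domain(msg)
    body = msg.get_payload() if not msg.is_multipart() else ""
    hosts = link_hosts(body)
    findings = []
    if scl == -1 and domain not in internal_domains:
        findings.append(f"SCL -1: spam filtering skipped for external sender {domain}")
    lure = "docusign" in (msg.get("Subject", "") + " " + body).lower()
    off_brand = [h for h in hosts if not host_allowed(h, expected_hosts)]
    if lure and off_brand:
        findings.append("DocuSign-themed mail links to non-DocuSign host(s): " + ", ".join(off_brand))
    return {"scl": scl, "sender_domain": domain, "link_hosts": hosts, "findings": findings}


# Constructed sample: an allow-listed external domain delivering a DocuSign lure
SAMPLE = """From: Hannah Mcdonald <hannah@broker.example>
To: staff@corp.example
Subject: Please review and sign this document
X-MS-Exchange-Organization-SCL: -1
Content-Type: text/plain

A DocuSign document is waiting for your signature.
Review it here: https://preview.prototype.example/doc/1
"""

if __name__ == "__main__":
    print(triage(SAMPLE, {"corp.example"}, {"docusign.com", "docusign.net"}))
```

Run it against a mailbox export and the combination of both findings on one message is worth a look even when the sender domain itself is reputable; an allow-list entry is exactly what turns a compromised partner domain into a delivery channel.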

This campaign is part of a worrying trend. Researchers found 7 million malicious emails sent from Microsoft 365 and a staggering 45 million sent from Google’s cloud services and infrastructure in a three-month period last year. This shows how cyber criminals use the likes of Office 365, Azure, OneDrive, SharePoint, G-Suite and Firebase storage to send phishing emails and host attacks.

Researchers have highlighted the need for integrated email security to be able to combat the phishing threats: “Tools that leverage natural language understanding (NLU) can help stop zero-day attacks.” NLU is the ability of a computer to interpret meaning from human language.

We recommend maintaining basic security hygiene when dealing with emails. This includes not opening emails you are not expecting, being alert to targeted attacks, and using tools such as password managers and multi-factor authentication. The latter two add additional layers of security to any kind of system.

Mobile cyber attacks decline but get more complex

The number of cyber attacks launched against mobile users fell last year, researchers have found. However, the decline was offset by more sophisticated, more complex mobile malware.

In a recent report, researchers said that they had observed a downward trend in the number of attacks on mobile users. However, according to researchers, “attacks are becoming more sophisticated in terms of both malware functionality and vectors.”

They added: “In the reporting period, after a surge in 2020, cyber criminal activity gradually abated. There were no global newsbreaks or major campaigns, and the COVID-19 topic began to fade. At the same time, new players continue to emerge on the cyber threat market as malware becomes more sophisticated. In turn, the decline in the overall number of attacks is ‘compensated’ by the greater impact of a successful attack. The most dangerous threat vectors in this regard are banking malware and spyware.”

Researchers detected 97,661 new mobile banking trojans, along with 3,464,756 malicious installation packages and 17,372 new mobile ransomware trojans. In 2021, banking trojans learned a number of new tricks. For example, the Fakecalls banker now drops outgoing calls to the victim’s bank and plays pre-recorded operator responses stored in the trojan’s body.

Other malicious entities learning new tricks include the Sova banker, which steals cookies, “enabling attackers to access the user’s current session and personal mobile banking account without knowing the login credentials.”

In addition, the Vultur backdoor was found packed into a malicious but fully functional two-factor authentication (2FA) app discovered last month on Google Play. It uses Virtual Network Computing (VNC) to snoop on targets by recording smartphone screens: “When the user opens an app that is of interest to attackers, they can monitor the on-screen events.”

A few other trends spotted in 2021 include: fewer pandemic/COVID-19 topics used, with pop culture lures taking their place. Researchers pointed to the Joker trojan on Google Play, which was found masquerading “as an app with a background wallpaper in the style of Netflix TV show Squid Game.”

Speaking of the malware-ridden Play Store, regardless of Google’s attempts to scrub its app store clean, it’s still infested with malicious applications. Researchers recently sniffed out 300,000 banking trojan infections in Google Play, across only four months.

Researchers noted that they also found malicious code inside ad libraries in the official client for the third-party marketplace APKpure, as well as in a modified WhatsApp build. One example was particularly alarming: the malicious but fully functional 2FA app sat in Google Play for more than two weeks and reached 10,000 downloads. It came loaded with the Vultur malware, which targets financial data.

These trojans most commonly sneak into Google Play by masquerading as a legitimate app, such as a photo editor or VPN service, to which the authors add a small code snippet that decrypts and launches the payload. To confound analysis, such malware often uses a command-and-control (C2) server to send unpacking commands that are carried out in multiple steps: “Each decrypted module contains the address of the next one, plus instructions for decrypting it,” they said. The practical consequence is that the APK submitted to the store contains only the first hop; the real payload is never present until the C2 decides to serve it.
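A model of that chained unpacking, as an added example written for this page rather than code from any real sample: the “C2” is an in-memory dictionary, the cipher is a keyed XOR keystream standing in for whatever a real family uses, and the module contents are constructed strings. It shows why a static look at the dropper reveals only the first address and key, and why an analyst has to walk the chain stage by stage.

```python
"""Model of a C2-driven, multi-stage unpacker: each decrypted module carries the
address and key of the next. Added illustration; cipher, addresses and module
bodies are all constructed for this example."""
import hashlib
import json


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a simple keystream (toy cipher, not for real use)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_chain(modules, keys):
    """Attacker side: encrypt module i under keys[i]; embed address and key of module i+1.

    Returns the first address (the only thing the dropper needs) and the C2 'store'."""
    store = {}
    addrs = [f"/m/{i}" for i in range(len(modules))]
    for i, code in enumerate(modules):
        stage = {"code": code}
        if i + 1 < len(modules):
            stage["next"] = addrs[i + 1]
            stage["key"] = keys[i + 1].hex()
        store[addrs[i]] = xor_crypt(json.dumps(stage).encode(), keys[i])
    return addrs[0], store


def unpack_chain(first_addr, first_key, fetch, max_stages=16):
    """Analyst side: follow the chain using only the dropper's first address and key.

    `fetch(addr)` returns the encrypted blob for an address (here: a dict lookup;
    in the field it would be the C2 request, which fails once the C2 is gone)."""
    addr, key, stages = first_addr, first_key, []
    while addr is not None:
        if len(stages) >= max_stages:
            raise RuntimeError("chain too long; possible loop or decoy")
        stage = json.loads(xor_crypt(fetch(addr), key).decode())
        stages.append((addr, stage["code"]))
        addr = stage.get("next")
        key = bytes.fromhex(stage["key"]) if "key" in stage else None
    return stages


# Constructed demo chain: three stages, three independent keys
DEMO_MODULES = ["stage0: loader stub", "stage1: fetch overlays", "stage2: final payload"]
DEMO_KEYS = [b"k0", b"k1", b"k2"]


def demo():
    first, store = build_chain(DEMO_MODULES, DEMO_KEYS)
    return unpack_chain(first, DEMO_KEYS[0], store.__getitem__)


if __name__ == "__main__":
    for addr, code in demo():
        print(addr, "->", code)
```

The point to notice is that decrypting stage 0 with the dropper’s key exposes the address of stage 1 and nothing beyond it; stage 2 only becomes visible after stage 1 has been fetched and decrypted, so a sample captured without a live C2 cannot be fully unpacked.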

At 42%, adware was the most common mobile threat, even though its share fell by 14.83% from the previous year. Next in prevalence was riskware at 35%. Researchers describe riskware as legitimate programmes “that pose potential risks due to security vulnerability, software incompatibility or legal violations.” In third place were trojans at 9%.

The problem of mobile malware, then, is still a threat for individual users and organisations alike. Always check the legitimacy of mobile applications you are considering downloading, as it could be the difference between staying safe and catastrophe.

Malware affects Google Play users

An Android trojan has been downloaded over 50,000 times from the official app store, Google Play. Researchers have advised anyone who downloaded the “Fast Cleaner” app, to remove it ASAP.

According to researchers, the trojan, dubbed “Xenomorph”, has a target list of 56 different European banks, for which it provides convincing spoofed login pages whenever a victim attempts to log into a mobile banking app. The goal is to steal any credentials that victims enter into the faux login page.

However, the malware is also a flexible, modular banking trojan, which has code overlaps and other ties to the Alien malware. It notably contains the ability to abuse Android’s accessibility services for broad control over a device’s capabilities, which could open the door to dangerous features that go beyond hijacking mobile banking credentials.

Researchers warned: “The Accessibility engine powering this malware, together with the infrastructure and command-and-control (C2) protocol, are carefully designed to be scalable and updatable. The information stored by the logging capability of this malware is very extensive, and if sent back to the C2 server, could be used to implement keylogging, as well as collecting behavioural data on victims and on installed applications, even if they are not part of the list of targets.”

That advanced functionality is not yet implemented, so the researchers have deemed Xenomorph as still being under development. However, they noted that it’s already making a mark on the banking trojan front: “Xenomorph is already sporting effective overlays [for banking apps] and being actively distributed on official app stores.”

It also uses SMS and notification interception to log and use potential two-factor authentication (2FA) tokens. And, they added: “It would be unsurprising to see this bot sport semi-automatic transfer system (ATS) capabilities in the very near future.”

ATS (automated transfer system) is the process of initiating transfers automatically from the victim’s own device, inside the already-authenticated banking session, so the operator never has to enter credentials and 2FA challenges and device-based anti-fraud checks are side-stepped. Researchers observed the malware being loaded by a dropper hiding in a Google Play application called “Fast Cleaner”. With over 50,000 installations, it promised to remove unused files and optimise battery use for better device performance.

In terms of its main overlay attack vector, Xenomorph is powered by Accessibility Services privileges, the researchers found: “Once the malware is up and running on a device, its background services receive Accessibility events whenever something new happens on the device.

“If the application opened is part of the list of targets, then Xenomorph will trigger an overlay injection and show a WebView Activity posing as the targeted package.”

More specifically, once installed, the malware sends back a list of the packages installed on the infected device. Based on which targeted applications are present, it downloads the corresponding overlays to inject. After obtaining Accessibility Services privileges, Xenomorph first registers and verifies itself with the C2 by sending a request built with the legitimate, open-source Retrofit2 HTTP client library.

That first message contains the initial information exfiltrated about the device. After that, Xenomorph periodically polls for new commands from the C2. For now, the commands allow the malware to log SMS messages, list the web injects sent by the C2, enable or disable intercept notifications, and interfere with installed apps.

Meanwhile, the malware also performs the aforementioned logging: “All the information gathered is only displayed on the local device logs, but in the future a very minor modification would be enough to add keylogging and Accessibility logging capabilities to the malware,” researchers warned.
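The capability set described above (an accessibility service, a notification listener, SMS access, overlays and package enumeration) is declared in an app’s manifest, so a first-pass triage of a suspect APK can be done before any dynamic analysis. The script below is an added example, not code from the researchers, Google or Neuways; it reads a decoded `AndroidManifest.xml` (the APK’s own copy is binary XML and must first be decoded, for example with apktool) and reports which of those capabilities are present. The two manifests embedded at the bottom are constructed, and `com.example.cleaner` is a placeholder package name.

```python
"""Triage a decoded AndroidManifest.xml for the capability set used by overlay
banking trojans. Added example; the sample manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that, in combination, support overlay / interception behaviour
SUSPECT_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (2FA codes)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate installed apps (target selection)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can side-load a second-stage APK (dropper)",
}
# Services the system binds to only when declared with these permissions
BINDABLE_SERVICES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (UI control, event monitoring)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener (intercepts notifications)",
}


def triage_manifest(xml_text: str) -> dict:
    """Return declared permissions, bindable services and human-readable findings."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    findings = [f"{p}: {SUSPECT_PERMISSIONS[p]}" for p in sorted(perms & set(SUSPECT_PERMISSIONS))]
    services = set()
    for svc in root.iter("service"):
        bind = svc.get(ANDROID_NS + "permission")
        if bind in BINDABLE_SERVICES:
            services.add(bind)
            findings.append(f"{svc.get(ANDROID_NS + 'name')}: {BINDABLE_SERVICES[bind]}")
    accessibility = "android.permission.BIND_ACCESSIBILITY_SERVICE" in services
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in perms
    sms = bool(perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"})
    if accessibility and (overlay or sms):
        findings.append("accessibility + overlay/SMS: matches the banking-trojan capability pattern")
    return {"package": root.get("package"), "permissions": perms, "services": services,
            "accessibility_service": accessibility, "findings": findings}


# Constructed: a 'cleaner' app that declares far more than cleaning needs
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed: a plain app with only network access
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print(line)
```

Accessibility and notification-listener services are legitimate for screen readers, password managers and genuine 2FA apps, so a single hit is not a verdict; the combination of accessibility control with overlay drawing or SMS access in an app whose advertised purpose needs neither is what warrants a closer look.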

Even though, for now, Xenomorph is a fairly typical banking trojan, researchers added that it does have untapped potential: “Modern banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates.”

As always, Neuways advises users to be wary of unrecognised applications, even when they come from official app stores, because they may carry malware as potent as Xenomorph. All it takes is one errant download for your phone to become a beacon of confidential information for cyber criminals. Worse still, if your phone doubles as your work device, your organisation could be compromised too.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.