Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Spyware. Show all posts
zero-click
Data Breach Hackers paragon Spyware WhatsApp zero-click

WhatsApp Fixes Security Flaw Exploited by Spyware

 



WhatsApp recently fixed a major security loophole that was being used to install spyware on users' devices. The issue, known as a zero-click, zero-day vulnerability, allowed hackers to access phones without the user needing to click on anything. Security experts from the University of Toronto’s Citizen Lab uncovered this attack and linked it to Paragon’s spyware, called Graphite.  

The flaw was patched by WhatsApp in late 2023 without requiring users to update their app. The company also chose not to assign a CVE-ID to the vulnerability, as it did not meet specific reporting criteria.  

A WhatsApp spokesperson confirmed that hackers used the flaw to target certain individuals, including journalists and activists. WhatsApp directly reached out to around 90 affected users across multiple countries.  


How the Attack Worked  

Hackers used WhatsApp groups to launch their attacks. They added their targets to a group and sent a malicious PDF file. As soon as the file reached the victim’s phone, the device automatically processed it. This triggered the exploit, allowing the spyware to install itself without any user action.  

Once installed, the spyware could access sensitive data and private messages. It could also move beyond WhatsApp and infect other apps by bypassing Android’s security barriers. This gave attackers complete control over the victim’s device.  


Who Was Targeted?  

According to Citizen Lab, the attack mostly focused on individuals who challenge governments or advocate for human rights. Journalists, activists, and government critics were among the key targets. However, since only 90 people were officially notified by WhatsApp, experts believe the actual number of victims could be much higher.  

Researchers found a way to detect the spyware by analyzing Android device logs. They identified a forensic marker, nicknamed "BIGPRETZEL," that appears on infected devices. However, spotting the spyware is still difficult because Android logs do not always capture all traces of an attack.  


Spyware Linked to Government Agencies  

Citizen Lab also investigated the infrastructure used to operate the spyware. Their research uncovered multiple servers connected to Paragon’s spyware, some of which were linked to government agencies in countries like Australia, Canada, Cyprus, Denmark, Israel, and Singapore. Many of these servers were rented through cloud platforms or hosted directly by government agencies.  

Further investigation revealed that the spyware's digital certificates contained the name “Graphite” and references to installation servers. This raised concerns about whether Paragon's spyware operates similarly to Pegasus, another surveillance tool known for being used by governments to monitor individuals.  


Who Is Behind Paragon Spyware?  

Paragon Solutions Ltd., the company behind Graphite spyware, is based in Israel. It was founded in 2019 by Ehud Barak, Israel’s former Prime Minister, and Ehud Schneorson, a former commander of Unit 8200, an elite Israeli intelligence unit.  

Paragon claims that it only sells its technology to democratic governments for use by law enforcement agencies. However, reports have shown that U.S. agencies, including the Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE), have purchased and used its spyware.  

In December 2024, a U.S.-based investment firm, AE Industrial Partners, bought Paragon, further raising questions about its future operations and how its surveillance tools may be used.  


Protecting Yourself from Spyware  

While WhatsApp has fixed this specific security flaw, spyware threats continue to evolve. Users can take the following steps to protect themselves:  

1. Update Your Apps: Always keep your apps updated, as companies frequently release security patches.  

2. Be Cautious of Unknown Files: Never open suspicious PDFs, links, or attachments from unknown sources.  

3. Enable Two-Factor Authentication: Adding an extra layer of security to your accounts makes it harder for hackers to break in.  

4. Check Your Device Logs: If you suspect spyware, seek professional help to analyze your phone’s activity.  

Spyware attacks are becoming more advanced, and staying informed is key to protecting your privacy. WhatsApp’s quick response to this attack highlights the ongoing battle against cyber threats and the need for stronger security measures.  


Read more »
User Privacy
AWS Credentials Mobile Security Spyware Stalkerware User Privacy

Amazon Faces Criticism For Still Hosting Stalkerware Victims' Data

 

Amazon is drawing fire for hosting data from the Cocospy, Spyic, and Spyzie apps weeks after being notified of the problem, as the spyware firms continue to upload sensitive phone data of 3.1 million users to Amazon Web Services (AWS) servers. 

Last month on February 20, threat analysts at TechCrunch, an American global news outlet, notified Amazon of the stalkerware-hosted data, including exact storage bucket information where the stolen data from victims' phones was stored. However, as of mid-March, no firm steps have been taken to disable the hosting servers. 

In response, AWS thanked TechCrunch for the tip and sent a link to its abuse report form. In response to this statement, Ryan, the AWS spokesperson stated, "AWS responded by requesting specific technical evidence through its abuse reporting form to investigate the claims. TechCrunch declined to provide this evidence or submit an abuse report.”

The Android apps Cocospy, Spyic, and Spyzie share identical source code and a security vulnerability that can be easily exploited. The flaw abuses poorly secured servers used by the apps, allowing external access to exfiltrated data. The servers employed by the apps have Chinese origins and store data on Cloudflare and AWS infrastructure.

On March 10, TechCrunch notified Amazon that the Spyzie app was also uploading stolen data to its own Amazon bucket. According to Amazon, AWS responds to complaints of abuse and has stringent acceptable usage guidelines. The company's procedural reaction, however, has come under fire for taking too long to take action regarding hosting stolen data.

Ryan clarified that AWS responded quickly and made repeated requests for the technical data required to conduct the investigation, which TechCrunch declined. He went on to say: "AWS's request to submit the findings through its publicly available abuse reporting channel was questioned by the outlet, which declined to provide the requested technical data.” 

Stalkerware thrives on direct downloads, despite being banned from major app stores like Google Play and Apple's App Store. While some sellers say that the apps are for legal purposes, their capabilities are frequently utilised in ways that breach privacy regulations.
Read more »
WhatsApp
AI Backdoor Data Encryption Pegasus Spyware Technology WhatsApp

Frances Proposes Law Requiring Tech Companies to Provide Encrypted Data


Law demanding companies to provide encrypted data

New proposals in the French Parliament will mandate tech companies to give decrypted messages, email. If businesses don’t comply, heavy fines will be imposed.

France has proposed a law requiring end-to-end encryption messaging apps like WhatsApp and Signal, and encrypted email services like Proton Mail to give law enforcement agencies access to decrypted data on demand. 

The move comes after France’s proposed “Narcotraffic” bill, asking tech companies to hand over encrypted chats of suspected criminals within 72 hours. 

The law has stirred debates in the tech community and civil society groups because it may lead to building of “backdoors” in encrypted devices that can be abused by threat actors and state-sponsored criminals.

Individuals failing to comply will face fines of €1.5m and companies may lose up to 2% of their annual world turnover in case they are not able to hand over encrypted communications to the government.

Criminals will exploit backdoors

Few experts believe it is not possible to bring backdoors into encrypted communications without weakening their security. 

According to Computer Weekly’s report, Matthias Pfau, CEO of Tuta Mail, a German encrypted mail provider, said, “A backdoor for the good guys only is a dangerous illusion. Weakening encryption for law enforcement inevitably creates vulnerabilities that can – and will – be exploited by cyber criminals and hostile foreign actors. This law would not just target criminals, it would destroy security for everyone.”

Researchers stress that the French proposals aren’t technically sound without “fundamentally weakening the security of messaging and email services.” Similar to the “Online Safety Act” in the UK, the proposed French law exposes a serious misunderstanding of the practical achievements with end-to-end encrypted systems. Experts believe “there are no safe backdoors into encrypted services.”

Use of spyware may be allowed

The law will allow using infamous spywares such as NSO Group’s Pegasus or Pragon that will enable officials to remotely surveil devices. “Tuta Mail has warned that if the proposals are passed, it would put France in conflict with European Union laws, and German IT security laws, including the IT Security Act and Germany’s Telecommunications Act (TKG) which require companies to secure their customer’s data,” reports Computer Weekly.

Read more »
zero click
Cyber Attacks Paragon Solutions Spyware WhatsApp zero click

WhatsApp Alerts Users About a Dangerous Zero-Click Spyware Attack

 


WhatsApp has warned users about a highly advanced hacking attack that infected nearly 90 people across 24 countries. Unlike traditional cyberattacks that rely on tricking victims into clicking malicious links, this attack used zero-click spyware, meaning the targets were hacked without taking any action.  


What Happened?

Hackers exploited a security vulnerability in WhatsApp to send malicious documents to the victims’ devices. These documents contained spyware that could take control of the phone without the user clicking or opening anything.  

According to reports, the attack was linked to Paragon Solutions, an Israeli company that develops spyware for government agencies. While governments claim such tools help in law enforcement and national security, they have also been misused to spy on journalists, activists, and members of civil society.  


Who Was Targeted?

The specific names of the victims have not been disclosed, but reports confirm that journalists and human rights advocates were among those affected. Many of them were based in European nations, but the attack spread across multiple regions.  

WhatsApp acted quickly to disrupt the attack and alerted the affected users. It also referred them to Citizen Lab, a cybersecurity research group that investigates digital threats.  


What is a Zero-Click Attack?  

A zero-click attack is a form of cyberattack where hackers do not need the victim to click, open, or download anything. Instead, the attack exploits weaknesses in apps or operating systems, allowing spyware to be installed silently.  

Unlike phishing attacks that trick users into clicking harmful links, zero-click attacks bypass user interaction completely, making them much harder to detect or prevent.  


How Dangerous Is This Spyware? 

Once installed, the spyware can:  

1. Access private messages, calls, and photos  

2. Monitor activities and track location  

3. Activate the microphone or camera to record conversations  

4. Steal sensitive personal data

Cybersecurity experts warn that such spyware can be used for mass surveillance, threatening privacy and security worldwide.  


Who is Behind the Attack?  

WhatsApp has linked the spyware to Paragon Solutions, but has not revealed how this conclusion was reached. Authorities and cybersecurity professionals are now investigating further.  


How to Stay Safe from Spyware Attacks

While zero-click attacks are difficult to prevent, you can reduce the risk by:  

1. Keeping Your Apps Updated – Always update WhatsApp and your phone’s operating system to patch security flaws.  

2. Enabling Two-Factor Authentication (2FA) – This adds an extra layer of security to your account.  

3. Being Cautious with Unknown Messages – While this attack required no interaction, remaining alert can help protect against similar threats.  

4. Using Encrypted and Secure Apps – Apps with end-to-end encryption, like WhatsApp and Signal, make it harder for hackers to steal data.  

5. Monitoring Unusual Phone Activity – If your phone suddenly slows down, heats up, or experiences rapid battery drain, it may be infected. Run a security scan immediately.  

This WhatsApp attack is a reflection of the growing threats posed by spyware. As hacking methods become more advanced and harder to detect, users must take steps to protect their digital privacy. WhatsApp’s quick response limited the damage, but the incident highlights the urgent need for stronger cybersecurity measures to prevent such attacks in the future.


Read more »
Spyware Attack
Cyber Attacks Hacking WhatsApp Israeli Firm Israeli spyware Malicious Software Spyware Spyware Attack

WhatsApp Uncovers Zero-Click Spyware Attack Linked to Israeli Firm Paragon

 

WhatsApp has uncovered a stealthy spyware attack attributed to Israeli firm Paragon, targeting nearly 100 users worldwide, including journalists and civil society members. This zero-click attack required no user interaction, making it particularly dangerous as it could infiltrate devices without victims clicking on links or downloading attachments. 

A WhatsApp spokesperson confirmed that the company successfully identified and blocked the exploit, directly notifying those affected. The investigation, supported by cybersecurity research group Citizen Lab, revealed that the spyware could extract private messages, access call logs, view photos, and even activate the device’s microphone and camera remotely. John Scott-Railton, a senior researcher at Citizen Lab, highlighted the broader risks associated with such surveillance tools. He stressed the need for greater accountability within the spyware industry, warning that unchecked surveillance capabilities pose serious threats to personal privacy and digital security. 

Italian media outlet Fanpage.io first reported the breach, revealing that its director, Francesco Cancellato, was among the targeted individuals. WhatsApp informed him that malicious software might have compromised his device, potentially granting unauthorized access to sensitive data. In response, Cancellato and a team of independent analysts are examining the extent of the breach and working to determine who orchestrated the espionage. Paragon, which has positioned itself as a more ethical alternative to controversial spyware vendors like NSO Group, now faces increased scrutiny. 

The company had been seeking entry into the U.S. market but encountered regulatory hurdles after concerns arose over national security risks and human rights implications. The Biden administration’s executive order on commercial spyware, designed to curb the spread of digital surveillance tools, contributed to the suspension of a key contract for Paragon. Cybersecurity experts caution that even democratic governments have misused surveillance technology when regulatory oversight is inadequate. 

The exposure of Paragon’s spyware campaign raises questions about the potential for abuse, especially in the hands of entities operating with minimal transparency. Experts argue that unless stringent policies are enforced, spyware firms will continue to develop and distribute invasive surveillance tools without accountability. Paragon has yet to respond to the allegations, but the revelations about its activities are likely to fuel ongoing debates over the ethics of commercial spyware. 

This case underscores the urgent need for stronger global regulations to prevent the misuse of surveillance technologies and protect individuals from unauthorized digital intrusions.
Read more »
WhatsApp
New Media Privacy Social Media Spyware surveillance WhatsApp

WhatsApp Says Spyware Company Paragon Hacked 90 Users

WhatsApp Says Spyware Company Paragon Hacked 90 Users

Attempts to censor opposition voices are not new. Since the advent of new media, few Governments and nations have used spyware to keep tabs on the public, and sometimes target individuals that the government considers a threat. All this is done under the guise of national security, but in a few cases, it is aimed to suppress opposition and is a breach of privacy. 

Zero-click Spyware for WhatsApp

One such interesting incident is the recent WhatsApp “zero-click” hacking incident. In a conversation with Reuters, a WhatsApp official disclosed that Israeli spyware company Paragon Solutions was targeting its users, victims include journalists and civil society members. Earlier this week, the official told Reuters that Whatsapp had sent Paragon a cease-and-desist notice after the surveillance hack. In its official statement, WhatsApp stressed it will “continue to protect people's ability to communicate privately."

Paragon refused to comment

According to Reuters, WhatsApp had noticed an attempt to hack around 90 users. The official didn’t disclose the identity of the targets but hinted that the victims belonged to more than a dozen countries, mostly from Europe. WhatsApp users were sent infected files that didn’t require any user interaction to hack their targets, the technique is called the “zero-click” hack, known for its stealth 

“The official said WhatsApp had since disrupted the hacking effort and was referring targets to Canadian internet watchdog group Citizen Lab,” Reuter reports. He didn’t discuss how it was decided that Paragon was the culprit but added that law enforcement agencies and industry partners had been notified, and didn’t give any further details.

FBI didn’t respond immediately

“The FBI did not immediately return a message seeking comment,” Reuter said. Citizen Lab researcher John Scott-Railton said the finding of Paragon spyware attacking WhatsApp is a “reminder that mercenary spyware continues to proliferate and as it does, so we continue to see familiar patterns of problematic use."

Citizen Lab researcher John Scott-Railton said the discovery of Paragon spyware targeting WhatsApp users "is a reminder that mercenary spyware continues to proliferate and as it does, so we continue to see familiar patterns of problematic use."

Ethical implications concerning spying software

Spyware businesses like Paragaon trade advanced surveillance software to government clients, and project their services as “critical to fighting crime and protecting national security,” Reuter mentions. However, history suggests that such surveillance tools have largely been used for spying, and in this case- journalists, activists, opposition politicians, and around 50 U.S officials. This raises questions about the lawless use of technology.

Paragon - which was reportedly acquired by Florida-based investment group AE Industrial Partners last month - has tried to position itself publicly as one of the industry's more responsible players. On its website, Paragon advertises the software as “ethically based tools, teams, and insights to disrupt intractable threats” On its website, and media reports mentioning people acquainted with the company “say Paragon only sells to governments in stable democratic countries,” Reuter mentions.

Read more »
Spyware
Amazon App Store Android BMI Calculator malware Spyware

Hackers are Employing Amazon Appstore to Propagate Malware

 

'BMI CalculationVsn' is a malicious Android spyware app that was identified on the Amazon Appstore. It poses as a simple health tool while covertly harvesting data from compromised devices. 

Cybersecurity researchers from McAfee Labs discovered the app and notified Amazon, which resulted in the app being taken down from the app store. To get rid of any remaining traces, those who installed the app must manually uninstall it and run an extensive scan.

Amazon Appstore is a third-party Android software store that is pre-installed on Amazon Fire tablets and Fire TV devices. It also serves as a substitute to Google Play for Android device owners who can't or don't want to use Google's platform, and it even includes exclusive Amazon Prime games and entertainment. The BMI CalculationVsn spyware program, released by 'PT Visionet Data Internasional,' is marketed as a simple body mass index (BMI) calculator. 

Modus operandi

The user is greeted by an easy-to-use interface when they launch the compromised app, which offers the advertised features, such as calculating their BMI. However, there are other malicious activities going on in the background.

When the user taps the 'Calculate' button, the app first starts a screen recording service that asks for the required approval. This can be misleading and mislead users into giving their permission without thinking. 

McAfee claims that although the footage is locally stored in an MP4 file, it was not uploaded to the command and control (C2) server. This is probably because the app is still in the early stages of testing. 

The researchers' further investigation into the app's release history revealed that it was originally made available in the wild on October 8. By the end of the month, it changed the certificate information, added new malicious functions, and modified its icon. 

In order to help the attackers plan their next move, the app's second malicious operation is to scan the device and retrieve all installed applications. Finally, the spyware intercepts and gathers SMS messages, including verification codes and one-time passwords (OTPs), that are received and stored on the device.

Given that malicious apps can still escape through code review cracks in respectable and generally trustworthy stores like the Amazon Appstore, Android users should only install apps from reputable publishers. 

It is also advisable to review requested permissions and revoke problematic ones after installation. Google Play Protect can detect and block known malware detected by App Security Alliance partners such as McAfee, thus having it enabled on Android devices is critical.
Read more »
Zero-day Flaw
Android Spyware cyber espionage Cyber Security Israeli Firm NoviSpy Spyware Zero-day Flaw

Novel Android NoviSpy Spyware Linked to Qualcomm Zero-Day Flaws

 

Amnesty International researchers discovered an Android zero-day bug that was exploited to silently disseminate custom surveillance spyware targeting Serbian journalists. The probe has traced the technology to Cellebrite, an Israeli forensics vendor.

In a technical report published earlier this week, the human rights group outlined how Serbia's Security Information Agency (BIA) and police employed Cellebrite's forensic extraction tools and a newly uncovered spyware dubbed 'NoviSpy' to infect journalists' and activists' devices. In one instance, a journalist's phone was allegedly hacked during a police traffic check, with the Cellebrite tool facilitating the infection. 

Amnesty International warned that Serbia's legal restrictions on the use of mobile forensic tools are inadequate and that "the ability to download, in effect, an individual's entire digital life using Cellebrite UFED and similar mobile forensic tools, poses enormous human rights risks, if such tools are not subject to strict control and oversight.” 

The report details the example of journalist SlaviÅ¡a Milanov, whose Xiaomi Redmi Note 10S smartphone was hacked after a police confrontation in Serbia. Forensic investigation suggested the usage of a zero-day Android exploit to overcome encryption and unlock the device, allowing NoviSpy to be installed. 

According to the group, the privilege escalation zero-day, which was patched in the Qualcomm October security update, affected Android devices with popular Qualcomm chipsets and millions of Android smartphones globally. 

In another case, Amnesty International discovered an Android smartphone belonging to an environmental activist logging a series of missed calls including invalid, seemingly random numbers that are not acceptable in Serbia.

"After these calls, [the activist said] that the battery on his device drained quickly.” The researchers inspected the device and discovered no trace of manipulation, but they warned that there is a substantial "knowledge gap" regarding zero-click assaults on Android smartphones. 

Amnesty International acknowledged Cellebrite's claim that it has strict protocols to prevent product misuse, but cautioned that this revelation "provides clear evidence of a journalist's phone being targeted without any form of due process." 

Unfortunately, Amnesty International discovered signs of the previously undisclosed NoviSpy spyware, which allows for the capture of sensitive personal data from a target's phone after infection and the ability to remotely activate the phone's microphone or camera. 

“Forensic evidence indicates that the spyware was installed while the Serbian police were in possession of SlaviÅ¡a’s device, and the infection was dependent on the use of Cellebrite to unlock the device. Two forms of highly invasive technologies were used in combination to target the device of an independent journalist, leaving almost his entire digital life open to the Serbian authorities,” the human rights group stated.
Read more »
spyware and malware
Cyber Attacks cybercriminals data security Data Theft NCC Group Ransomware attack Ransomwares Spyware spyware and malware

Ymir Ransomware: A Rising Threat in the Cybersecurity Landscape

 

The evolving threat landscape continues to present new challenges, with NCC Group’s latest Threat Pulse report uncovering the emergence of Ymir ransomware. This new ransomware strain showcases the growing collaboration among cybercriminals to execute highly sophisticated attacks.

First documented during the summer of 2024, Ymir initiates its attack cycle by deploying RustyStealer, an infostealer designed to extract credentials and serve as a spyware dropper. Ymir then enters its locker phase, executing swiftly to avoid detection. According to an analysis by Kaspersky, based on an attack in Colombia, Ymir’s ransomware locker employs a configurable, victim-tailored approach, focusing on a single-extortion model, where data is encrypted but not stolen.

Unlike many modern ransomware groups, Ymir’s operators lack a dedicated leak site for stolen data, further distinguishing them. Linguistic analysis of the code revealed Lingala language strings, suggesting a possible connection to Central Africa. However, experts remain divided on whether Ymir operates independently or collaborates with other threat actors.

Blurred Lines Between Criminal and State-Sponsored Activities

Matt Hull, NCC Group’s Head of Threat Intelligence, emphasized the challenges of attribution in modern cybercrime, noting that blurred lines between criminal groups and state-sponsored actors often complicate motivations. Geopolitical tensions are a driving factor behind these dynamic threat patterns, as highlighted by the UK’s National Cyber Security Centre (NCSC).

Ransomware Trends and Global Incidents

Recent incidents exemplify this evolving threat landscape:

  • The KillSec hacktivist group transitioned into ransomware operations.
  • Ukraine’s Cyber Anarchy Squad launched destructive attacks targeting Russian organizations.
  • North Korea’s Jumpy Pisces APT collaborated with the Play ransomware gang.
  • The Turk Hack Team attacked Philippine organizations using leaked LockBit 3.0 lockers.

NCC Group’s report indicates a 16% rise in ransomware incidents in November 2024, with 565 attacks recorded. The industrial sector remains the most targeted, followed by consumer discretionary and IT. Geographically, Europe and North America experienced the highest number of incidents. Akira ransomware overtook RansomHub as the most active group during this period.

State-Backed Threats and Infrastructure Risks

State-backed cyber groups continue to escalate their operations:

  • Sandworm, a Russian APT recently reclassified as APT44, has intensified attacks on Ukrainian and European energy infrastructure.
  • As winter deepens, threats to critical national infrastructure (CNI) heighten global concerns.

Ransomware is evolving into a multipurpose tool, used by hacktivists to fund operations or to obfuscate advanced persistent threats (APTs). With its trajectory pointing to continued growth and sophistication in 2025, heightened vigilance and proactive measures will be essential to mitigate these risks.

Read more »
Technology
iVerify Pegasus Security Tool Spyware Technology

Novel iVerify Tool Detects Widespread Use of Pegasus Spyware

 


iVerify's mobile device security tool, launched in May, has identified seven cases of Pegasus spyware in its first 2,500 scans. This milestone brings spyware detection closer to everyday users, underscoring the escalating threat of commercial spyware. 

How the Tool Works 

iVerify’s Mobile Threat Hunting uses advanced detection methods, including:
  • Malware Signature Detection: Matches known spyware patterns.
  • Heuristics: Identifies abnormal behavior indicative of infections.
  • Machine Learning: Analyzes patterns to detect potential threats.
The service is offered to paying customers, with a free version available via the iVerify Basics app for a nominal fee. Users can run monthly scans, generating diagnostic files for expert evaluation. 
  
Spyware’s Broadening Scope 
 
The detected infections reveal Pegasus spyware targets beyond traditional assumptions: Victims include business leaders, government officials, and commercial enterprise operators.

The findings suggest spyware usage is more pervasive than previously believed.

Rocky Cole, iVerify’s COO and former NSA analyst, stated, "The people who were targeted were not just journalists and activists, but business leaders, people running commercial enterprises, and people in government positions."

Detection and Challenges iVerify’s tool identifies infection indicators such as:
  • Diagnostic data anomalies.
  • Crash logs.
  • Shutdown patterns linked to spyware activity.
These methods have proven crucial in detecting Pegasus spyware on high-profile targets like political activists and campaign officials. Despite challenges such as improving mobile monitoring accuracy and reducing false positives, the tool's efficacy marks a significant advancement. 
  
Implications for Mobile Security 
 
The success of iVerify’s tool signifies a shift in mobile security perceptions: Mobile devices like iPhones and Android phones are no longer considered relatively secure from spyware attacks.

Commercial spyware’s increasing prevalence necessitates more sophisticated detection tools.

iVerify’s Mobile Threat Hunting tool exemplifies this evolution, offering a powerful resource in the fight against spyware and promoting proactive device security in an increasingly complex threat landscape.
Read more »
Trustwave SpiderLabs
Cyber Threats Cybersecurity JPHP language malware Pronsis Loader Ransomware Spyware stealth malware Threat Intelligence Trustwave SpiderLabs

New Malware ‘Pronsis Loader’ Uses Rare JPHP Language to Evade Detection and Deliver High-Risk Payloads

 

Trustwave SpiderLabs recently announced the discovery of a new form of malware named Pronsis Loader. This malware has already started to pose significant challenges for cybersecurity experts due to its unique design and operation. Pronsis Loader leverages JPHP, a lesser-known programming language, and incorporates sophisticated installation tactics, which complicates detection and mitigation efforts by standard security tools.

JPHP, a variation of the popular PHP programming language, is rarely seen in the world of malware development, especially for desktop applications. While PHP is commonly used for web applications, its adaptation into desktop malware through Pronsis Loader offers cybercriminals an advantage by making it harder to detect.

Pronsis Loader’s use of JPHP helps it bypass conventional detection systems, which often rely on identifying common programming languages in malware. This less common language adds an extra layer of “stealth,” allowing the malware to slip past many security tools. In addition, Pronsis Loader uses advanced obfuscation and encryption to hide during initial infection, silently installing itself by imitating legitimate processes. This stealth tactic hinders both automated and manual detection efforts.

Once Pronsis Loader is installed, it can download and execute other types of malware, such as ransomware, spyware, and data-theft tools. This modular approach makes it highly adaptable, allowing cybercriminals to customize payloads based on their target’s specific system or environment. As part of a broader trend in cybercrime, loaders like Pronsis are used in multi-stage attacks to introduce further malicious programs, providing attackers with a flexible foundation for varied threats.

To counter this evolving threat, security teams should consider adopting advanced behavioral monitoring and analysis techniques that identify malware based on its behavior, rather than relying solely on signature detection. Additionally, staying updated on threat intelligence helps to recognize rare languages and methods, such as those employed by Pronsis Loader.

 Shawn Kanady, Global Director at Trustwave SpiderLabs, emphasized the significance of Pronsis Loader’s stealth and adaptability, noting its potential to deliver high-risk payloads like Lumma Stealer and Latrodectus. Kanady concluded that understanding Pronsis Loader’s unique design and infrastructure offers valuable insights for strengthening cybersecurity defenses against future campaigns.







Read more »
Spyware
AI Tool ChatGPT ChatGPT Vulnerabilities ChatGPT. OpenAI Data Breach Data Hackers Data Safety User Data Data Theft OpenAI Spyware

ChatGPT Vulnerability Exploited: Hacker Demonstrates Data Theft via ‘SpAIware

 

A recent cyber vulnerability in ChatGPT’s long-term memory feature was exposed, showing how hackers could use this AI tool to steal user data. Security researcher Johann Rehberger demonstrated this issue through a concept he named “SpAIware,” which exploited a weakness in ChatGPT’s macOS app, allowing it to act as spyware. ChatGPT initially only stored memory within an active conversation session, resetting once the chat ended. This limited the potential for hackers to exploit data, as the information wasn’t saved long-term. 

However, earlier this year, OpenAI introduced a new feature allowing ChatGPT to retain memory between different conversations. This update, meant to personalize the user experience, also created an unexpected opportunity for cybercriminals to manipulate the chatbot’s memory retention. Rehberger identified that through prompt injection, hackers could insert malicious commands into ChatGPT’s memory. This allowed the chatbot to continuously send a user’s conversation history to a remote server, even across different sessions. 

Once a hacker successfully inserted this prompt into ChatGPT’s long-term memory, the user’s data would be collected each time they interacted with the AI tool. This makes the attack particularly dangerous, as most users wouldn’t notice anything suspicious while their information is being stolen in the background. What makes this attack even more alarming is that the hacker doesn’t require direct access to a user’s device to initiate the injection. The payload could be embedded within a website or image, and all it would take is for the user to interact with this media and prompt ChatGPT to engage with it. 

For instance, if a user asked ChatGPT to scan a malicious website, the hidden command would be stored in ChatGPT’s memory, enabling the hacker to exfiltrate data whenever the AI was used in the future. Interestingly, this exploit appears to be limited to the macOS app, and it doesn’t work on ChatGPT’s web version. When Rehberger first reported his discovery, OpenAI dismissed the issue as a “safety” concern rather than a security threat. However, once he built a proof-of-concept demonstrating the vulnerability, OpenAI took action, issuing a partial fix. This update prevents ChatGPT from sending data to remote servers, which mitigates some of the risks. 

However, the bot still accepts prompts from untrusted sources, meaning hackers can still manipulate the AI’s long-term memory. The implications of this exploit are significant, especially for users who rely on ChatGPT for handling sensitive data or important business tasks. It’s crucial that users remain vigilant and cautious, as these prompt injections could lead to severe privacy breaches. For example, any saved conversations containing confidential information could be accessed by cybercriminals, potentially resulting in financial loss, identity theft, or data leaks. To protect against such vulnerabilities, users should regularly review ChatGPT’s memory settings, checking for any unfamiliar entries or prompts. 

As demonstrated in Rehberger’s video, users can manually delete suspicious entries, ensuring that the AI’s long-term memory doesn’t retain harmful data. Additionally, it’s essential to be cautious about the sources from which they ask ChatGPT to retrieve information, avoiding untrusted websites or files that could contain hidden commands. While OpenAI is expected to continue addressing these security issues, this incident serves as a reminder that even advanced AI tools like ChatGPT are not immune to cyber threats. As AI technology continues to evolve, so do the tactics used by hackers to exploit these systems. Staying informed, vigilant, and cautious while using AI tools is key to minimizing potential risks.
Read more »
US Treasury Department
Cyber Security Intellexa Predator Sanctions Spyware US Treasury Department

US Steps up Pressure on Intellexa Spyware Maker with New Sanctions

 


The US Treasury Department imposed further sanctions on five individuals and one entity connected to the Intellexa Consortium, a reportedly tainted holding company behind notorious spyware known as Predator. US officials say that even though more sanctions were imposed last year and again this year, additional steps were necessary because of the complicated network of corporate entities Intellexa had established to avoid responsibility.

Most notably, the sanctions talk around the activities of the Intellexa Consortium, who, while placing money through holding companies, continued to move funds and sell its Predator spyware into multiple holding companies. The new sanctions target these loopholes that enable companies such as Intellexa to engage in such activities, thus according to one senior administration official. To that extent, the sanctions prove consistent on the part of the U.S. government in an attempt to hold accountable all those entities that threaten the nation's security and violate civil liberties.

How Predator Spyware Works

Known to steal sensitive information from devices via one-click and zero-click attacks that require little to no activity from the victim, predator spyware can trace people, monitor phone calls, and obtain access to the data of smartphones and other devices. Since 2019, this malware has spread to Android and iPhone devices globally, even affecting the U.S. government.

As recently confirmed, the Biden administration has made it a fact that over 50 US government employees have been affected by commercial spyware, like Predator, in countries counted in more than 10. Though the exact location of the attacks is not made public, such threats are under close observation by the administration.

Key Individuals and Entities Impacted By Sanctions

The new wave of sanctions hits key players in the company of Intellexa. Felix Bitzios, owner of one of the companies that sold Predator spyware to foreign governments, is among them. Another, Andrea Nicola Constantino Hermes Gambazzi, is accused of facilitating other Intellexa entities to make financial transactions. Other sentences will be handed down for Merom Harpaz, Panagiota Karaoli, and Artemis Artemiou. The organisation, Aliada Group Inc. operating in the British Virgin Islands, was sanctioned due to its provision to transfer millions of dollars to Intellexa.

In March, Tal Jonathan Dilian, a founder of Intellexa, was already sanctioned; however, the corporation was not restricted due to its action of continuing to sell spyware to governments worldwide.

Intellexa reaches quite far, with Predator spyware said to be used by state-sponsored actors and governments in a majority of countries around the world, including such ones as Egypt, Indonesia, Saudi Arabia, and the Philippines. According to recent reports, while US sanctions did seem to place a brake on its sales and adoption, they were unable to halt the spyware so entirely that it was at all times held in check. Instead, researchers found that Predator continues to rebound. New clients include government officials and representatives from Angola, Madagascar, and the Democratic Republic of Congo.

More recently, Google disclosed that the Russian government was also using the vulnerabilities created by Intellexa, sending concerns about the company's activities flying across the globe.

While there are many moves in the plan, U.S. sanctions against the government are part of it. Several companies already received the axe, while the State Department banned the visas of those individuals who have been linked to the misuse of spyware. Such is the case for Israeli firms, like the NSO Group, a manufacturer of notorious Pegasus spyware, blacklisted last 2021.

In the near future, the U.S. will, at the UN General Assembly, host a high-level meeting intended to bring more countries on board to fight misuse of commercial spyware. The officials believe that sanctions imposed so far already challenge Intellexa to move money and conduct its business.

A Warning to Spyware Vendors

According to the U.S. Treasury, sanctions represent an undoubtedly clear message of consequences not just for the likes of Intellexa spyware vendors but for the corporate structures or shell companies that may wrap up their operations no matter how deep. The efforts help comprise both the prevention of exploitative technologies and the promotion of responsible development in cybersecurity solutions that follow international standards.

As the U.S. moves to increase its restrictions on spyware, a rising call to reconsider involvement in these businesses has been made for companies operating in that area. Experts believe that skilled cyber professionals have shunned the spyware business to avoid possible legal and financial implications.




Read more »
Spyware
Cyber Security Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Malicious Attacks Spyware

Digital Dictatorship: The Dangers of Unchecked Spyware

 


The Pegasus scandal broke into the public eye three years ago and has been widely reported in the media ever since. Yet, the surveillance industry has not been fixed. On the contrary, the spyware problem seems to worsen as time passes. 

In light of these issues, civil society organizations and business organizations have written an open letter on Tuesday, September 3 encouraging European regulators to take more decisive action to combat the threats posed by the overuse of spyware to fight the dangers it brings. In the opinion of the experts, it is a non-negotiable issue - the EU Commission needs to come up with a legal framework that includes "a ban on the manufacturing, exporting, selling, importing, acquiring, transferring, servicing, and using of spyware inside the EU." 

There is a loose definition of spyware in computer science, but it is generally considered to be malicious software that enters a user's computer, gathers data about them, and relays that data to a third party without their knowledge or consent. Additionally, there are legitimate software programs, such as consumer monitoring software, that collect and use information from user's computers to provide users with advertisements that are relevant to them 

It is however worth noting that malicious spyware is specifically designed to take advantage of the theft of personal information to make money. There is no doubt that spyware can gather and collect private data, which leaves them open to data breaches and the misuse of their personal information, regardless of whether the person using their information is legitimate or not. The result of spyware campaigns is that devices and networks are slower, delaying daily user activities and resulting in increased costs. 

Understanding the way spyware works is an important part of preventing issues when using it in both business and personal settings. A crucial aspect of spyware which makes it so dangerous is the fact that it can be very difficult to detect, yet pretty easy to inject. This fact makes it one of the key strengths of spyware. 

This is an excellent example of a zero-click attack, called Pegasus since users can harvest it without leaving a trace on any device that becomes infected. There is no security software, not even the best VPN or antivirus apps, that can fully protect users against this growing threat, which makes it impossible for their use alone to be helpful. In the future, it would be reasonable to argue that spyware may one day be one of the most crucial tools available to governments for the purpose of national security. 

As of yet, however, there has been a longer list of authorities that have abused the accessibility of the service. A report claims that Mexico became the first organization to purchase the Israeli cyber-intelligence firm NSO Group's powerful technology in 2011 to support the country's fight against narco-trafficking to help the country combat the drug problem. According to the investigative team of Pegasus, more than a dozen Mexican journalists and activists had their phones found to be infected with the virus in 2017. 

It is believed that over 50,000 phones all over the world were compromised during the Pandora's box incident in 2021. The phone that belonged to the journalist Jamal Khashoggi, who was assassinated inside the Saudi Arabian consulate in Istanbul in 2018, is one of the ones included in these records. In the course of the investigation, it was revealed that over 46 countries around the world bought this very intrusive tool, including at least 14 different nations in the European Union. 

In a new investigation into the use of so-called Predator spyware a few years later, a more in-depth analysis showed that the EU spyware problem is worse than originally thought. It is most likely because the tool was not just used across the EU as a spying tool for journalists, politicians, and activists, but because it was developed, distributed, and exported by EU-based firms based in France, Ireland, and Greece, most of which operate in at least 25 countries around the world.  

Its hard to comprehend how the spy industry is still allowed to function as one of the most lucrative fields of business today. It seems that even Google is concerned that this outbreak of information warfare could pose a threat to free speech, free press, and the integrity of elections throughout the world.  As an example, many companies are turning to what is known as bossware to improve the monitoring of their remote workers in an effort to make sure they are on top of things.

Work productivity monitoring applications, though legal in many countries, raise significant concerns regarding the potential for abuse. These tools, originally designed to track employee performance, have also opened the door to misuse. While the specific regulations around such software vary depending on jurisdiction, the risk of unethical usage persists across the board.

Particularly alarming is the potential for these applications to be weaponized by malicious actors, including hackers, stalkers, and even criminals. The accessibility of these technologies, which often do not require extensive technical knowledge to operate, leaves many individuals exposed to cyber threats. In more personal contexts, such as domestic abuse, an abusive partner could use such an app to exert control, spy on communications, or track movements, further exacerbating the dangers of spyware.

This growing concern is reflected in recent statistics. A study by the security firm Avast reported a staggering 329% increase in mobile stalkerware usage since 2020. Such figures highlight the expanding threat posed by spyware, not only in corporate environments but also in everyday life.

Further complicating matters is the blurred line between the use of spyware by governments and its regulation. The New York Times recently conducted an investigation revealing that, although the Biden administration has officially banned the use of hacking tools created by the Israeli firm NSO, there remain ongoing efforts by U.S. authorities to find a legal avenue for their utilization. This suggests that while some forms of spyware are deemed unacceptable for certain uses, governments may still be inclined to leverage them under particular circumstances, thereby setting a complex precedent for how these tools should be governed.

The international community has begun addressing this issue. On February 6, 2024, the United Kingdom and France spearheaded an international agreement aimed at curbing the human rights abuses associated with spyware. This joint effort seeks to establish policies that regulate the deployment of intrusive cyber tools in a manner that is both legal and responsible. However, despite these efforts, skepticism remains about whether such regulations will be sufficient to prevent the harm caused by spyware.

In 2022, the European Data Protection Supervisor (EDPS) raised significant concerns about the impact of modern spyware on individual privacy. The EDPS emphasized that the unprecedented level of intrusiveness offered by such technology "threatens the essence of the right to privacy" due to its ability to infiltrate the most intimate aspects of daily life. In their view, the use of spyware is fundamentally incompatible with European Union (EU) law, further underscoring the challenges of regulating this highly invasive technology.

The most effective way to manage the threat of spyware is through prevention. However, avoiding spyware installation isn't always straightforward. Cybercriminals can exploit vulnerabilities in even trusted websites, allowing them to infect a user's computer without any interaction. In such scenarios, relying solely on avoiding suspicious downloads or attachments is insufficient protection.

To safeguard against spyware, individuals are advised to use robust internet security solutions that include reliable antivirus and antimalware detection features. In addition to standard protection, these solutions should offer proactive defences, such as real-time monitoring and detection of potential threats. For users whose systems have already been compromised, many security providers offer specialized spyware removal utilities, designed to identify and eliminate spyware from infected devices. It is crucial, however, to ensure that these utilities are obtained from reputable security providers, as some fraudulent software tools masquerade as spyware removal programs while actually embedding spyware themselves.

While several free antivirus options are available, it is important to recognize their limitations. A free trial can be useful for assessing a product's capabilities, but for comprehensive protection, especially against spyware, users should consider investing in a full-featured internet security suite. Features like virtual encrypted keyboards for securely entering financial information, strong anti-spam filters, and cloud-based detection systems can provide critical layers of defence, reducing the risks posed by spyware schemes.

At end, while productivity monitoring apps and spyware can serve legitimate purposes, their potential for abuse, combined with their increasing use, underscores the need for stringent regulation, heightened awareness, and proactive security measures to protect against both corporate misuse and individual harm.
Read more »
Trojan
CVE-2024-38213 Cyber Security CyberCrime DarkGate operators Microsoft security patch Ransomware SmartScreen vulnerability Spyware Trojan

Microsoft Patches Critical SmartScreen Vulnerability Exploited by Attackers

 


Microsoft's SmartScreen feature, a cornerstone of Windows security, faced a significant setback when a critical vulnerability, CVE-2024-38213, was exploited by cybercriminals. This vulnerability allowed attackers to circumvent SmartScreen's protective mechanisms and deliver malicious code to unsuspecting users.

The vulnerability exploited a weakness in SmartScreen's ability to identify and block potentially harmful files. By exploiting this flaw, attackers were able to disguise malware as legitimate software, tricking users into downloading and executing harmful files. This deceptive tactic, known as social engineering, is a common strategy employed by cybercriminals.

The consequences of this breach were severe. Cybercriminals were able to deploy various types of malware, including ransomware, spyware, and trojans. These malicious payloads could steal sensitive data, encrypt files for ransom, or even take control of infected systems. The potential impact on individuals and organizations was significant, ranging from financial loss to data breaches and disruption of critical operations.

Several threat groups were implicated in the exploitation of CVE-2024-38213. Notable among them were the DarkGate operators, who used the vulnerability to distribute malware through copy-and-paste operations. These attackers often targeted popular software, such as Apple iTunes, Notion, and NVIDIA, to lure victims into downloading malicious files.

Upon discovering the vulnerability, Microsoft's security teams worked diligently to develop a patch to address the issue. The patch was included in the June 2024 Patch Tuesday update. However, the company initially failed to provide a public advisory, leaving users unaware of the potential threat. This oversight highlighted the importance of timely communication and proactive security measures.

The exploitation of CVE-2024-38213 serves as a stark reminder of the constant threat posed by cybercriminals. It underscores the need for robust security measures, both at the individual and organizational level. Users must remain vigilant, exercise caution when downloading files, and keep their systems up-to-date with the latest security patches.

For organizations, the incident emphasizes the importance of a comprehensive security strategy that includes vulnerability management, incident response planning, and employee training. By investing in these areas, businesses can better protect themselves against cyber threats and minimize the potential damage from successful attacks.

As the cyber threat landscape continues to evolve, it is essential for both individuals and organizations to stay informed about emerging threats and best practices for cybersecurity. By working together, we can help create a safer digital environment for everyone.

Read more »
Spyware
Data Data Safety malware Safety Security Spyware

Report: Spyware Maker's Data Leak Exposes Malware Used on Windows, Mac, Android, and Chromebook Devices

A Minnesota-based spyware company has been hacked, exposing thousands of devices worldwide under its covert surveillance, TechCrunch has learned.

A source familiar with the breach provided TechCrunch with files from the company’s servers, detailing device activity logs from phones, tablets, and computers monitored by Spytech. Some files date back to early June. TechCrunch confirmed the authenticity of the data by analyzing logs, including those from the company's CEO, who installed the spyware on his own device.

The leaked data reveals that Spytech's software, including Realtime-Spy and SpyAgent, has compromised over 10,000 devices since 2013. These include Android devices, Chromebooks, Macs, and Windows PCs globally.

Spytech is the latest in a series of spyware makers hacked in recent years, being the fourth this year alone, according to TechCrunch.

When contacted, Spytech CEO Nathan Polencheck stated that TechCrunch's email was the first he had heard of the breach and that he was investigating the situation.

Spytech produces remote access applications, often labeled as "stalkerware," marketed for parental control but also advertised for spousal surveillance. Monitoring activities of children or employees is legal, but unauthorized monitoring of a device is illegal, leading to prosecutions for both spyware sellers and users.

Stalkerware apps are typically installed by someone with physical access to the device and can remain hidden and difficult to detect. These apps transmit keystrokes, browsing history, device activity, and, for Android devices, location data to a dashboard controlled by the installer.

The breached data seen by TechCrunch includes activity logs for all devices under Spytech's control, mostly Windows PCs, with fewer Android devices, Macs, and Chromebooks. The logs were not encrypted.

TechCrunch analyzed location data from compromised Android phones and mapped the coordinates offline to protect victims' privacy. The data indicates Spytech's spyware monitors devices primarily in Europe and the United States, with other clusters in Africa, Asia, Australia, and the Middle East.

One record linked to Polencheck's administrator account includes the geolocation of his residence in Red Wing, Minnesota.

While the data contains sensitive information from individuals unaware their devices are monitored, there isn't enough identifiable information for TechCrunch to notify victims of the breach. Spytech’s CEO did not comment on whether the company plans to notify its customers or authorities as required by law.

Spytech has operated since at least 1998, remaining largely unnoticed until 2009, when an Ohio man was convicted of using its spyware to infect a children's hospital's systems, targeting his ex-partner's email. The spyware collected sensitive health information, leading to the sender's guilty plea for illegal interception of communications.

Recently, Spytech is the second U.S.-based spyware company to experience a data breach. In May, Michigan-based pcTattletale was hacked, leading to its shutdown and deletion of victim data without notifying affected individuals. Data breach notification service Have I Been Pwned later listed 138,000 pcTattletale customers as having signed up for the service.
Read more »
Spyware
Apple Cyber Security data security iPhone Hacks Mobile Hacking Mobile Spyware Pegasus Pegasus Spyware Spyware

Apple Alerts Pegasus-like Attack on Indian Activists and Leaders

 

On July 10, two individuals in India received alarming notifications from Apple, Inc. on their iPhones, indicating they were targeted by a “mercenary” attack. This type of spyware allows attackers to infiltrate personal devices, granting access to messages, photos, and the ability to activate the microphone and camera in real time. Apple had previously described these as “state-backed” attacks but revised the terminology in April. 

Iltija Mufti, political adviser and daughter of former Jammu and Kashmir Chief Minister Mehbooba Mufti, and Pushparaj Deshpande, founder of the Samruddha Bharat Foundation, reported receiving these alerts. Both Mufti and Deshpande confirmed to The Hindu that they had updated their phones and planned to have them forensically examined. A spokesperson for Apple in India did not provide an immediate comment. 

Although the alert did not specifically mention state involvement, it cited Pegasus spyware as an example. Pegasus, developed by the Israeli NSO Group Technologies, is exclusively sold to governments. The Indian government has not confirmed or denied using Pegasus and declined to participate in a Supreme Court-ordered probe into its deployment. This is the first instance in months where such spyware alerts have been issued. 

The last known occurrence was in October, when Apple devices belonging to Siddharth Varadarajan of The Wire and Anand Mangnale of the Organized Crime and Corruption Report Project received similar warnings. Forensic analysis later confirmed they were targeted using vulnerabilities exploited by Pegasus clients. Both Mufti and Deshpande criticized the Union government, accusing it of using Pegasus. Mufti stated on X (formerly Twitter), “BJP shamelessly snoops on women only because we refuse to toe their line,” while Deshpande highlighted the government’s misplaced priorities, focusing on deploying Pegasus rather than addressing India’s significant challenges. 

An international investigation in 2021 by the Forbidden Stories collective exposed widespread targeting of civil society organizations, opposition politicians, and journalists with Pegasus spyware. The Indian government denied illegal activity but did not clearly confirm or deny the use of Pegasus. Alleged targets included Rahul Gandhi, former Election Commissioner Ashok Lavasa, student activist Umar Khalid, Union Minister Ashwini Vaishnaw, the Dalai Lama’s entourage, and individuals implicated in the 2018 Bhima Koregaon violence.
Read more »
surveillance
APT Cyber Crime GuardZoo Spyware surveillance

Houthi-Aligned APT Targets Mideast Militaries With ‘GuardZoo’ Spyware


Since 2019, surveillance equipment deployed by a Yemeni Shia Islamist organization's partners has been used to target troops throughout the Middle East, according to a new study.

Surveillanceware Targeting Middle Eastern Militaries

A Houthi-aligned threat actor utilized GuardZoo malware to capture images, documents, and other files from compromised devices, according to Lookout researchers in a report released Tuesday.

According to unsecured command and control server logs, the majority of the approximately 450 victims were found in Yemen, Saudi Arabia, Egypt, and Oman, with a tiny number in the United Arab Emirates, Turkey, and Qatar.

The Houthis took possession of Yemen's capital city in 2014, sparking a civil conflict and hunger. According to human rights organizations, a contentious Saudi-led intervention in Yemen began in June 2019 and resulted in a wave of arbitrary arrests, torture, and enforced disappearances.

The Houthi-aligned threat actor was identified by "application lures, exfil data, targeting, and the C2 infrastructure location," according to the report.

The Origins

According to Lookout, the spying tool is named after a fragment of source code that persists on an infected device. In addition to collecting images and documents, the study stated that it can "coordinate data files related to marked locations, routes, and tracks," as well as identify an infected device's location, model, cellular service carrier, and Wi-Fi setup.

GuardZoo can also download and install "arbitrary applications on the device," implying it can offer more destructive abilities once the gadget is infected," according to the paper.

Technical Details

According to Lookout, the spyware has been detected primarily in military-themed applications, with distribution and infections originating primarily in WhatsApp, WhatsApp Business, and browser downloads. In a few other cases, victims were enticed by content with a religious-themed prayer app or an e-book theme.

Researchers initially found GuardZoo in October 2022. Lookout claims the tool is based on Dendroid RAT, a "commodity spyware" that has been in use for at least a decade.

Capabilities

After infecting a device, GuardZoo communicates to the command and control server and sends four commands to each new victim, including deactivating local logging and uploading metadata for all files.

"These extensions are related to maps, GPS and markings showing waypoints, routes and tracks," according to Lookout's findings.

GuardZoo's lures were originally general, but they've evolved to include military themes with titles like "Constitution Of The Armed Forces" and "Restructuring Of The New Armed Forces." Military apps used as a lure featured emblems from numerous Middle Eastern countries, including Yemen and Saudi Arabia.

Operational Impact

After infecting a device, GuardZoo communicates to the command and control server and sends four commands to each new victim, including deactivating local logging and uploading metadata for all files.

"These extensions are related to maps, GPS and markings showing waypoints, routes and tracks," according to Lookout's findings.

GuardZoo's lures were originally general, but they've evolved to include military themes with titles like "Constitution Of The Armed Forces" and "Restructuring Of The New Armed Forces." Military apps used as a lure featured emblems from numerous Middle Eastern countries, including Yemen and Saudi Arabia.
Read more »
User Security
Apple MacOS Data Privacy Info Stealer malware Spyware User Security

New Cuckoo Malware Targeting macOS Users to Steal Sensitive Data

 

Cybersecurity experts have identified a new information stealer targeting Apple macOS computers that is intended to establish persistence on compromised hosts and function as spyware.

Kandji's malware, dubbed Cuckoo, is a universal Mach-O binary that can execute on both Intel and Arm Macs. The exact distribution vector is currently unknown, but there are indications that the binary is hosted on sites such as dumpmedia[.]com, tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, which claim to provide free and paid versions of applications for ripping music from streaming services and converting it to MP3 format. 

The disk image file downloaded from the websites is responsible for spawning a bash shell to collect host data and ensuring that infected machines are not located in Armenia, Belarus, Kazakhstan, Russia, Ukraine.

The malicious binary is executed only if the locale check is successful. It also achieves persistence through the use of a LaunchAgent, a strategy previously employed by other malware families such as RustBucket, XLoader, JaskaGO, and a macOS backdoor that bears similarities with ZuRu.

Cuckoo, like the MacStealer macOS stealer malware, uses osascript to create a fake password prompt, luring users into entering their system passwords for privilege escalation. "This malware queries for specific files associated with specific applications, in an attempt to gather as much information as possible from the system," researchers Adam Kohler and Christopher Lopez stated. 

It can execute a sequence of commands to gather hardware data, capture currently running processes, search for installed apps, take screenshots, and collect data from iCloud Keychain, Apple Notes, web browsers, cryptocurrency wallets, and apps such as Discord, FileZilla, Steam, and Telegram. 

"Each malicious application contains another application bundle within the resource directory," the researchers added. "All of those bundles (except those hosted on fonedog[.]com) are signed and have a valid Developer ID of Yian Technology Shenzhen Co., Ltd (VRBJ4VRP).” 

The news comes nearly a month after Apple's device management company revealed another stealer spyware called CloudChat, which masquerades as a privacy-oriented messaging programme and can compromise macOS users whose IP addresses do not geolocate to China. The spyware harvests cryptocurrency private keys transferred to the clipboard as well as data linked with wallet extensions installed in Google Chrome.
Read more »
Subscribe to: Posts (Atom)