Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label spyware and malware. Show all posts

Pegasus: Spyware Attacks Targets Journalists and Activists

 

Phones of at least two journalists and a human life defender have been hacked and accessed with the Pegasus spyware, between 2019 and 2021 during the term of current President Andres Manuel Lopez Obrador, despite the government guaranteeing that it would no longer be using the spyware technology.
 
The findings were made at Citizen Lab, a digital watchdog group based at the University of Toronto’s Munk School of Global Affairs and Public Policy. It was detected that the spyware in fact belonged to Israel’s NSO Group. Reportedly, Pegasus broke into victims’ phones, providing the actors access to their devices, which were then traded with the government and law enforcement. 
 
President Lopez, in a statement made in 2021 said there was “no longer any relation” with Pegasus.  In addition, Mexico’s financial crime chief stated that the administration had not signed contracts with companies that procured the spyware.
 
“This new report definitively shows that Mexico’s President Andrés Manuel López Obrador can no longer hide behind blaming his predecessor for widespread use of Pegasus in Mexico [...] Mexican authorities must immediately and transparently investigate the use of Pegasus and other spyware to target journalists during his administration, as well as push for more regulations to end the use of this technology against the press once and for all,” stated CPJ’S Mexico representative, Jan-Albert Hootsen.
 
The President’s statement promising that the country would not use the spyware was followed by a dozen media organizations revealing that the phone numbers of at least 50 people linked to the Mexican president were leaked. These people, popularly known as Amlo, included his wife, children, and doctor, with their leaked database at the heart of the Pegasus Project, an investigation into NSO.
 
The phone of an anonymous journalist of an online outlet Animal Politico was infected by the spyware in 2021, Journalist Ricardo Raphael, a columnist at news magazine Proceso and newspaper Milenio Diario who was previously infected in 2016 and 2017, was attacked with Pegasus in October, and December 2019 and December 2020, at least three times. 

While Citizen Lab reported that the recent attacks differ in numerous ways from the previous ones, including the use of zero-click attacks instead of malicious e-mails and messages with an intention of tricking the targets into clicking on links, triggering the infections. 
 
In regards to the recent attacks, Citizen Lab stated, “These latest cases, which come years after the first revelations of problematic Pegasus targeting in Mexico, illustrate the abuse potential of mercenary spyware in a context of flawed public accountability and transparency. Even in the face of global scrutiny, domestic outcry, and a new administration that pledged to never use spyware, the targeting of journalists and human rights defenders with Pegasus spyware continued in Mexico.”

Every Tenth Stalking and Espionage Attack in the World is Directed at Android Users from Russia

 

According to analysts at ESET (an international developer of antivirus software headquartered in Slovakia), commercial developers who openly offer spyware to control spouses or children are gaining popularity. 

"ESET global telemetry data for the period from September to December 2021 shows an increase in spyware activity by more than 20%. At the same time, every tenth stalking and espionage attack in the world is directed at Android users from Russia," the company's press service reported. 

ESET threat researcher Lukas Stefanko reported that unwanted stalking software, according to him, in most cases is distributed by attackers through clones of legal applications downloaded from unofficial stores. 

Alexander Dvoryansky, Director of Special Projects at Angara Security, confirms that Android spyware is very common and continues to gain popularity. According to him, it is advantageous for attackers to develop malicious software for this operating system because of its widespread use. Android smartphones accounted for 84.5% of total device sales in 2021. 

According to Lucas Stefanko, it is not uncommon for stalker software to be installed on smartphones to track them in case they are stolen or lost. Despite Google's ban on advertising stalker apps, there are apps available on Google Play that are positioned as private detective or parental control tools. In 2018, the Supreme Court allowed the acquisition and use of spy equipment to ensure their own security, so the demand for software promoted as "monitoring one's mobile devices" has increased. But many install it covertly on the phones of relatives or employees for espionage. 

If the program is installed on the phone openly and with the consent of a person, then there will be nothing illegal in tracking geolocation, as well as obtaining other information, says lawyer KA Pen & Paper by Alexander Kharin. However, secretly installing a spyware program on a phone can result in a penalty of up to two years in prison, and for a developer, the term can be up to four years. But so far, criminal cases on the fact of stalking are rarely initiated. 

Earlier, CySecurity News reported that the exact location of any Russian on the black market can be found for about 130 dollars.

To Disseminate Malware, Hackers are Increasingly Relying on DaaS Platforms

 

According to cybersecurity specialists, malware authors are increasingly depending on dropper-as-a-service (DaaS) platforms to propagate their malicious inventions. Sophos recently published a report detailing the rise of DaaS platforms that infect victims who visit piracy websites in search of cracked versions of major business and consumer software. 

A dropper is a programme that, when run, executes malicious code as a payload. The dropper is similar to a trojan, and it may have additional functions, but its primary goal is to get malware onto a victim's computer, which can be downloaded over the internet or unpacked from data within the dropper.

A customer pays for a dropper-as-a-service to deliver their malware to these systems through droppers. Typically, the DaaS employs a network of websites to transmit droppers to victims' computers, which then install and execute the customer's malware. Droppers could be camouflaged as legitimate or cracked software that netizens are fooled into installing. 

“During our recent investigation into an ongoing Raccoon Stealer (an information-stealing malware) campaign, we found that the malware was being distributed by a network of websites acting as a “dropper as a service,” serving up a variety of other malware packages,” Sophos researchers Sean Gallagher, Yusuf Polat shared in a joint blog post. 

The Sophos duo, who were assisted by Anand Ajjan and Andrew Brandt, dubbed this part of the "malware-industrial complex," saying that such services made it "very inexpensive for would-be cybercriminals with limited expertise to get started" in the criminal underworld. For 1,000 virus installs using droppers, some of these firms charge as little as $2. 

The researchers point out that DaaS frequently bundles a variety of unrelated malware in a single dropper, including click-fraud bots, information stealers, and even ransomware.

The Raccoon Stealer campaign was not the only one that used DaaS, according to the researchers. Sophos continued to see more malware and other dangerous information transmitted over the same network of sites even after the campaign had stopped. “We discovered multiple networks using the same basic tactics in our research. All of these networks use search engine optimization to put a “bait” webpage on the first page of results for search engine queries seeking “crack” versions of a variety of software products,” said the researchers.

iPhones of Al Jazeera Journalists Being Snooped On Via Israeli Firm's Spyware

 

iPhones of around 36 Journalists at Al Jazeera news organisation have been hacked by nation-sponsored hackers who sent malware laden iMessages. The attackers who are suspected to be backed by the governments of the United Arab Emirates and Saudi Arabia, exploited a zero-day vulnerability in iMessage which was later fixed by Apple. 

In a technical report, experts have stated that the Journalists' iPhones were snooped on by attackers who employed NSO's Pegasus software to deploy spyware onto the iPhones of 36 journalists, executives and producers at the news agency, Al Jazeera. 

Pegasus is a modular malware developed by the Israeli firm NSO which is used for surveillance purposes and has also been linked to surveillance abuse at multiple occasions. The spyware allows hosts to remotely monitor and exploit devices. Reportedly, the attack took place invisibly and it didn't require the attackers to trick the victims into clicking on a malicious link – as opposed to conventional ways of deploying malware. 

While examining one of the victim's device, researchers discovered that spyware was deployed secretly through iMessage and was able to take images using iPhone's camera, access passwords, and victim's location. Besides, it's likely that the spyware was also recording phone calls and microphone.  

As per the researchers at Citizen Lab, a total of four operators belonging to Pegasus were observed to have assisted the hack. Two of the operators namely SNEAKY KESTREL and MONARCHY are suspected to be having links with the governments of Middle Eastern countries; to the UAE and Saudi Arabia, respectively.  

According to the reports by Citizen Lab, "In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked." 

"The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11." 

"We do not believe that KISMET works against iOS 14 and above, which includes new security protections. All iOS device owners should immediately update to the latest version of the operating system," the report further read.

Skygofree Malware: One of Most Advanced Spyware Ever Seen

Russian cybersecurity lab, Kaspersky, has found out a new advanced Android spyware having “never before seen” features that lets hackers carry out advanced surveillance on Android phones, such as location-based audio recording, WhatsApp message theft, and connecting an infected device to Wi-Fi networks controlled by cybercriminals.

The malware, dubbed as “Skygofree,” was reportedly found on malicious websites in Italy. According to Kaspersky, the malware is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares.

More information including, Skygofree's commands, indicators of compromise, domain addresses, and device models targeted, can be found in their blog post on Securelist.

The spyware functions by tricking the “Accessibility” feature present in Android to help users with disabilities access their apps. Using this, the spyware can read the messages displayed on the screen, even those sent by the user.

Skygofree is also capable of taking pictures and video, recording audio and noise according to the location specified by the hacker, record Skype conversations, seizing call records, geolocation data, and other sensitive data.

Kaspersky believes that, just like an earlier hack in 2015 by Hacking Team, an Italy-based spyware developer, Skygofree was also developed by Italians.

Skygofree has allegedly been active since 2014 and has been targeting select individuals, who are all from Italy. The spyware has been undergoing regular development since then and as many as 48 commands were found in the latest version.

#Eurograbber Campaign - Trojan steals $47 Million from 30k European Bank accounts

Eurograbber Banking Trojan

A highly sophisticated cybercriminal campaign , dubbed as "Eurograbber" , enabled criminals to steal more than $47 million (€36 million) from more than 30,000 bank accounts belong to corporate and individuals across Europe.

The finding comes from a case study published by Security firm Check Point and online fraud prevention solutions provider Verasafe .

According to the case study, the attack began in Italy, and soon after, tens of thousands of infected online bank customers were detected in Germany, Spain and Holland.

The campaign starts when a victim unknowingly clicks a malicious link in a spam email or possibly through general web surfing. Clicking on the link directs them to a site that attempts to drop the Banking Trojan - a malware that steals Bank login credentials.

The next time the victim logs in to their bank account , the Trojan intercepts the session and displays fake banking page that informs the customer of the “security upgrade” and instructs them on how to proceed.

The page recommend user to input their smartphone OS and phone number. Once victim gave the phone details, the Eurograbber Trojans sent SMS with a link to a fake "encryption software"- in fact, it is "Zeus in the mobile" (ZITMO) virus.

Once the Eurograbber are installed on the victims' PC and smartphone, the trojan lays dormant until the next time the customer accesses their bank account. When victim log in , immediately it transfers victim's money to criminals' account.

The Trojan then intercepts the confirmation text message sent by the bank, forwarding it to C&C server via a relay phone number. The server uses the message to confirm the transaction and withdraw the money.