Cyware Daily Threat Intelligence, December 03, 2019


Distributing malware through legitimate-looking fake apps and software has always been a go-to attack vector for threat actors. In the past 24 hours, security experts came across two cybersecurity incidents that involved the distribution of spyware and an information-stealing trojan. While the spyware, called CallerSpy, was disseminated through apps like ‘Chatrious’ and ‘Apex App,’ the information-stealing trojan used a fake PDF editing program dubbed ‘PDFreader’ for propagation.

Apart from malware attacks, the past 24 hours also saw a new vulnerability affecting 36 Android apps. Dubbed StrandHogg, the flaw is being actively abused in the wild. Once exploited, it allows malicious apps to impersonate legitimate apps and trick users into handing over sensitive information such as banking or login credentials via screen overlays. The pilfered data can include users’ private photos, GPS locations, contact lists, phone conversations, SMS messages, and phone logs.

Top Breaches Reported in the Last 24 Hours

Magecart attack
The website of American gunmaker Smith & Wesson was hacked late last month with an aim to steal customers’ payment card details. The attackers planted a payment skimmer on the website to capture personal and financial information entered by users on the checkout page. It is said that the attackers exploited a known Magento vulnerability to hack the website.

Tuft and Needle’s data breach
Mattress and bedding giant Tuft & Needle has exposed more than 236,400 shipping labels due to an unprotected Amazon Web Services storage bucket. The shipping labels included customers’ names, addresses, and phone numbers. The exposed labels were created between 2014 and 2017.

Top Malware Reported in the Last 24 Hours

AndroidOS_CallerSpy.HRX
A new spyware family called AndroidOS_CallerSpy.HRX has been found being distributed via Android apps. Initially, the malware was propagated through a chat app called ‘Chatrious.’ However, in October, the malware was disguised as a different app called ‘Apex.’ The purpose of this spyware is to steal users’ personal information. It sets various scheduling jobs to collect call logs, SMSes, contacts, and files on the device.

Fake PDF editing program
Attackers are using a fake PDF editing program called ‘PDFreader’ to distribute an information-stealing trojan. The trojan is used to steal Facebook and Amazon session cookies as well as sensitive data from the Facebook Ads Manager.

PyXie RAT
PyXie RAT is a newly discovered Python-based trojan used in a sophisticated cybercriminal operation targeting healthcare and education organizations. The malware includes keylogging, credential harvesting, video recording, and cookie theft capabilities. It can also be used to perform MITM attacks.

Microsoft warns about spear phishing
Microsoft has issued a warning to alert organizations to the dangers of spear phishing attacks. Unlike traditional phishing campaigns, spear phishing is highly targeted and personal. These attacks are so targeted that they are sometimes referred to as ‘laser’ phishing. Such campaigns are focused on tech-savvy executives and other senior managers. Therefore, organizations should educate their workers to recognize phishing messages and the signs of a phishing email.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft OAuth 2.0’s flaw fixed
A vulnerability discovered in some OAuth 2.0 applications has been fixed by Microsoft. The flaw could allow an attacker to hijack Azure accounts. The issue arises when a Microsoft application goes through the OAuth 2.0 authorization flow on certain third-party domains and subdomains that are not registered by Microsoft.

StrandHogg vulnerability
Nearly 36 Android apps are impacted by a new vulnerability called StrandHogg. The vulnerability can be abused to let malicious apps hijack legitimate apps and perform malicious operations on their behalf. It can also be used to show fake login pages when a user taps on a legitimate application. The vulnerability has already been exploited in the wild by malware gangs.

DLL hijacking flaws
Several DLL hijacking flaws spotted in Kaspersky Secure Connection, Trend Micro Maximum Security, and Autodesk Desktop Application could be exploited by hackers for DLL preloading, code execution, and privilege escalation. Earlier, similar DLL hijacking flaws were found affecting security solutions from McAfee, Symantec, Avast, and Avira.

Top Scams Reported in the Last 24 Hours

NDB warns its customers
The New Development Bank (NDB) has warned its customers about an email scam that involves criminals posing as bank employees. The purpose of the scam is to defraud unsuspecting individuals. In a typical plot, scammers send users an email that appears to come from a bank or another trustworthy source and asks for personal information such as identity documents, driver’s licenses, passports, payslips, addresses, and contact details. Users have been urged to be cautious of unsolicited emails that ask them to share their personal information.


Posted on: December 03, 2019
