Introduction
It's another week, and it's time for another review. Welcome everyone, I hope that you had a wonderful week, and you're looking forward to a great weekend.
In this week's edition, the articles that we'll review are about malware and phone security.
Let's begin.
Malicious PyPI package with 37,000 downloads steals AWS keys
Call me paranoid, but sometimes I am even worried when I am downloading apps from "official" sources, and this article is proof of that. Here, the attackers uploaded a typo-squatted version of a popular package, and it got thousands of downloads. To make it worse, it has been uploaded since, wait for it, 2021.
The following is how the malicious package works on Linux and Windows:
On Linux, it sets up a hidden directory at ‘~/.local/bin/vscode’ to store encoded shell scripts split into multiple files, which are retrieved from an external server (89.44.9[.]227).
On Windows, fabrice downloads an encoded payload (base64) that is a VBScript (p.vbs) created to launch a hidden Python script (d.py).
Hackers now use ZIP file concatenation to evade detection
Up until the time of writing, I have never heard of the term Zip file concatenation. This is my first time learning about it. The idea behind the attack is that the attackers create multiple zip files and hide malicious code in one of them.
The article contains more technical details and no excerpt will do justice to the information covered in the article. I encourage you to read it all.
Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware
To say the least, it is scary. The end goal? Harvesting user's personal information from clipboard to screen recording. The excerpt below is the starting point of the attack, like the previous article, I encourage you to read it all. Promise?
The starting point of the attack is a phishing email that uses purchase order-themed lures to convince recipients to open a Microsoft Excel attachment.
The malicious Excel document is designed to exploit a known remote code execution flaw in Office (CVE-2017-0199, CVSS score: 7.8) to download an HTML Application (HTA) file ("cookienetbookinetcahce.hta") from a remote server ("192.3.220[.]22") and launch it using mshta.exe.
Hackers use macOS extended file attributes to hide malicious code
It's fascinating the way humans come up with ways to use legitimate software for malicious purposes. The excerpt below is a summary of the attack and a possible attribution of the attacks.
The new technique is similar to how the Bundlore adware in 2020 hid its payloads in resource forks to hide payloads for macOS. It was discovered in a few malware samples in the wild by researchers at cybersecurity company Group-IB.
Based on their analysis and because they could not confirm any victims, the researchers attribute the samples to the North Korean threat actor Lazarus with moderate confidence. They believe that the attacker may be experimenting with a new malware delivery solution.
New Apple security feature reboots iPhones after 3 days, researchers confirm
It's an interesting read. But now that the story is out, authorities know that they have less than 72 hours to get into an iPhone before it reboots, making their job more difficult.
I refuse to give you an excerpt for this one. Go and read it. You'll learn a lot.
Fraud network uses 4,700 fake shopping sites to steal credit cards
If you're planning to shop on Black Friday, double-check the address bar and think twice before you enter your credit card details. You have been warned.
Here is why:
When users attempt to purchase from those sites, they are redirected to a payment page that prompts them to enter their credit/debit card number, expiration date, and CVV code. A phone number is also requested at the final step.
Apart from stealing the money for the order by abusing the Stripe service, the phishing kit also sends the entered card details to an attacker-controlled server.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.
Top comments (0)