Introduction
We have a full house today, meaning we are going to review seven articles (it's been a while since we've had seven articles to review!). Unlike most of the articles that we review, we have two deep-dive research pieces in this edition. One is about reverse engineering the iOS 18 Inactivity Reboot, and the other is what's dubbed the first-of-its-kind Linux bootkit.
And the others, well, you should not be surprised: malware, phishing, and a backdoor. The latter cost some of the affected parties a lot of money.
Well, I think that's it for the introduction. Or maybe I missed something? I don't know. Let's get on with it.
Reverse Engineering iOS 18 Inactivity Reboot
First, it's a long read. Second, it's an interesting long read. Why include it? Because someone took the time to do this, and that is commendable. The feature in question, Inactivity Reboot, is, as the author concludes, a good security feature that protects your data from thieves in case of theft (provided that your iPhone is updated).
Meanwhile, law enforcement will have to adjust their processes to get any data out of the iPhone within the timeframe before it reboots.
Here is a key highlight from the article:
The time measurement and triggering of the reboot is in the SEP, which communicates with the SEPKeyStore kernel extension to perform the reboot. Likely, using an external time source provided over the Internet or cellular networks to tamper with timekeeping will not influence the 3-day timer.
Security-wise, this is a very powerful mitigation. An attacker must have kernel code execution to prevent an inactivity reboot. This means that a forensic analyst might be able to delay the reboot for the actual data extraction, but the initial exploit must be run within the first three days.
Bootkitty: Analyzing the first UEFI bootkit for Linux
Boot and Kitty. A nice combination for security research. Turns out, it's a PoC from cybersecurity students in South Korea who are participating in a training program called Best of the Best (BoB). This shows us what's possible and that bootkits can also target Linux, not just Windows.
Like the previously reviewed article, this is also a long read. The excerpt below should be enough as a TL;DR for you.
Bootkitty currently supports only a limited number of systems. The reason is that to find the functions it wants to modify in memory, it uses hardcoded byte patterns.
While byte-pattern matching is a common technique when it comes to bootkits, the authors didn’t use the best patterns for covering multiple kernel or GRUB versions; therefore, the bootkit is fully functional only for a limited number of configurations.
SpyLoan Android malware on Google Play installed 8 million times
Eight million installations is quite a lot for malware on Google Play. I mean, how did it get through security checks? What's more, the malware targets specific countries like Mexico, Indonesia, and Senegal.
Reading the article, it's evident that the individuals behind this campaign are exploiting human hastiness. I mean, it might take a while for you to get a loan; however, they promise a fast-track approach. Anyone who needs money fast can fall for such an app. Nonetheless, stay safe and, most importantly, stay calm.
The following is an excerpt from the article:
Once the victims install those apps, they are validated via a one-time password (OTP) to ensure they're based in the target region. Then they are requested to submit sensitive identification documents, employee information, and banking account data.
Additionally, the apps misuse their permissions on the device to collect extensive sensitive data, including access to the user's contact lists, SMS, camera, call log, and location, to use in the extortion process.
Novel phishing campaign uses corrupted Word documents to evade security
When I read the article's title, I am, once again, left speechless by the ingenuity cybercriminals will resort to just to compromise your computer system or trick you into handing over your login credentials. I mean, a corrupted Word document? Who would think it's malicious? Most will innocently recover the file, thinking it's a mistake on their part.
Here is an excerpt from the article:
These phishing documents are corrupted in such a way that they are easily recoverable, displaying a document that tells the target to scan a QR code to retrieve a document.
Scanning the QR code will bring the user to a phishing site that pretends to be a Microsoft login, attempting to steal the user's credentials.
While the ultimate goal of this phishing attack is nothing new, its use of corrupted Word documents is a novel tactic used to evade detection.
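The excerpt describes documents that are deliberately broken so that security scanners fail to parse them while Word's recovery still renders the lure. A defender-side triage check for that pattern, as an added example that is not from the article or any vendor's tool: a .docx is a ZIP container, so an attachment with a Word extension whose archive is truncated or whose members fail their CRC check is exactly the kind of file that should be quarantined for manual review rather than passed through because "nothing parsed". The sample attachment bytes below are constructed in-memory; the corruptions applied to them (truncation and a single flipped byte) are assumptions made for illustration.

```python
import io
import zipfile

SAMPLE_TEXT = b"<w:document>constructed sample body</w:document>"


def build_sample_docx() -> bytes:
    """Build a minimal, well-formed .docx-style ZIP entirely in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>", compress_type=zipfile.ZIP_DEFLATED)
        # Stored (uncompressed) so the body bytes are literally present and easy to tamper with below.
        zf.writestr("word/document.xml", SAMPLE_TEXT, compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


def truncate(data: bytes) -> bytes:
    """Simulate a file cut off mid-way: the end-of-central-directory record is lost."""
    return data[: len(data) // 2]


def flip_byte_in_body(data: bytes) -> bytes:
    """Simulate in-place damage: one byte of a member's payload changed, so its CRC no longer matches."""
    idx = data.find(SAMPLE_TEXT)
    assert idx >= 0, "constructed body not found (only meaningful for the stored member)"
    return data[:idx] + b"X" + data[idx + 1 :]


def triage_docx(data: bytes) -> str:
    """Classify bytes that arrived with a Word (.docx) extension.

    Returns one of:
      'not-a-zip'        - no ZIP local-header signature at all
      'corrupt-archive'  - central directory missing/unreadable (e.g. truncated upload)
      'corrupt-member'   - archive structure is readable but a member fails its CRC
      'not-docx'         - valid ZIP but missing the mandatory Office Open XML parts
      'ok'               - structurally sound container
    Anything other than 'ok' is a candidate for quarantine, not for silent pass-through.
    """
    if not data.startswith(b"PK\x03\x04"):
        return "not-a-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            first_bad = zf.testzip()  # None when every member's CRC verifies
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "corrupt-archive"
    if first_bad is not None:
        return "corrupt-member"
    if "[Content_Types].xml" not in names or "word/document.xml" not in names:
        return "not-docx"
    return "ok"


def triage_attachments(attachments: dict) -> dict:
    """Run the check over a {filename: bytes} mapping and return {filename: verdict}."""
    return {name: triage_docx(blob) for name, blob in attachments.items()}


if __name__ == "__main__":
    good = build_sample_docx()
    # Constructed mail queue: one clean file and three suspicious ones.
    queue = {
        "invoice.docx": good,
        "invoice_cut.docx": truncate(good),
        "invoice_damaged.docx": flip_byte_in_body(good),
        "notes.docx": b"plain text pretending to be a document",
    }
    for name, verdict in triage_attachments(queue).items():
        print(f"{name:22s} -> {verdict}")
```

Only the 'ok' verdict means the container is internally consistent; the other verdicts are the signal the excerpt is about, a document that a parser gives up on but that a user may still "recover" and open.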
Solana Web3.js Library Backdoored in Supply Chain Attack
Attacks like this are mostly financially motivated, and this one is no exception. Based on the report from Ars Technica, whoever was behind this attack drained about 155 thousand US dollars from the affected wallets.
Here is how it all happened. Take note that the "Tuesday" mentioned in the excerpt below is December 2, 2024.
The incident was disclosed on Tuesday, after two malicious versions of the library were available for download for roughly five hours through the official repository.
The backdoored iterations, namely versions 1.95.6 and 1.95.7, contained code that allowed the attackers to steal private key material and drain funds from dapps, the project’s maintainers noted in web3.js 1.95.8 release notes.
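The two affected versions are named in the excerpt, so the first thing a project depending on @solana/web3.js should do is confirm whether either of them is pinned anywhere in its dependency tree, including transitively. The following is an added example, not code from the project or the article: it walks an npm lockfile in both the modern (lockfileVersion 2/3, flat "packages" map) and legacy (lockfileVersion 1, nested "dependencies") layouts and reports every install path that resolves to 1.95.6 or 1.95.7. The lockfiles below are constructed samples; the package names other than @solana/web3.js are made up for illustration.

```python
import json

PACKAGE = "@solana/web3.js"
AFFECTED = {"1.95.6", "1.95.7"}   # versions named in the web3.js 1.95.8 release notes
FIXED = "1.95.8"


def _walk_v1(deps: dict, prefix: str, hits: list) -> None:
    """Recurse through a lockfileVersion 1 'dependencies' tree, recording affected installs."""
    for name, info in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        if name == PACKAGE and info.get("version") in AFFECTED:
            hits.append((path, info["version"]))
        _walk_v1(info.get("dependencies"), path + "/", hits)


def find_backdoored(lock: dict) -> list:
    """Return sorted (install_path, version) pairs for every affected copy of the package."""
    hits = []
    if "packages" in lock:  # lockfileVersion 2/3: one flat map keyed by install path
        for path, info in lock["packages"].items():
            if path.endswith("node_modules/" + PACKAGE) and info.get("version") in AFFECTED:
                hits.append((path, info["version"]))
    else:  # lockfileVersion 1: nested tree
        _walk_v1(lock.get("dependencies"), "", hits)
    return sorted(hits)


def advice(lock: dict) -> str:
    """One-line verdict suitable for a CI log."""
    hits = find_backdoored(lock)
    if not hits:
        return f"clean: no affected {PACKAGE} versions found"
    where = ", ".join(f"{p} ({v})" for p, v in hits)
    return f"ACTION REQUIRED: {where}; upgrade to {FIXED} and rotate any keys handled by this code"


# Constructed lockfileVersion 3 sample: a direct affected dependency plus a safe nested copy.
SAMPLE_LOCK_V3 = json.loads("""
{
  "name": "constructed-dapp",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "constructed-dapp", "version": "0.0.1"},
    "node_modules/@solana/web3.js": {"version": "1.95.7"},
    "node_modules/constructed-wallet-adapter": {"version": "2.0.0"},
    "node_modules/constructed-wallet-adapter/node_modules/@solana/web3.js": {"version": "1.95.5"}
  }
}
""")

# Constructed lockfileVersion 1 sample: the affected version only appears transitively.
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "constructed-lib": {
            "version": "1.0.0",
            "dependencies": {"@solana/web3.js": {"version": "1.95.6"}},
        }
    },
}

if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        print(label, "->", advice(lock))
```

The check deliberately matches on the install path suffix rather than a top-level key only, because a vulnerable copy pulled in by another library would otherwise be missed; the excerpt's point that private key material was exfiltrated is also why the advice string mentions rotating keys, not just upgrading.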
New DroidBot Android malware targets 77 banking, crypto apps
I marvel at developers who sit down and code applications that can destroy people's lives. Imagine this malware stealing a victim's entire life savings or retirement money. The effect is unthinkable.
The malware itself is offered as a $3,000/month Malware-as-a-Service (MaaS), and its authors provide "affiliates" with the tools to carry out attacks.
Here is an excerpt from the article:
A key aspect of DroidBot's operation is the abuse of Android's Accessibility Services to monitor user actions and simulate swipes and taps on behalf of the malware. Therefore, if you install an app that requests strange permissions, like the Accessibility Services, you should immediately become suspicious and deny the request.
$1 phone scanner finds seven Pegasus spyware infections
Most in the cybersecurity world will know Pegasus, no doubt. Contrary to the popular belief that Pegasus spyware is used only against journalists and activists, this article shows otherwise. The victims include business leaders and people working in government.
Here is an excerpt from the article:
Seven out of 2,500 scans may sound like a small group, especially in the somewhat self-selecting customer base of iVerify users, whether paying or free, who want to be monitoring their mobile device security at all, much less checking specifically for spyware.
But the fact that the tool has already found a handful of infections at all speaks to how widely the use of spyware has proliferated around the world.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.