FluBot is distributed via SMS and can eavesdrop on incoming notifications, initiate calls, read or write SMSes, and transmit the victim’s contact list to its control center. It infects Android devices by posing as FedEx, DHL, Correos, and Chrome applications and forces the unsuspecting user to change the device’s Accessibility settings so as to maintain persistence. It leverages fake login screens of prominent banks: once the user enters their login details on these phony pages, the data is immediately sent to the malware operator’s control center, where the operators can readily exploit it. It intercepts all banking-related OTPs by replacing the default SMS app on the targeted device, and thus receives access keys sent via SMS. Furthermore, it sends similar SMSes to the contacts on the target device to lure them into downloading the fake app.
A total of 19 Android applications that posed as utility apps and system tools, such as password managers, money managers, app launchers, and data-saving apps, have been reported to contain the rooting functionality of the malware. The apps are said to have been prominently distributed via third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as lesser-known marketplaces like Aptoide and APKPure. The apps include All Passwords, Anti-ads Browser, Data Saver, Lite Launcher, My Phone, Night Light, Phone Plus, etc.
Rooting malware, although rare, is very dangerous. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction. Elevated privileges also give the malware access to other apps' sensitive data, something not possible under normal circumstances.
Lyceum's initial attack vectors include credential stuffing and brute-force attacks. Once a victim’s system is compromised, the attackers conduct surveillance on specific targets. In this attack, Lyceum attempts to deploy two different kinds of malware: Shark and Milan (known together as James). Both are backdoors: Shark, a 32-bit executable written in C# and .NET, generates a configuration file for DNS tunneling or HTTP C2 communications, whereas Milan, a 32-bit Remote Access Trojan (RAT), retrieves data. Both are able to communicate with the group's command-and-control (C2) servers. The APT maintains a C2 server network that connects to the group's backdoors, consisting of over 20 domains, including six that were previously not associated with the threat actors.
Rootkits are a type of malware designed to remain undetected on your computer; even if you don't notice them, they are there to allow cybercriminals to remotely control your computer. Most rootkits open a backdoor on victims' systems to introduce malicious software, including viruses, ransomware, keyloggers or other types of malware, or to use the system for further network security attacks. Rootkits often attempt to prevent detection of malicious software by deactivating endpoint anti-malware and antivirus software. Rootkits can include a variety of tools, from programs that allow hackers to steal your passwords to modules that make it simple for them to steal your credit card or online banking information. Rootkits can also enable hackers to circumvent or disable security software and track the keys you press on your keyboard, making it easier for criminals to steal your personally identifiable information (PII).
Rootkits are installed through the same common vectors as any malicious software, including email phishing campaigns, malicious executable files, crafted malicious PDF or Microsoft Word documents, connecting to compromised shared drives, or downloading rootkit-infected software from unsafe websites. You may open an email and download a file that appears to be safe but is in fact a virus. You could also unintentionally download a rootkit via an infected mobile app.
This type of vulnerability involves gaining unauthorized access to elevated rights or privileges that the user is not intended or entitled to have. The "InstallerFileTakeOver" proof-of-concept (PoC) exploit replaces any executable file on the system with an MSI installer file by overwriting the discretionary access control list (DACL) of the Microsoft Edge Elevation Service, allowing an attacker to run code with SYSTEM privileges. An attacker with administrative privileges could then exploit the vulnerability to gain complete control of the compromised system. SYSTEM privileges are the highest user rights available to a Windows user and make it possible to perform any operating system command.
Log4j is a widely used open-source logging library for Java applications. It provides additional logging capabilities, such as log levels (fatal, error, warn, etc.), mechanisms to write to different log files, log rolling patterns, and more. The critical remote code execution (RCE) vulnerability discovered in Log4j affects versions 2.0-beta9 through 2.14.1. It allows a remote, unauthenticated actor to execute arbitrary code on an affected device. Because of the Log4j library’s widespread use in popular frameworks, many third-party apps may also be vulnerable to exploitation. In addition, Log4j is often used in enterprise Java software and is included in several Apache frameworks, including but not limited to Apache Struts2, Apache Solr, Apache Druid, Apache Flink and Apache Swift. Other Java frameworks also include it in their libraries, including but not limited to Netty, MyBatis and the Spring Framework.
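Because the affected range above starts at a pre-release tag (2.0-beta9) and ends at a patch release (2.14.1), a plain string comparison of version numbers gets the boundaries wrong. The following is an added example (not code from the original text or from the Log4j project) of an inventory check that parses Log4j 2 version strings, including alpha/beta/rc tags, and flags log4j-core jar files whose version falls inside the range the text gives. The jar file names in SAMPLE_JARS are constructed for the example.

```python
import re

# Affected range as stated in the text: 2.0-beta9 through 2.14.1, inclusive.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"

# major.minor[.patch][-alpha|beta|rcN]; Log4j 2 used this scheme for its releases.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE
)
# Jar naming assumed for the example: log4j-core-<version>.jar
_JAR_RE = re.compile(r"^log4j-core-(.+)\.jar$")


def parse_version(text):
    """Parse a Log4j 2 version string into a tuple that sorts correctly.

    Pre-release tags sort before the final release of the same number,
    so 2.0-beta9 < 2.0-rc1 < 2.0, and 2.14.1 < 2.15.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    pre_rank = {"alpha": 0, "beta": 1, "rc": 2}
    # Final releases get rank 3 so they sort after any pre-release tag.
    pre = (pre_rank[tag.lower()], int(tag_num)) if tag else (3, 0)
    return (int(major), int(minor), int(patch or 0), *pre)


def is_affected(version):
    """True if the version lies in the affected range given in the text."""
    v = parse_version(version)
    return parse_version(AFFECTED_LOW) <= v <= parse_version(AFFECTED_HIGH)


def affected_jars(filenames):
    """Return the log4j-core jar names whose version is in the affected range.

    Other jars (log4j-api, Log4j 1.x) do not match the name pattern and are
    left out; the text's range concerns Log4j 2 only.
    """
    hits = []
    for name in filenames:
        m = _JAR_RE.match(name)
        if m and is_affected(m.group(1)):
            hits.append(name)
    return hits


# Constructed sample inventory, e.g. collected from a classpath listing.
SAMPLE_JARS = [
    "log4j-core-2.14.1.jar",   # last affected release
    "log4j-core-2.0-beta9.jar",  # first affected pre-release
    "log4j-core-2.0-beta8.jar",  # just below the range
    "log4j-core-2.15.0.jar",   # above the range given in the text
    "log4j-api-2.14.1.jar",    # API jar, not matched
    "log4j-1.2.17.jar",        # Log4j 1.x, not matched
]

if __name__ == "__main__":
    for jar in affected_jars(SAMPLE_JARS):
        print("affected:", jar)
```

Run against a real classpath or artifact listing, the same check gives a first-pass list of deployments to upgrade; it does not replace checking bundled or shaded copies of the library inside larger application archives.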