Weekly Cyber Reports

This Week in Cyber 02nd August 2024

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 1st August, 2024



Analyst Insight


Over the past week we have seen a rise in threat actors targeting Android mobile devices: for example, the sophisticated Mandrake spyware, capable of covertly stealing device data, and the BingoMod malware, which drains bank accounts and then wipes the device to obscure evidence from any subsequent investigation. Threat actors favour mobile devices because of the amount of personal data held on them (bank accounts, authenticators, emails) and how valuable that data is.

It was also discovered this week that, earlier in the year, a $75 million ransom was paid out by a Fortune 50 company. This breaks the previous record of $40 million, paid in 2021 by a major U.S. insurance company; the average ransom is $2 million according to Sophos. Microsoft also experienced an outage on Tuesday, triggered by a DDoS attack that impacted all major Microsoft services.

 


New Mandrake Spyware Remains Undetected On Google App Store For Two Years


“Mandrake”, a sophisticated Android spyware found in five apps on the Google Play Store, evaded detection for two years. The malware collects information in several stages: it first gathers information about the device and then, if the victim is of interest, executes the main component, which is capable of advanced functionality such as enabling networking, remote access and gaining access to user accounts and credentials. This staged approach demonstrates a high level of expertise on the part of the attackers.

Not all users who installed the apps were targets. The attacker specifically targeted people in certain countries and demographics, indicating the financial and strategic motivation behind the malware. The affected apps, with their download counts, were:

 

  • AirFS (30,305)
  • Astro Explorer (718)
  • Amber (19)
  • CryptoPulsing (790)
  • Brain Matrix (259).

 

To combat this issue, mobile app stores must be vigilant in improving their screening of new apps for obfuscated malware. A Google spokesperson stated, “Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services,” showing Google’s awareness of the current threats surrounding mobile apps and how it is proactively protecting Android users from malware.

 


Threat Actor Utilises Google Ads to Spread Malware-Infected Authenticator


Google Ads is a digital advertising platform that allows businesses to serve tailored advertisements to users within the Google search engine and other Google services. Beyond this legitimate use, threat actors may abuse the service for malicious purposes, including phishing scams, brand impersonation and spreading misinformation.

On July 30th 2024 an example of this was reported, in which threat actors impersonated the Google Authenticator brand to trick unsuspecting users into installing malware onto their devices. The fraudulent site chromeweb-authenticators[.]com hosts an identical copy of Google’s Safety Center website, instructing the user to download the authenticator. Once downloaded and run, the malware, “DeerStealer”, allows the attacker to steal personal data from the device. (Source: Malwarebytes)

This type of attack relies on social engineering to infect a device. Knowing how to tell a genuine advertisement from a fake one, only downloading software from trusted sources, and keeping anti-virus up to date will protect you and your users from this kind of attack.

 


DDoS Attack Causes Nine-Hour Outage on Microsoft Services


Microsoft has confirmed that the outage on Tuesday 30th was caused by a distributed denial-of-service (DDoS) attack. The outage lasted nine hours and impacted Microsoft 365, Entra, Purview and Azure services; no specific threat actor has yet been identified as responsible.

 

“While the initial trigger event was a Distributed Denial-of-Service (DDoS) attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defences amplified the impact of the attack rather than mitigating it” Microsoft said.

 

This case shows the true impact of DDoS attacks on organisations, and why proactive defence against this type of attack is paramount: the outage affected not only Microsoft but also the many customers relying on 365, Entra, Purview and Azure.

 


Record Breaking $75 Million Ransom Paid By Fortune 50 Company


An unnamed Fortune 50 company paid a record-breaking ransom to the “Dark Angels” ransomware group. According to Sophos, the average ransom payment in 2024 is $2 million. Zscaler ThreatLabz used chain analysis to identify a victim in early 2024 who paid the Dark Angels $75 million in Bitcoin; this is to date the largest known ransomware payout.

Dark Angels have a history of targeting single organisations using advanced capabilities, following the “Big Game Hunting” strategy, which involves targeting only high-value companies that can provide large payouts. This is not the case for most ransomware groups, which target smaller companies to collect multiple ransom payouts. Any organisation can fall victim to ransomware, so staying vigilant about emerging threats will help avoid the cost, downtime and loss of reputation that an incident brings.

 


French Authorities Launch Operation to Remove PlugX Malware from Infected Systems


French judicial authorities, in collaboration with Europol, have initiated a comprehensive "disinfection operation" to eradicate the PlugX malware from compromised systems. The initiative, led by the Paris Prosecutor's Office, began on July 18 and is expected to extend over several months. Already, around a hundred victims across France, Malta, Portugal, Croatia, Slovakia, and Austria have benefited from the cleanup efforts. This action follows French cybersecurity firm Sekoia's successful sinkholing of a PlugX command-and-control server, revealing that nearly 100,000 unique public IP addresses have been sending PlugX requests daily to the seized domain.

 

PlugX, a remote access trojan (RAT) used predominantly by nation-state threat actors since 2008, is known for its ability to execute arbitrary commands, upload and download files, and harvest sensitive data. It has evolved to include a wormable component that spreads via infected USB drives, allowing it to reach air-gapped networks. Sekoia has developed a solution to delete PlugX from compromised workstations and USB devices, but due to legal complexities the final decision on deploying it rests with national CERTs, law enforcement agencies and cybersecurity authorities.
