This Week in Cyber 2nd September

Previously Undocumented Threat Actor Delivered Backdoor and Trojans Via Fake Amazon Gift Cards

Between March and June 2022, 3 related campaigns have been spotted delivering a variety of malware, including ModernLoader, RedLine Stealer and cryptocurrency miners onto victim systems. Cisco Talos put together a report and deduced that the threat actors used the premise of fake Amazon gift cards to deliver the malware. The threat actors also allegedly used obfuscation to change the checksums of each file to make it more difficult for anti-malware software to detect and quarantine it. ModernLoader acts a backdoor to victim’s systems which allows the attacker to steal data, ‘drop’ malware onto it, and connect the system to a wider botnet.

According to Vanja Svajcer, a researcher at Cisco Talos, "The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRat, to enable various stages of their operations". This starts with a HTML file that runs a Powershell script on the command-and-control (C2) server before deploying the additional malware. The intended targets appeared to be eastern European countries, Bulgaria, Poland, Hungary and Russia, with the threat actor themselves appearing to be Russian.

1.4 Million Users Running Malicious Google Chrome Extensions

Users of Google Chrome over the last few years have been increasingly targeted by threat actors using phony browser extensions to install malware or track user activity. In March 2022, Google removed 13 extensions that were found to exfiltrate user information. These were available to users in the US, Europe, and India. 5 more have recently been spotted that have a combined total of 1.4 million downloads. 2 of the browser extensions are titled ‘Netflix Party’ which allows users to watch Netflix shows together, and these are apparently still available to download. These 2 have a combined download total of 1.1 million, making it the majority by far. The other 3 are: FlipShope (80,000 downloads), Full Page Screenshot Capture (200,000 downloads) and AutoBuy Flash Sales (20,000 downloads).

These extensions use a JavaScript setup to log websites that the user visits and inject malicious code into e-commerce sites, allowing the attackers to make money from purchases that the user makes. This JavaScript code also makes sure that nothing malicious is carried out on the user system for 15 days from the date of install, in an effort to evade detection. Spotting something like this as a user can be tricky but reading user reviews and running a search on the specific extension should be able to tell you whether it is legitimate, or a fake.

Apple Releases Updates to Patch Critical Security Flaw

On Wednesday, tech giant Apple released an essential update for older iPhones, iPads, and the iPod touch to mitigate a critical software vulnerability (CVE-2022-32893) that has been actively exploited by threat actors in the wild. With an 8.8/10 CVSS score, CVE-2022-32893 is a critical flaw described as an out of bounds write issue that allows threat actors to process maliciously crafted web content and in turn, allows arbitrary code execution. For software version 12.5.6, build number 16H71 appears to fix this issue by improving the bounds checking within the operating system. An anonymous researcher was credited by Apple for discovering and reporting the issue. This update comes a couple of weeks after the companies more recent tech was updated to iOS 15.6.1 to fix the same issue. Apple have also recently announced a new ‘bug bounty’ program to reward researchers who find flaws in their technology. The rewards vary between $100 to $31,337 per bounty.