Anatsa, a persistent Android banking trojan, has taken part in a new mobile malware campaign. In November of 2021, the same Anatsa trojan took part in a different campaign, hosted on Google Play, that imitated a number of downloadable apps. These apps, such as PDF scanners, QR scanners, Adobe Illustrator apps, and fitness trackers, were downloaded over 300,000 times. The new Anatsa campaign, launched in March of 2023, targeted online banking payments and users in the United States, United Kingdom, Austria, Germany, and Switzerland.
Now, the attackers are altering their approach by advertising malicious apps on Google Play. They list harmful apps in the office or productivity category, targeting everyday professionals with apps such as Anatsa PDF Viewer, an editing app, and an office suite. While Google has taken down many of these malicious apps, Anatsa continues to get around the takedowns. The attackers post new apps containing legitimate code that is then altered after the app has been uploaded to the store. If a user installs one of these apps, a pop-up alert asks for permission to fetch a secondary component hosted on GitHub. Once the user accepts, the malicious code is dropped onto the device but appears to be an ordinary add-on to the app.
Using Anatsa, this campaign is able to retrieve users' financial information, such as bank credentials and credit card details. The trojan collects this information by displaying phishing pages when users switch to their banking app. Money mules are sent the proceeds once the stolen information is converted into cryptocurrency. Currently, Anatsa targets over 600 banks, including E*TRADE, J.P. Morgan, Capital One, Schwab, and more.
Pilot Credentials, a Texas company used to recruit pilots, has suffered a data breach affecting more than 8,000 Southwest and American Airlines applicants. The breached database contains information such as Social Security numbers, passport numbers, and driver's and pilot's license numbers. The breach was discovered on May 3rd but had occurred a few weeks earlier. Neither airline has seen any fraudulent activity, but both are moving the application process in-house so that applicants deal directly with the airline.
Security experts say this type of information enables attackers to carry out identity theft, financial fraud, and phishing attacks. This isn't the first time airlines have been targeted by threat actors. In 2022, American suffered a phishing attack against its employees' email accounts, which left customers' sensitive data exposed. Because of the attention attackers are now paying to this industry, the Transportation Security Administration (TSA) is enforcing new cybersecurity regulations for airports as well as for the operating software aboard aircraft.
Process injection, a form of arbitrary code execution used by attackers, lets them run harmful code inside a trusted program without being noticed. In most cases, attackers use Windows API calls to change memory protections, allocate memory in the target process, or start threads in it. Security tools typically see this behavior and flag it. However, Mockingjay, a new form of this technique, gives attackers an alternative route into these processes, compromising them without alerting endpoint detection and response (EDR) tools. Instead of the usual API calls, threat actors using Mockingjay insert malicious code into remote processes by reading, writing, and running code in a pre-existing section of a dynamic link library (DLL), which does not trigger EDR alerts.
To devise this technique, the researchers looked for a DLL with a pre-existing RWX section and used its default memory protections to bypass any EDR hooks that were in place. This let them place code in that section and carry out two different injection methods. The first was self-injection. Using a few Windows API calls, the chosen DLL was loaded into the researchers' custom application, nightmare.exe, which gave access to the RWX section without any memory-allocation or permission-change calls. A clean NTDLL.DLL is used to extract syscall numbers, combined with the Hell's Gate EDR-unhooking approach, so the shellcode runs without raising any flags. The second method was remote process injection: a payload is inserted into the remote process ssh.exe, spawned as a child process, which loads msys-2.0.dll and its RWX section. With ssh.exe as the target process, the malicious code is written into the RWX memory section of that DLL. The injected shellcode, delivered via the DLL file MyLibrary.dll, spawns a reverse shell. The researchers found that this attack bypasses EDR measures without creating any new processes.
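The property Mockingjay depends on is a DLL that already ships with a section marked readable, writable and executable, so a useful defender-side check is to inventory the DLLs on a system for such sections. The scanner below is an added example for this write-up, not code from the researchers or from any product; it parses the PE section table directly from the PE/COFF header layout (the IMAGE_SCN_* values are the documented constants), and runs over a constructed minimal PE header built by the hypothetical helper `build_test_pe`, which exists only to produce offline test input and does not make a loadable image.

```python
"""Report PE sections whose characteristics are RWX at once (defender check).

Added example, not the Mockingjay researchers' code.  Pure-Python parsing of
the PE/COFF section table; the sample input is a constructed header, not a
real DLL.
"""
import struct
import sys
from typing import List, Tuple

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def pe_sections(data: bytes) -> List[Tuple[str, int, int]]:
    """Return (name, virtual_size, characteristics) for every section header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt             # section table follows optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                 # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize = struct.unpack_from("<I", data, off + 8)[0]
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vsize, chars))
    return sections


def rwx_sections(data: bytes) -> List[str]:
    """Names of sections that are readable, writable and executable together."""
    return [name for name, _, chars in pe_sections(data) if chars & RWX == RWX]


def scan_file(path: str) -> List[str]:
    """Convenience wrapper: RWX section names for a PE file on disk."""
    with open(path, "rb") as fh:
        return rwx_sections(fh.read())


def build_test_pe(sections: List[Tuple[bytes, int]]) -> bytes:
    """Construct a minimal PE64 header with the given (name, characteristics).

    Hypothetical helper for offline testing only; the optional header is
    zero-filled and there is no code, so the result is not loadable.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 240                            # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_opt, 0x2002)
    hdr = dos + b"PE\0\0" + coff + b"\0" * size_opt
    for name, chars in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                           0x1000, 0x1000, 0, 0, 0, 0, 0, 0, chars)
    return hdr


# Constructed sample: a normal code section, a data section, and one RWX section.
SAMPLE_PE = build_test_pe([
    (b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rwx", RWX),
])

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("sample image RWX sections:", rwx_sections(SAMPLE_PE))
    for p in paths:
        try:
            hits = scan_file(p)
        except (OSError, ValueError, struct.error) as exc:
            print(f"{p}: skipped ({exc})")
            continue
        if hits:
            print(f"{p}: RWX sections {hits}")
```

Run with no arguments to see the constructed sample flagged, or pass DLL paths to inventory real files; any image that reports a hit is one whose existing memory layout would let code be written and executed without the permission-change API calls EDR hooks watch for, so it deserves a closer look and tighter monitoring of the processes that load it.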
In July 2020, the European law enforcement agency Europol shut down EncroChat, an encrypted communication network. Subscribers relied on strong encryption that kept their identities hidden, and the platform offered features such as a remote data wipe and tamper-proof boot protections. On Tuesday, law enforcement officials announced that the operation has led to over 6,500 arrests worldwide and the seizure of 900 million euros ($982 million) from the suspects' underground schemes. Nearly 200 of those arrested were involved in high-level organized crime groups. The criminals' proceeds were split up and reinvested in joint campaigns with other criminal groups.
Through further investigation, authorities uncovered over 115 million conversations among 60,000 subscribers on the platform. Beyond the financial seizures, government agencies have also confiscated over 30 million pills of synthetic drugs, 270 tons of other illegal substances, 1,365 properties, vehicles, boats, and planes used in criminal operations, and thousands of weapons and other equipment.
Following this highly successful operation, members who escaped arrest switched to a different encrypted platform, Sky ECC, which was then closely monitored and dismantled. European, French, Dutch, and United States agencies intervened because the platform was used globally and hosted 27 million messages exchanged between members of numerous gangs.
LetMeSpy is an Android phone tracking app created for parents to control what is on their children's devices and how often they use them, and for companies to limit employee device time. The app stores text messages, call logs, and user locations.
On July 21st, the depth of information held by this app led attackers to hack into the system and obtain user data going back to 2013. The company claims that its system automatically deletes data after two months of account inactivity; however, that is not the case. A security research team identified this breach and alerted the app's maker. The unknown threat actor then replied to that message, claiming to have taken over the app's domain. As of now, the threat actors are known to have compromised over 13,000 devices but have released little publicly about what they obtained. Law enforcement and security agencies are monitoring the situation closely and are trying to capture as much information as the gang will share.