Security News

The lifespan of phishing attacks in H2 2019 has grown considerably and resulted in the tremendous increase in the number of phishing websites blockages, says Group-IB's Computer Emergency Response Team. In H2 2019 CERT-GIB blocked a total of 8, 506 phishing web resources, while in H2 2018, the figure stood at 2,567.

Researchers have analysed a new strain of Android malware that does not yet exist in the wild. EventBot asks the user for permission to use accessibility services, a powerful feature since these services require extensive permissions in order to work, including acting as a keylogger, for example, and running in the background.

Aimed at students and faculty at colleges in the US, this phishing campaign tried to infect machines with the Hupigon remote access trojan, says security provider Proofpoint. In a new campaign discovered by Proofpoint, scammers used adult dating photos as a way to infect people at colleges with malware.

"While our team has seen earlier versions of this trojan, which only featured a basic SMS stealer, new, and more elaborate, feature of the overlay malware capability - a tactic common to most Android banking malware." "Abusing the Accessibility service on the device, a relatively common way for Android malware apps to keep tabs on which app is running in the foreground, [Banker.BR] waits for a match with the goal of launching overlay screens at the right time and context to fool the user into tapping their credentials into the overlay," said researchers.

The Zeus Sphinx banking trojan is back after being off the scene for nearly three years. First seen in August 2015, Sphinx is a modular malware based on the leaked source code of the infamous Zeus banking trojan, the researchers explained.

IBM and FireEye have spotted a campaign that relies on fake "COVID-19 Payment" emails to deliver the Zeus Sphinx banking trojan to people in the United States, Canada and Australia. The emails have the subject line "COVID-19 payment" and they carry malicious documents named "COVID 19 relief."

The TrickBot malware has added a new feature: A module called rdpScanDll, built for brute-forcing remote desktop protocol accounts. TrickBot is a malware strain that has been around since 2016, starting life as a banking trojan.

The trojans are designed to gain control of Facebook user accounts by capturing browser cookies in Android, says Kaspersky. This trojan captures root rights on an Android device, thus allowing it to steal cookies from the browser and from Facebook and transfer them to the server of the cybercriminals behind it.

Their tastes however can run to a different sort of cookie, as evidenced by a fresh strain of Android malware that may be implanted prior to users purchasing a device. Appropriately dubbed "Cookiethief" by the Kaspersky researchers who discovered it, the trojan has a straightforward goal: "Its main task was to acquire root rights on the victim device, and transfer cookies used by the browser and Facebook app to the cybercriminals' server," explained Kaspersky researchers Anton Kivva and Igor Golovin, in an analysis on Thursday.

The latest wave of attacks are highly personalized and, unlike previous campaigns, target victims' mobile banking apps as an extra step to evade detection when making fraudulent transfers. "Some observations from the campaigns are that the adversary operating CamuBot handpicks potential victims and remains as targeted as possible, likely to keep the attack's TTPs on low profile and their team from attracting the attention of local law enforcement," said IBM X-Force researchers Chen Nahman and Limor Kessem, in an analysis this week.