September 2, 2019 By David Bisson 3 min read

Last week in security news, researchers came across a new variant of TrickBot that arrived with new features allowing it to target U.S. mobile users. Speaking of mobile threats, analysts spotted several Android Trojans, including one that potentially infected up to 100 million users on the Google Play store. Security researchers detected plenty of other malware attacks as well. In one case, they succeeded in shutting down a worm by cooperating with law enforcement overseas.

Top Story of the Week: TrickBot’s New Features

Last week, Secureworks discovered that the GOLD BLACKBURN threat group had modified TrickBot’s dynamic webinjects to target Verizon Wireless, T-Mobile and Sprint. Those features enabled the malware to intercept a server response whenever a victim decided to navigate to the websites of one of those U.S. mobile carriers. At that point, TrickBot proxied the response through its command-and-control (C&C) server.

The threat’s C&C server in turn injected HTML and JavaScript into the webpage, code that, when rendered in a victim’s browser, added a field for users to supply their PIN codes. With this information, attackers could perpetuate port-out or SIM swap fraud against their victims.

Source: iStock

Also in Security News

  • China Chopper Still Relevant After Nine Years: Cisco Talos found that the China Chopper web shell has remained relevant nine years after it was first spotted. Researchers attributed this ongoing relevance to the fact that several threat groups staged their own China Chopper attack campaigns over the previous two years.
  • New Ares ADB Botnet Targeting Android-Based Internet of Things (IoT) Devices: While investigating Android set-top boxes, WootCloud Labs uncovered the botnet targeting Android-based IoT devices. Researchers specifically witnessed the botnet leveraging the Android Debug Bridge (ADB) interface to discover additional Android devices and installing other malicious payloads.
  • 100 Million Users Potentially Exposed to Trojan via Google Play: Kaspersky Lab examined CamScanner – Phone PDF Creator and found that the app used an advertising library containing the malicious dropper Trojan-Dropper.AndroidOS.Necro.n. Based on researchers’ analysis, this Trojan might have affected more than 100 million users who downloaded the app from the Google Play store.
  • Dropper Earns Spot on Top 10 List of Mobile Malware: Over the summer, Malwarebytes Labs witnessed a dropper, dubbed Android/Trojan.Dropper.xHelper, earn a spot on its list of the top 10 most detected mobile malware strains. Researchers took a closer look and determined that the Trojan came in semi-stealth and full-stealth modes; in either case, the malware avoided creating an icon and shortcut on an infected device.
  • Joint Effort Shuts Down Retadup Worm: Avast revealed that it first began actively monitoring the Retadup worm in March 2019. This investigation uncovered a design flaw in the threat’s C&C protocol, which the security firm then leveraged in collaboration with the French National Gendarmerie to neutralize 850,000 infections and shut down the malware.
  • Nemty Ransomware Shows No Kindness to Antivirus Industry: A deep dive into the code of Nemty ransomware revealed several hidden messages. In particular, Bleeping Computer found that the threat used a strongly worded message directed at the antivirus industry as the name for its key that decodes base64 strings and creates URLs.
  • Attackers Leverage Two Remote Access Trojans (RATs) to Target Various Sectors: Near the end of August, Cisco Talos revealed that it had spotted attackers using RevengeRAT and Orcus RAT to target government entities, financial services organizations and other companies. Researchers observed the malware using persistence mechanisms typical of fileless attacks along the way.

Security Tip of the Week: Defending Against Mobile Malware

In its analysis of Android/Trojan.Dropper.xHelper, Malwarebytes Labs emphasized how important it is for organizations to leverage best practices in the fight against mobile malware:

“If confirmed to be true, our theory highlights the need to be cautious of the mobile websites you visit. Also, if your web browser redirects you to another site, be extra cautious about click anything. In most cases, simply backing out of the website using the Android’s back key will keep you safe.”

For added protection, security professionals should leverage mobile security solutions that can account for context and correlate it with facts to deter mobile threats. Organizations should do this in tandem with a unified endpoint management (UEM) platform that monitors all endpoints and automatically flags instances of suspicious activity.

More from

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.This milestone was reached at Pwn2Own 2024 in Vancouver, where two women, Valentina Palmiotti and Emma Kirkpatrick, each secured full wins by exploiting kernel vulnerabilities in Microsoft Windows 11. Prior to this year, only Amy Burnett and Alisa Esage had competed in the contest's 17-year history, with Esage achieving a partial win in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today