September 2, 2019 By David Bisson 3 min read

Last week in security news, researchers came across a new variant of TrickBot that arrived with new features allowing it to target U.S. mobile users. Speaking of mobile threats, analysts spotted several Android Trojans, including one that potentially infected up to 100 million users on the Google Play store. Security researchers detected plenty of other malware attacks as well. In one case, they succeeded in shutting down a worm by cooperating with law enforcement overseas.

Top Story of the Week: TrickBot’s New Features

Last week, Secureworks discovered that the GOLD BLACKBURN threat group had modified TrickBot’s dynamic webinjects to target Verizon Wireless, T-Mobile and Sprint. Those features enabled the malware to intercept a server response whenever a victim decided to navigate to the websites of one of those U.S. mobile carriers. At that point, TrickBot proxied the response through its command-and-control (C&C) server.

The threat’s C&C server in turn injected HTML and JavaScript into the webpage, code that, when rendered in a victim’s browser, added a field for users to supply their PIN codes. With this information, attackers could perpetuate port-out or SIM swap fraud against their victims.
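One defender-side way to catch the kind of webinject described above is to compare the form a browser actually rendered against the fields the carrier's login page is known to serve. The JavaScript below is an added example written for this post, not code from Secureworks or any carrier; the baseline field names, the sensitive-field pattern and both HTML samples are constructed for illustration.

```javascript
// Input names the genuine login page is known to render (constructed baseline).
const BASELINE_FIELDS = new Set(['username', 'password', 'remember']);

// Things a carrier login form should never suddenly start asking for.
const SENSITIVE_PATTERN = /\b(pin|ssn|port.?out|security.?code)\b/i;

// Pull every <input> out of server/browser HTML with its name and placeholder.
function extractInputs(html) {
  const inputs = [];
  const inputRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = m[1];
    const name = (attrs.match(/\bname\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    const placeholder = (attrs.match(/\bplaceholder\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    inputs.push({ name, placeholder });
  }
  return inputs;
}

// Report inputs absent from the baseline (flagging PIN-like ones) and any
// inline <script> blocks beyond what the genuine page ships, since injects
// usually add JavaScript alongside the extra field.
function auditRenderedForm(html, baselineScriptCount = 0) {
  const unexpected = extractInputs(html)
    .filter(f => !BASELINE_FIELDS.has(f.name))
    .map(f => ({
      ...f,
      sensitive: SENSITIVE_PATTERN.test(f.name.replace(/[_-]/g, ' ')) ||
                 SENSITIVE_PATTERN.test(f.placeholder),
    }));
  const inlineScripts = (html.match(/<script\b[^>]*>[\s\S]*?<\/script>/gi) || []).length;
  return {
    tampered: unexpected.length > 0 || inlineScripts > baselineScriptCount,
    unexpectedFields: unexpected,
    extraInlineScripts: Math.max(0, inlineScripts - baselineScriptCount),
  };
}

// Constructed samples: the page as served, and the same page after an inject.
const CLEAN_PAGE = `<form id="login">
  <input name="username" placeholder="Mobile number">
  <input name="password" type="password">
  <input name="remember" type="checkbox">
</form>`;

const INJECTED_PAGE = CLEAN_PAGE.replace('</form>',
  `  <input name="acct_pin" placeholder="Account PIN" type="password">
</form>
<script>/* constructed stand-in for injected script; no real payload */</script>`);
```

Running `auditRenderedForm(INJECTED_PAGE)` flags `acct_pin` as an unexpected sensitive field plus one extra inline script, while the clean page audits as untampered; the same check can run in a synthetic monitoring job that fetches the login page through a known-clean client.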


Also in Security News

  • China Chopper Still Relevant After Nine Years: Cisco Talos found that the China Chopper web shell has remained relevant nine years after it was first spotted. Researchers attributed this ongoing relevance to the fact that several threat groups staged their own China Chopper attack campaigns over the previous two years.
  • New Ares ADB Botnet Targeting Android-Based Internet of Things (IoT) Devices: While investigating Android set-top boxes, WootCloud Labs uncovered a botnet targeting Android-based IoT devices. Researchers specifically witnessed the botnet leveraging the Android Debug Bridge (ADB) interface to discover additional Android devices and to install other malicious payloads.
  • 100 Million Users Potentially Exposed to Trojan via Google Play: Kaspersky Lab examined CamScanner – Phone PDF Creator and found that the app used an advertising library containing the malicious dropper Trojan-Dropper.AndroidOS.Necro.n. Based on researchers’ analysis, this Trojan might have affected more than 100 million users who downloaded the app from the Google Play store.
  • Dropper Earns Spot on Top 10 List of Mobile Malware: Over the summer, Malwarebytes Labs witnessed a dropper, dubbed Android/Trojan.Dropper.xHelper, earn a spot on its list of the top 10 most detected mobile malware strains. Researchers took a closer look and determined that the Trojan came in semi-stealth and full-stealth modes; in either case, the malware avoided creating an icon and shortcut on an infected device.
  • Joint Effort Shuts Down Retadup Worm: Avast revealed that it first began actively monitoring the Retadup worm in March 2019. This investigation uncovered a design flaw in the threat’s C&C protocol, which the security firm then leveraged in collaboration with the French National Gendarmerie to neutralize 850,000 infections and shut down the malware.
  • Nemty Ransomware Shows No Kindness to Antivirus Industry: A deep dive into the code of Nemty ransomware revealed several hidden messages. In particular, Bleeping Computer found that the threat used a strongly worded message directed at the antivirus industry as the name of the key it uses to decode base64 strings and build URLs.
  • Attackers Leverage Two Remote Access Trojans (RATs) to Target Various Sectors: Near the end of August, Cisco Talos revealed that it had spotted attackers using RevengeRAT and Orcus RAT to target government entities, financial services organizations and other companies. Researchers observed the malware using persistence mechanisms typical of fileless attacks along the way.

Security Tip of the Week: Defending Against Mobile Malware

In its analysis of Android/Trojan.Dropper.xHelper, Malwarebytes Labs emphasized how important it is for organizations to leverage best practices in the fight against mobile malware:

“If confirmed to be true, our theory highlights the need to be cautious of the mobile websites you visit. Also, if your web browser redirects you to another site, be extra cautious about clicking anything. In most cases, simply backing out of the website using the Android back key will keep you safe.”

For added protection, security professionals should leverage mobile security solutions that can account for context and correlate it with facts to deter mobile threats. Organizations should do this in tandem with a unified endpoint management (UEM) platform that monitors all endpoints and automatically flags instances of suspicious activity.
