Apple removes malicious iOS apps infected with clicker trojan

More than a dozen iOS apps infected with clicker trojan malware were found to be distributed via Apple’s App Store. These apps were used to perform ad fraud tasks for their developers. Discovered by researchers from Wandera, the group of 17 infected apps covers different categories including productivity, platform utilities, and travel. Once downloaded, the malicious apps infect victims’ devices with a clicker trojan. The trojan carries out fraud and ad-related malicious activities in the background, including continually opening web pages and clicking links without any user interaction. Additionally, it also drains the budget of a competitor by artificially inflating the balance owed to the ad network. Wandera researchers confirmed that the C2 server used by this iOS clicker trojan is similar to the one used in a recent Android ad fraud campaign discovered by researchers at Dr. Web. Dr.Web researchers had reported a very similar clicker trojan campaign affecting Android users. The malware was dubbed Android.Click.312.origin and Android.Click.313.origin. These trojans were available in over 33 apps distributed through the Google Play Store. Apple has taken down all the compromised apps, except for two - My Train Info – IRCTC & PNR and Easy Contacts Backup Manager. It will continue to monitor the activities of these apps.


Companies are Misusing VirusTotal and Exposing Confidential Data, Research Finds

Security researchers from OTORIO have uncovered that companies are unintentionally exposing data including factory blueprints and intellectual property by misusing Alphabet’s virus scanner. VirusTotal is a virus scanner owned by Alphabet’s cybersecurity subsidiary Chronicle. VirusTotal makes scanned documents available to companies for the detection of malware. However, some companies are misusing the virus scanner and are exposing sensitive documents. Researchers said that they discovered thousands of unprotected files from companies across the pharmaceutical, industrial, automotive and food sectors, as part of a project to research the malware logged by VirusTotal. These files contained information ranging from blueprints and supply chains to building entry points. VirusTotal’s online terms of service state that users agree to only upload documents that they wish to share publicly, and warn them not to submit any files that contain confidential, commercially sensitive, or personal data without permission. The company acknowledged the findings and agreed that there was a need to raise awareness about how the service works and how security applications should be configured.


New ‘CPDoS’ Web Cache Poisoning Attack Impacts Content Delivery Networks (CDN)

Researchers from the Technical University of Cologne (TH Koln) have detailed a new class of web cache poisoning attacks named ‘Cache-Poisoned Denial of Service (CPDoS)’ that impacts Content Delivery Networks (CDNs). A CPDoS attack can block and disable any web resource that is distributed through a CDN via a single HTTP request with a malicious header. An attacker sends a simple HTTP request containing a malicious header for the target resource provided by some web server. This request is processed by the intermediate cache, which passes the malicious header through untouched and forwards the request to the origin server. At the origin server, the request triggers an error because of the malicious header it contains. As a consequence, the origin server returns an error page, which the cache stores instead of the requested resource. Legitimate users trying to obtain the target resource with subsequent requests then receive the cached error page instead of the original content. The researchers noted that CDNs operate across large geographical areas and that the error page generated by a CPDoS attack can reach multiple cache server locations. However, they determined that not all edge servers are affected by this threat, and some clients will still receive the valid pages from the origin server. During their research, an attack coordinated from Germany (Frankfurt) against a target in the same country (Cologne) impacted cache servers across Europe and some parts of Asia. A Web Application Firewall (WAF) can also be deployed to mitigate CPDoS attacks. However, the WAF must be placed in front of the cache in order to block malicious content before it reaches the origin server. A WAF placed in front of the origin server (behind the cache) can itself be provoked into returning error pages that then get cached as well.
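The following is an added illustration, not code from the article or from the TH Koln researchers: a toy model of a caching proxy in front of an origin server, showing how a cache that stores error responses lets one client's request poison the cached copy for everyone, and the check that prevents it. The origin's header size limit, the paths and the header values are constructed for the example.

```python
# Added example (not from the original article or the CPDoS research):
# minimal model of an intermediate cache in front of an origin server.
from typing import Dict, Tuple

Response = Tuple[int, str]  # (HTTP status, body)

# Assumed origin limit on total header bytes; real servers vary.
MAX_HEADER_BYTES = 8192


def origin(path: str, headers: Dict[str, str]) -> Response:
    """Constructed origin: rejects requests whose headers exceed its limit."""
    if sum(len(k) + len(v) for k, v in headers.items()) > MAX_HEADER_BYTES:
        return (400, "Bad Request")
    return (200, f"content of {path}")


class Cache:
    def __init__(self, cache_errors: bool):
        # cache_errors=True models the vulnerable behaviour described above:
        # whatever the origin answers, including an error page, is stored.
        self.cache_errors = cache_errors
        self.store: Dict[str, Response] = {}

    def get(self, path: str, headers: Dict[str, str]) -> Response:
        if path in self.store:
            return self.store[path]          # cache hit: origin not consulted
        resp = origin(path, headers)         # headers are passed through untouched
        # Hardened cache: store only successful responses, so an error
        # provoked by one client's headers is never served to other clients.
        if resp[0] == 200 or self.cache_errors:
            self.store[path] = resp
        return resp


def simulate(cache_errors: bool) -> Response:
    """One request with an oversized header, then a normal client's request
    for the same resource; returns what the normal client receives."""
    cache = Cache(cache_errors)
    cache.get("/index.html", {"X-Oversized": "A" * (MAX_HEADER_BYTES + 1)})
    return cache.get("/index.html", {"User-Agent": "normal-client"})


if __name__ == "__main__":
    print("cache stores errors:", simulate(True))    # normal client gets 400
    print("cache stores 200 only:", simulate(False))  # normal client gets 200
```

The same status-code check is what a WAF in front of the cache achieves in practice: the error is either never produced or never stored, so it cannot be replayed to legitimate users.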


Raccoon Stealer Malware Gains Popularity in Underground Forums

A new information-stealing malware dubbed Raccoon Stealer has been identified as quite popular among malicious actors. Researchers have monitored this malware since April 2019 and have published a detailed analysis of it. Thousands of devices have been hit by this malware, in spite of it being fairly new to the threat landscape. Raccoon is an information stealer that harvests credit card details, cryptocurrency wallets, mail client data, and browser-related data. This malware also goes by Racealer or Mohazo, and has been featured as one of the best-selling malware offerings on underground forums. Security experts say that this malware was probably developed by Russian attackers because it was initially promoted on Russian-speaking forums. It is now also sold as malware-as-a-service (MaaS), with several features, on English-speaking forums. Raccoon malware is delivered through multiple methods, including exploit kits, bundled malware, and phishing. After infecting a system, the malware collects sensitive data and stores it in the ‘Temp’ folder. It captures screenshots, harvests system and browser information, extracts Outlook account details, and steals cryptocurrency wallets. This data may be used for blackmail or sold for financial gain on underground forums. All the stolen data is packed as a ZIP file and sent to the command-and-control server. Then, it wipes its binary from the machine using the delete command. Although it is not known for innovative techniques, Raccoon seems to be quite popular among malicious actors. This may indicate a growing trend of providing malware-as-a-service instead of being directly involved in the crime. Researchers expect this trend to continue in 2020 as well.


Avast Vulnerability Potentially Allows DLL Hijacking

Researchers discovered a vulnerability in all editions of Avast Antivirus and AVG Antivirus, both of which are maintained by Avast Software. Tracked as CVE-2019-17093, the vulnerability allows an attacker to load a malicious DLL file to bypass defenses and escalate privileges. The attacker requires administrative privileges to exploit this bug. Once exploited, the vulnerability allows a malicious DLL to be loaded into multiple processes. Owing to the product's self-defense mechanisms, even administrators are not allowed to write a DLL into the AM-PPL (Anti-Malware Protected Process Light). However, this restriction can be bypassed by writing the DLL file to an unprotected folder from which components are loaded by the application. Researchers present two root causes behind the vulnerability. During their analysis, they discovered that there was a lack of safe DLL loading. Another cause is that code integrity is not enforced in the AM-PPL process; Avast has reportedly disabled code integrity in its implementation. When exploited, the vulnerability may result in one of the following scenarios. An attacker may load and execute malicious payloads using multiple signed services, which may allow the malicious actor to perform an application whitelisting bypass. The self-defense mechanism of the antivirus may be bypassed; this mechanism monitors and prevents changes in the antivirus directory. The vulnerability can also be exploited to load and execute payloads persistently: once a malicious DLL has been injected, the malicious code will be loaded by the services on every restart. The vulnerability was reported to Avast in August this year. The team acknowledged the vulnerability in September and released version 19.8 for AVG and Avast. Because all versions below 19.8 are impacted by this vulnerability, it is recommended that users update Avast Antivirus and AVG Antivirus software to the latest version.


Edited and compiled by cyber security specialist James Aguilan.