<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>trojan - Latest News &amp; Reviews</title>
	<atom:link href="https://www.thetechoutlook.com/tag/trojan/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.thetechoutlook.com/tag/trojan/</link>
	<description>Daily Tech News, Interviews, Reviews and Updates</description>
	<lastBuildDate>Fri, 02 Sep 2022 16:44:01 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://www.thetechoutlook.com/wp-content/uploads/2019/09/cropped-favicon-1-150x150.png</url>
	<title>trojan - Latest News &amp; Reviews</title>
	<link>https://www.thetechoutlook.com/tag/trojan/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>US IT firms with New Malspam are being targeted by Snake Keylogger</title>
		<link>https://www.thetechoutlook.com/news/security/us-it-firms-with-new-malspam-are-being-targeted-by-snake-keylogger/</link>
					<comments>https://www.thetechoutlook.com/news/security/us-it-firms-with-new-malspam-are-being-targeted-by-snake-keylogger/#respond</comments>
		
		<dc:creator><![CDATA[Somya Agrawal]]></dc:creator>
		<pubDate>Fri, 02 Sep 2022 16:44:01 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[bitdefender]]></category>
		<category><![CDATA[malspam]]></category>
		<category><![CDATA[Spyware]]></category>
		<category><![CDATA[trojan]]></category>
		<guid isPermaLink="false">https://www.thetechoutlook.com/?p=72425</guid>

					<description><![CDATA[<div style="margin-bottom:20px;"><img width="1200" height="675" src="https://www.thetechoutlook.com/wp-content/uploads/2022/09/Untitled-design-2022-09-02T215701.096.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" decoding="async" fetchpriority="high" srcset="https://www.thetechoutlook.com/wp-content/uploads/2022/09/Untitled-design-2022-09-02T215701.096.jpg 1200w, https://www.thetechoutlook.com/wp-content/uploads/2022/09/Untitled-design-2022-09-02T215701.096-300x169.jpg 300w, https://www.thetechoutlook.com/wp-content/uploads/2022/09/Untitled-design-2022-09-02T215701.096-1024x576.jpg 1024w, https://www.thetechoutlook.com/wp-content/uploads/2022/09/Untitled-design-2022-09-02T215701.096-768x432.jpg 768w" sizes="(max-width: 1200px) 100vw, 1200px" /></div>
<p>This week, a fresh malspam campaign that appears to be aimed at enterprise IT decision-makers made its way back into the threat landscape. On August 23, Bitdefender Antispam Labs learned about the email campaign delivering the notorious Snake Keylogger. It seems to mostly be aimed towards US users. The attack, which originated from IP addresses [&#8230;]</p>
<p>The post <a href="https://www.thetechoutlook.com/news/security/us-it-firms-with-new-malspam-are-being-targeted-by-snake-keylogger/">US IT firms with New Malspam are being targeted by Snake Keylogger</a> appeared first on <a href="https://www.thetechoutlook.com">The Tech Outlook</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div style="margin-bottom:20px;"><img width="1200" height="675" src="https://www.thetechoutlook.com/wp-content/uploads/2022/09/Untitled-design-2022-09-02T215701.096.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" decoding="async" srcset="https://www.thetechoutlook.com/wp-content/uploads/2022/09/Untitled-design-2022-09-02T215701.096.jpg 1200w, https://www.thetechoutlook.com/wp-content/uploads/2022/09/Untitled-design-2022-09-02T215701.096-300x169.jpg 300w, https://www.thetechoutlook.com/wp-content/uploads/2022/09/Untitled-design-2022-09-02T215701.096-1024x576.jpg 1024w, https://www.thetechoutlook.com/wp-content/uploads/2022/09/Untitled-design-2022-09-02T215701.096-768x432.jpg 768w" sizes="(max-width: 1200px) 100vw, 1200px" /></div><p>This week, a fresh malspam campaign that appears to be aimed at enterprise IT decision-makers made its way back into the threat landscape. On August 23, Bitdefender Antispam Labs learned about the email campaign delivering the notorious Snake Keylogger. It seems to mostly be aimed towards US users. The attack, which originated from IP addresses in Vietnam, has already affected thousands of inboxes, according to Bitdefender telemetry.</p>
<p>Threat actors in this attack leverage the business portfolio of a reputed Qatari IT provider of cloud storage and security solutions to dupe potential victims into opening a malicious ZIP archive.</p>
<p>Inside the archive (ba8e072f51e1b944bfa3466da15cefa3), the executable COMPANY PROFILE.exe (9df140013f2b8627f7ea911d9767acdc) installs the Snake Keylogger payload on the victim's system. Recorded data is exfiltrated over SMTP.</p>
<p>Snake Keylogger, also known as 404 Keylogger, is a data thief that can record keystrokes from infected PCs, take screenshots, and copy data from clipboards. Additionally, it can monitor keyboard usage. The infamous credential-stealing software may be purchased on message boards and dark web marketplaces for just a few hundred dollars or less, depending on the level of service the consumer requires.</p>
<p>Most Snake attacks are financially motivated, and victims may also be subjected to other crimes, including identity theft and fraud. The credential-stealing malware also poses a serious security concern for enterprises because of its ability to collect data and act as a spy tool. As a result, threat actors might gain access to high-level accounts and carry out more harmful attacks on a company.</p>
<p>In the past, PDFs and Microsoft Office documents (Word and Excel) have been used in Snake attacks, making them particularly potent social engineering methods.</p>
<p>The cybercriminals running the campaign expose their victims to major security and privacy risks, such as data ransom and financial data exfiltration.</p>
<p>Use security tools to help protect yourself and your company from keylogger attacks, and always verify the origin and legitimacy of correspondence before clicking any links or opening attachments. Install a security program on your devices, and make sure that two-factor (2FA) or multi-factor (MFA) authentication is used to safeguard accounts. These measures will prevent hackers from accessing accounts if your system is hacked.</p>
<p>Bitdefender users are protected from Snake Keylogger. Both the Bitdefender spam filter and the Bitdefender anti-spam technology have identified this spam campaign.</p>
<p>Bitdefender enterprise and consumer solutions both classify the attachment as Trojan.GenericKD.61435093 and block it from being opened.</p>
<p>With Bitdefender Total Security and XDR, users and businesses receive the best anti-malware protection, threat detection, and response against e-threats across all major operating systems. Bitdefender security solutions provide real-time protection against e-threats like keyloggers or spyware, viruses, worms, Trojan horses, ransomware, and zero-day exploits to protect you and your data.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.thetechoutlook.com/news/security/us-it-firms-with-new-malspam-are-being-targeted-by-snake-keylogger/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>New ransomware is added to the Advanced SOVA Android Banking Trojan</title>
		<link>https://www.thetechoutlook.com/news/security/new-ransomware-is-added-to-the-advanced-sova-android-banking-trojan/</link>
					<comments>https://www.thetechoutlook.com/news/security/new-ransomware-is-added-to-the-advanced-sova-android-banking-trojan/#respond</comments>
		
		<dc:creator><![CDATA[Somya Agrawal]]></dc:creator>
		<pubDate>Sat, 13 Aug 2022 15:08:10 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Cleafy]]></category>
		<category><![CDATA[computing]]></category>
		<category><![CDATA[Ransomware]]></category>
		<category><![CDATA[sova]]></category>
		<category><![CDATA[trojan]]></category>
		<guid isPermaLink="false">https://www.thetechoutlook.com/?p=68112</guid>

					<description><![CDATA[<div style="margin-bottom:20px;"><img width="1200" height="675" src="https://www.thetechoutlook.com/wp-content/uploads/2022/08/Untitled-design-2022-08-13T202105.412.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" decoding="async" srcset="https://www.thetechoutlook.com/wp-content/uploads/2022/08/Untitled-design-2022-08-13T202105.412.jpg 1200w, https://www.thetechoutlook.com/wp-content/uploads/2022/08/Untitled-design-2022-08-13T202105.412-300x169.jpg 300w, https://www.thetechoutlook.com/wp-content/uploads/2022/08/Untitled-design-2022-08-13T202105.412-1024x576.jpg 1024w, https://www.thetechoutlook.com/wp-content/uploads/2022/08/Untitled-design-2022-08-13T202105.412-768x432.jpg 768w" sizes="(max-width: 1200px) 100vw, 1200px" /></div>
<p>The Android banking Trojan SOVA has returned with improved functionality, and a brand-new version with a ransomware module is now being created. Researchers at Cleafy, who saw the resurgence of SOVA, believe that Version 4 of SOVA targets more than 200 mobile applications, including banking apps and cryptocurrency exchanges/wallets. After the US and the Philippines, [&#8230;]</p>
<p>The post <a href="https://www.thetechoutlook.com/news/security/new-ransomware-is-added-to-the-advanced-sova-android-banking-trojan/">New ransomware is added to the Advanced SOVA Android Banking Trojan</a> appeared first on <a href="https://www.thetechoutlook.com">The Tech Outlook</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div style="margin-bottom:20px;"><img width="1200" height="675" src="https://www.thetechoutlook.com/wp-content/uploads/2022/08/Untitled-design-2022-08-13T202105.412.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://www.thetechoutlook.com/wp-content/uploads/2022/08/Untitled-design-2022-08-13T202105.412.jpg 1200w, https://www.thetechoutlook.com/wp-content/uploads/2022/08/Untitled-design-2022-08-13T202105.412-300x169.jpg 300w, https://www.thetechoutlook.com/wp-content/uploads/2022/08/Untitled-design-2022-08-13T202105.412-1024x576.jpg 1024w, https://www.thetechoutlook.com/wp-content/uploads/2022/08/Untitled-design-2022-08-13T202105.412-768x432.jpg 768w" sizes="auto, (max-width: 1200px) 100vw, 1200px" /></div><p>The Android banking Trojan SOVA has returned with improved functionality, and a brand-new version with a ransomware module is now being created.</p>
<p>Researchers at Cleafy, who saw the resurgence of SOVA, believe that Version 4 of SOVA targets more than 200 mobile applications, including banking apps and cryptocurrency exchanges/wallets. After the US and the Philippines, Spain appears to be the country that the malware is targeting most frequently.</p>
<p>SOVA v4 is hidden inside fake Android applications that bear the logos of well-known services like Chrome and Amazon. The most recent version includes a refactored and improved cookie-stealing mechanism that can now specify a list of targeted Google services and other applications. The update also lets the malware protect itself by detecting and blocking users&#8217; attempts to uninstall it.</p>
<p>The command-and-control (C2) interface in more recent SOVA versions also allows attackers to seize control of specified targets. This increases the malware&#8217;s ability to adapt to a variety of attack scenarios. It also has tools that enable attackers to capture screenshots and to record and run instructions. An attacker now has the chance to look for opportunities to pivot to possibly more valuable systems or applications.</p>
<p>&#8220;The most fascinating component is connected to the [virtual network computing] capabilities,&#8221; the report claims. This capability has been on the SOVA roadmap since September 2021, which is strong evidence that the threat actors have been adding new features and functionality to the malware since that time.</p>
<p>Additionally, the Cleafy team found evidence that malware version 5, which will include a ransomware module that was first indicated in a September 2021 development plan, is currently under development.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.thetechoutlook.com/news/security/new-ransomware-is-added-to-the-advanced-sova-android-banking-trojan/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>This Android malware hid inside an app downloaded 50,000 times from Google Play Store</title>
		<link>https://www.thetechoutlook.com/news/apps/this-android-malware-hid-inside-an-app-downloaded-50000-times-from-google-play-store/</link>
					<comments>https://www.thetechoutlook.com/news/apps/this-android-malware-hid-inside-an-app-downloaded-50000-times-from-google-play-store/#respond</comments>
		
		<dc:creator><![CDATA[Yamini Sharma]]></dc:creator>
		<pubDate>Wed, 23 Feb 2022 12:48:20 +0000</pubDate>
				<category><![CDATA[Apps]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Banks]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[trojan]]></category>
		<guid isPermaLink="false">https://www.thetechoutlook.com/?p=39381</guid>

					<description><![CDATA[<div style="margin-bottom:20px;"><img width="1200" height="675" src="https://www.thetechoutlook.com/wp-content/uploads/2022/02/Untitled-design-1-3.png" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://www.thetechoutlook.com/wp-content/uploads/2022/02/Untitled-design-1-3.png 1200w, https://www.thetechoutlook.com/wp-content/uploads/2022/02/Untitled-design-1-3-300x169.png 300w, https://www.thetechoutlook.com/wp-content/uploads/2022/02/Untitled-design-1-3-1024x576.png 1024w, https://www.thetechoutlook.com/wp-content/uploads/2022/02/Untitled-design-1-3-768x432.png 768w" sizes="auto, (max-width: 1200px) 100vw, 1200px" /></div>
<p>A new type of Android banking trojan malware has been downloaded by over 50,000 users in just a few weeks, targeting customers of 56 different European banks.</p>
<p>The post <a href="https://www.thetechoutlook.com/news/apps/this-android-malware-hid-inside-an-app-downloaded-50000-times-from-google-play-store/">This Android malware hid inside an app downloaded 50,000 times from Google Play Store</a> appeared first on <a href="https://www.thetechoutlook.com">The Tech Outlook</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div style="margin-bottom:20px;"><img width="1200" height="675" src="https://www.thetechoutlook.com/wp-content/uploads/2022/02/Untitled-design-1-3.png" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://www.thetechoutlook.com/wp-content/uploads/2022/02/Untitled-design-1-3.png 1200w, https://www.thetechoutlook.com/wp-content/uploads/2022/02/Untitled-design-1-3-300x169.png 300w, https://www.thetechoutlook.com/wp-content/uploads/2022/02/Untitled-design-1-3-1024x576.png 1024w, https://www.thetechoutlook.com/wp-content/uploads/2022/02/Untitled-design-1-3-768x432.png 768w" sizes="auto, (max-width: 1200px) 100vw, 1200px" /></div><p>This malware first appeared this month, according to cybersecurity researchers at ThreatFabric, who dubbed it &#8216;Xenomorph&#8217; due to links to another trojan called Alien. The malware is intended to steal usernames and passwords in order to gain access to bank accounts and other sensitive personal information.</p>
<p>The malware, like many other types of Android malware, appears to be able to circumvent security measures and infiltrate smartphones via apps in the Google Play Store. One of the apps discovered was a cleaner app that promised to help a device speed up by removing unused clutter: the app has been downloaded over 50,000 times.</p>
<p>The app appeared to provide the functionality advertised, but it also delivered malware, which steals usernames and passwords via fake overlays that activate when the victim attempts to log in to banking apps. Because the overlay replaces the actual login screen, any information entered is sent to the attackers. Banks in Spain, Portugal, Italy, and Belgium are currently under attack. The malware also includes overlays capable of stealing passwords for email accounts and cryptocurrency wallets.</p>
<p>Xenomorph can intercept SMS messages and app notifications to help steal the authentication information needed to bypass multi-factor authentication. Researchers have linked Xenomorph to another Android trojan, Alien, because of design similarities. Both use the same HTML resource page to trick victims into granting access to accessibility services. The researchers note that the malware still appears to be in the early stages of development, as many commands present in the code aren&#8217;t active yet.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.thetechoutlook.com/news/apps/this-android-malware-hid-inside-an-app-downloaded-50000-times-from-google-play-store/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
