Security Intelligence

JexBoss Exploit Scan

Summary

Wapack Labs observed multiple attempts to exploit JBoss Application Servers using the JexBoss Exploit Tool starting in November of 2018.  Research into these incidents shows most of these scans originate in China.  In addition to scanning for JBoss, the scans attempt to exploit Tomcat management pages, PHP Weathermap, Microsoft Windows Server 2003 and Apache Hadoop YARN Resource Manager.  Wapack Labs provides details on JexBoss, the IPs used to scan for…


Virtual Chief Trust Officer (vCTO) Program

In a recent blog post by Nitzan Daube, CTO of NanoLock, he explains why security must focus on IT hardware and physical security as well as on the cyber security consequences of neglecting them.  Wapack Labs agrees wholeheartedly, and is providing solutions.

Wapack Labs participated in a recent lecture at the October 2018 ASIS Conference, held in Las Vegas, NV.  Our joint lecture specifically addressed hardware compromise, adherence to physical security and the psychology of…


Blockchain for the Supply Chain

The Air Force Institute of Technology[1] (AFIT) has released free “Blockchain for Supply Chain” tools for supply chain professionals to learn about and use the power of blockchain technology.  AFIT recently published a live blockchain application that can be accessed from any computer or smart phone, along with a complementary series of tutorial videos that present a blockchain simulation.  These videos can be used as a stand-alone…


Cyber security professionals often focus on dangers that appear inside their networks or within company messages, sometimes overlooking physical threats.  Laptops and devices routinely leave the perimeter that network security controls protect.  In this circumstance, an attacker can easily get physically next to a vulnerable laptop, which can render firewall rules and DNS security inoperable against someone breaking into “your” laptop.…


Triout Spyware Framework

Researchers at Bitdefender have identified a new Android malware, named Triout, which acts as a framework for turning legitimate applications into spyware.  It is used to inject extensive surveillance capabilities into seemingly benign applications.  Triout is found bundled with a repackaged app, with capabilities including recording phone calls, logging incoming text messages, recording videos, taking pictures and collecting GPS coordinates, then broadcasting all of that back to an attacker-controlled C2 (command and control) server.  The sample’s first appearance seems to be 15 May 2018, when it was uploaded to VirusTotal.

Capabilities


The malware has a vast array of advanced capabilities, including:

  • Recording every call taking place on the phone
  • Uploading recorded phone calls to a remote server
  • Stealing call log data
  • Collecting and stealing SMS messages, both incoming and outgoing
  • Sending the phone's GPS coordinates to a remote server
  • Uploading a copy of every picture taken with the phone's cameras to a remote server
  • Taking remote photos and videos from both front and back cameras
  • Advanced stealth capabilities that allow it to hide from the target user

Command and Control (C2) Server

Infection Technique


It is bundled with legitimate applications, leaving users unaware of its presence.  The malware was first observed in an app repackaged to look identical to a legitimate Android app called “Sex Game.”  Both versions have identical icons and capabilities.

As the above screenshots indicate, both applications are similar in functionality.  The malicious application is almost identical to the original app, both in code and functionality, except for the malicious payload.  From the app’s icon to the in-app screens, the malicious version keeps all original functionality, presumably so as not to arouse any suspicion in its victim.[1]


The C2 server to which the application sends the collected data is operational and the campaign is ongoing, according to researchers.  It is believed to be a highly targeted attack against a set of people, most probably in Israel.  The researchers also presume that this application targets several key victims for espionage or data collection purposes.
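A triage check in the spirit of the comparison above, added here as an example and not code from Bitdefender or Wapack Labs: it diffs the permissions declared in a decoded AndroidManifest.xml of the original app against those of a repackaged copy and flags any additions that map to the surveillance capabilities listed earlier. The two manifests are constructed samples with a hypothetical package name, and the check assumes the APK's binary manifest has already been decoded to plain XML (for example with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the Triout capabilities listed above (calls, call log, SMS, GPS, camera).
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "recording phone calls",
    "android.permission.READ_CALL_LOG": "stealing call log data",
    "android.permission.READ_SMS": "collecting SMS messages",
    "android.permission.RECEIVE_SMS": "intercepting incoming SMS",
    "android.permission.ACCESS_FINE_LOCATION": "sending GPS coordinates",
    "android.permission.CAMERA": "taking remote photos and videos",
}

def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def permission_creep(original_xml: str, suspect_xml: str) -> dict:
    """Map each surveillance permission the suspect app adds over the original to its capability."""
    added = declared_permissions(suspect_xml) - declared_permissions(original_xml)
    return {p: SURVEILLANCE_PERMISSIONS[p] for p in sorted(added) if p in SURVEILLANCE_PERMISSIONS}

# Constructed sample manifests (hypothetical package name, not real Triout artifacts).
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for perm, capability in permission_creep(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST).items():
        print(f"ADDED {perm}: enables {capability}")
```

An empty result only means no declared permission creep; a repackaged app that already shared the original's broad permissions, or that abuses runtime grants, still needs code-level comparison.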


Prevention Techniques


The best way to protect yourself from such malicious apps is to always download applications from trusted sources, like the Google Play Store, and to stick only to verified developers.

Think twice before granting any app permission to read your messages, access your call logs, your GPS coordinates, or any other data obtained via the Android device's sensors.  Common mitigation techniques are:


  • Consider carefully before granting a permission to any application.
  • Download applications from trusted sources like the Google Play Store.
  • Keep your phone and applications up to date.
  • Encrypt your devices.
  • Make frequent backups of important data.
  • Install anti-malware on your devices.

___________________
