sharkbot - X-Industry - Red Sky Alliance2024-03-28T17:55:08Zhttps://redskyalliance.org/xindustry/feed/tag/sharkbotAvoid these Antivirus and Cleaner Appshttps://redskyalliance.org/xindustry/avoid-these-antivirus-and-cleaner-apps2022-09-14T18:10:06.000Z2022-09-14T18:10:06.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}10812254669,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10812254669,RESIZE_400x{{/staticFileLink}}" width="225" alt="10812254669?profile=RESIZE_400x" /></a>The Android banking trojan known as SharkBot has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps. This new dropper does not rely on Accessibility permissions to automatically install the SharkBot malware. Instead, this new version asks the victim to install the malware as a fake antivirus update needed to stay protected against threats.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/don-t-get-bitten-by-sharkbot">https://redskyalliance.org/xindustry/don-t-get-bitten-by-sharkbot</a></p>
<p>The apps in question, Mister Phone Cleaner and Kylhavy Mobile Security have over 60,000 installations between them and are designed to target users in Spain, Australia, Poland, Germany, the U.S., and Austria.</p>
<ul>
<li>Mister Phone Cleaner (com.mbkristine8.cleanmaster, 50,000+ downloads)</li>
<li>Kylhavy Mobile Security (com.kylhavy.antivirus, 10,000+ downloads)</li>
</ul>
<p>The droppers are designed to drop a new version of SharkBot, dubbed V2 by Dutch security firm ThreatFabric, which features an updated command-and-control (C2) communication mechanism, a domain generation algorithm (DGA), and a fully refactored codebase. Researchers discovered a newer version, 2.25, on 22 August 2022, that introduces a function to siphon cookies when victims log in to their bank accounts while removing the ability to automatically reply to incoming messages with links to the malware for propagation.</p>
<p>By avoiding the Accessibility permissions for installing SharkBot, the development highlights that the operators are actively tweaking their techniques to avoid detection, not to mention find alternative methods in the face of Google's newly imposed restrictions to curtail the abuse of the APIs.</p>
<p>Additional notable information stealing capabilities include injecting fake overlays to harvest bank account credentials, logging keystrokes, intercepting SMS messages, and carrying out fraudulent fund transfers using the Automated Transfer System (ATS). Sharkbot malware poses an evolving and universal threat. Despite continued efforts by Apple and Google, app stores are vulnerable to unknowingly being abused for distribution, with the developers trying every trick in the book to dodge security checks. SharkBot's developers seem to have been focusing on the dropper to keep using Google Play Store to distribute their malware in the latest campaigns.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p></div>Weekly Cyber Intel Report - All Sector 09 09 2022https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-09-09-20222022-09-09T12:07:15.000Z2022-09-09T12:07:15.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2><span style="font-size:12pt;"><a href="{{#staticFileLink}}10807323087,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10807323087,RESIZE_400x{{/staticFileLink}}" width="250" alt="10807323087?profile=RESIZE_400x" /></a>Activity Summary - Week Ending on 9 September 2022:</span></h2>
<ul>
<li>Red Sky Alliance identified 22,128 connections from new IPs checking in with our Sinkholes</li>
<li>storeiq[.]eu in Poland hit 24x</li>
<li>Analysts identified 2,085 new IP addresses participating in various Botnets</li>
<li>Samsung Hack</li>
<li>Samsung’s Rebuttal</li>
<li>SharkBot</li>
<li>3rd Party Vulnerabilities</li>
<li>AI Lessons</li>
<li>Eni in Italy</li>
<li>US – LA School District Hit</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}10807324058,original{{/staticFileLink}}">IR-22-252-001_weekly252.pdf</a></p></div>Don't get Bitten by SharkBothttps://redskyalliance.org/xindustry/don-t-get-bitten-by-sharkbot2021-11-23T13:22:19.000Z2021-11-23T13:22:19.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}9837181474,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9837181474,RESIZE_400x{{/staticFileLink}}" width="250" alt="9837181474?profile=RESIZE_400x" /></a>A new Android banking trojan has been discovered targeting international banks and cryptocurrency services in the United Kingdom, Italy and the US. Twenty-two instances have been reported so far. The malware, first detected at the end of October 2021, appears to be new and is still being developed. It was discovered by Cleafy, an Italian fraud detection and prevention firm. Cleafy calls it ‘SharkBot’, named after the frequency of the word ‘sharked’ in its binaries.</p>
<p>SharkBot is not found in Google’s official marketplace, which means it must be sideloaded by delivering the APK to the device and ensuring it is manually installed. Cleafy’s technical analysis of the malware found that it poses as a legitimate application using common names and icons. If the attack succeeds and the malware is installed, it immediately attempts to enable Android’s Accessibility Services by delivering fake pop-ups to the victim such as ‘Allow Media Player to have full control of your device.’ If this is successful, SharkBot takes over all the permissions.<a href="#_ftn1">[1]</a></p>
<p>Once accepted the malware can enable keylogging (to steal typed credentials), intercept SMS messages (to circumvent MFA), deliver overlay attacks (to steal login credentials and credit card information) and remotely control the device because permissions were granted via the fake pop-up. “Basically the malicious Accessibility Services can read anything a user can read and can recreate any action a user can on the device” says WatchGuard Technologies.</p>
<p>SharkBot also attempts a relatively unique technique known as an Automatic Transfer Systems (ATS) attack. “This technique has been seen recently from other banking trojans, such as Gustuff,” explains Cleafy. “ATS is an advanced attack technique (fairly new on Android) which enables attackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices.”</p>
<p>In the past, malware families like ZeuS and SpyEye used Webinject files to modify the websites of targeted organizations such as banks. A Webinject file is basically a text file with JavaScript and HTML code that contains the code the attacker wants to insert into the targeted websites. With ATS, however, attackers have taken things to the next level. Instead of merely passively stealing information, ATSs allow cybercriminals to instantly carry out financial transactions that could deplete users’ bank accounts without their knowledge. No longer needing user intervention to key in user names and passwords, ATSs allow cybercriminals to automatically transfer funds from victims’ accounts to their own ones without leaving traces of their presence.</p>
<p>The ATS functionality is contained in a module downloaded separately from the C2. “Given its modular architecture,” comments Cleafy, “we don't exclude the existence of botnets with other configurations and targets.” The assumption is that ATS is used by SharkBot to bypass the behavioral detection measures used by many financial institutions. If ATS is used on what is a trusted device, a ‘new device enrollment’ phase is not necessary, SMS-based MFA can be bypassed, and behavioral biometrics are not effective.</p>
<p>Although relatively few instances of SharkBot have been discovered in the wild, Cleafy suspects that the SharkBot threat will grow. This is partly because it is new, and apparently still being developed. “The implications of becoming infected with SharkBot could be severe, so it's important,” says Nachreiner, “to avoid being infected altogether.” This is not yet easy. The malware is new and not well detected by existing detection means. Apart from the DGA for its C2s, it also uses anti-analysis techniques including obfuscated strings and emulator detection. The best solution is to avoid side-loading religiously. Without 100% certainty in the authenticity of the application and the validity of its source, the easy button here is: simply do not install it. </p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/new-%E2%80%98sharkbot%E2%80%99-android-banking-malware-hitting-us-uk-and-italy-targets">https://www.securityweek.com/new-%E2%80%98sharkbot%E2%80%99-android-banking-malware-hitting-us-uk-and-italy-targets</a></p></div>