Episode 62: June 26 2023
Links
https://www.hackread.com/swing-vpn-android-app-ddos-botnet/
https://www.androidpolice.com/malware-android-vpn-ddos-botnet/
https://securityaffairs.com/147788/intelligence/unsolicited-smartwatches-us-army.html
https://www.hackread.com/hackers-send-malware-infected-usbs-best-buy-gift-cards/
https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
Popular Swing VPN Android App as DDoS Botnet
- Discovered by Lecromee, a security researcher.
- The claim has not been independently confirmed.
- Generic Dangers
- Malware
- Data Theft
- Remote Control
- Swing VPN
- Android Version
- over 5 million installations
- June 2023
- Discovery
- Lecromee’s friend
- Unusual traffic on phone
- Phone sent requests to a website every 10 seconds.
- Lecromee suspected malware/virus.
- Discovered the traffic was coming from the Swing VPN app.
- All requests were sent to the same site.
- Pcapdroid
- Look at the traffic flow.
- making requests to the Turkmenistan Airlines website
- uniquely crafted URL
- mitmproxy
- capture the data.
- What was found?
- app figures out the real IP address.
- after installation, language selection, and accepting the Privacy Policy.
- It then sends a request to Bing and Google with the query “What is my IP?”
- app parses the returned HTML and identifies IPs from the responses.
- Then sends requests to two different config files.
- stored in the developer’s personal Google Drive account.
- files are requested from specific personal servers.
- several GitHub repositories, or Google Drive accounts.
- app then set off connecting to an ad network to load ads.
- finally stores data in a local cache before proceeding to a DDoS site.
- Turkmenistan Airlines (turkmenistanairlines.tm).
- the request payload contained specific data.
- the endpoint of the requests was using the site’s resources.
- by sending one request every 10 seconds.
- Since a flight search is a fairly resource-intensive task
- Lecromee said, “it is clear that the goal is to stress the server out of resources so that normal users won’t be able to access it when needed.”
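To show how the periodic traffic described above could be spotted in a flow log, here is an added example (not from the episode or from Lecromee’s write-up) that flags per-app destinations contacted at near-constant intervals; the log lines, app names and hosts are constructed sample data.

```python
# Flag periodic outbound requests (beaconing) in a per-app flow log.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one flow per line: "<epoch_seconds> <app> <destination_host>".
SAMPLE_LOG = """\
1687750000 swingvpn turkmenistanairlines.tm
1687750003 browser example.org
1687750010 swingvpn turkmenistanairlines.tm
1687750020 swingvpn turkmenistanairlines.tm
1687750031 swingvpn turkmenistanairlines.tm
1687750040 swingvpn turkmenistanairlines.tm
1687750047 browser example.org
1687750050 swingvpn turkmenistanairlines.tm
1687750120 browser example.org
1687750121 browser example.org
1687750300 browser example.org
1687750305 swingvpn bing.com
"""

def parse_log(text):
    """Parse the flow log into (timestamp, app, host) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, host = line.split()
        rows.append((float(ts), app, host))
    return rows

def find_beacons(rows, min_requests=5, max_jitter=0.2):
    """Return {(app, host): mean_interval_s} for flows whose inter-request gaps
    are nearly constant (standard deviation / mean <= max_jitter)."""
    by_key = defaultdict(list)
    for ts, app, host in rows:
        by_key[(app, host)].append(ts)
    findings = {}
    for key, times in by_key.items():
        if len(times) < min_requests:
            continue  # too few samples to call the flow periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        if pstdev(gaps) / avg <= max_jitter:
            findings[key] = round(avg, 1)
    return findings

if __name__ == "__main__":
    for (app, host), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{app} -> {host}: request every ~{interval}s (possible beaconing)")
```

Irregular browsing to example.org is not flagged because its gaps vary widely, while the six evenly spaced requests to the airline site are.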
US Military warns of unexpected smart watches
- The U.S. Army’s Criminal Investigation Division
- reported that service members across the military
- received unsolicited smartwatches in the mail.
- Danger
- Upon using these smartwatches
- the devices automatically connected to Wi-Fi.
- Began connecting to cell phones unprompted.
- Allowing it access to a huge quantity of user data.
- The military investigation division warned
- that the smartwatches may also contain malware
- spy on the soldiers
- Malware may be present which accesses both voice and cameras, enabling actors access to conversations and accounts tied to the smartwatches.
- steal sensitive data.
- malware that would grant the sender access to saved data to include banking information, contacts, and account information such as usernames and passwords.
- Brushing
- sending products, often counterfeit, unsolicited to random individuals.
- allow companies to use the receiver’s name to write positive reviews.
- US military personnel who have received the devices are advised not to turn the device on
- report it to their local counterintelligence, or security manager.
- Previous Attacks
- Makes me think of
- Best Buy themed, March 2020
- $50 BestBuy Giftcard/USB
- USB was really a HID (keyboard)
- Arduino microcontroller ATMEGA32U4
- downloads and runs a JavaScript backdoor.
- GRIFFON malware
- Reported by Trustwave SpiderLabs.
Latest Mirai Campaign Leveraging Multiple IoT Exploits
- Unit 42
- Palo Alto Security Researchers
- 2 campaigns (ongoing)
- Started March 14
- April and June explosion in activity
- Attack
- First exploit one of the following affected products.
- D-Link
- Nagios
- Arris
- Zyxel
- TP-Link
- SolarView
- Nortek
- Tenda
- MediaTek
- Using one of 22 different vulnerabilities
- Connects to shell script downloader.
- 185.225.74[.]251
- Different Linux architectures
- Connects to cover tracks.
- 185.44.81[.]114 (From Aug. 15, 2022, to March 24, 2023)
- 185.225.74[.]251 (After March 25, 2023)
- Connects to the Mirai botnet
- Botnet discovered in 2016.
- Infected devices are used as part of DDoS attacks.
- Protection
- Keep devices from direct access to internet.
- Make sure they have all security patches installed.
- Check for firmware updates on a regular schedule (e.g., whenever the clocks change).
- Keep on a different network.
- Block
- zvub[.]us
- 185.225.74[.]251
- 185.44.81[.]114
- 193.32.162[.]189
Self-Propagating Malware Inadvertently Affects Networked Storage Devices
- Check Point Incident Response Team (CPIRT)
- Early 2023
- investigated a malware incident at a European healthcare institution.
- Attributed to Camaro Dragon
- AKA Mustang Panda/Luminous Moth
- China-based espionage threat actor
- Usually operate in
- Attack
- through an infected USB drive
- contained WispRider.
- bypass for SmadAV
- using HopperTick launcher
- gained access to the healthcare institution.
- malware also performs DLL side-loading.
- creates a backdoor
- searches for newly connected drives to spread when connected.
- Things to know.
- While Camaro Dragon usually operates in Asia
- Employee of European medical company
- Visit a conference in Asia.
- Shared his presentation with others via USB.
- Someone else’s machine was infected, and the malware copied itself to his USB drive once it was plugged in.
- When he came back to work, he used the infected USB drive on the corporate network.