Episode 83: From Trojan Takedowns to Browser Breakdowns

Links

https://thehackernews.com/2025/03/new-android-trojan-crocodilus-abuses.html

https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices

https://thehackernews.com/2025/03/coffeeloader-uses-gpu-based-armoury.html

https://www.securityweek.com/firefox-affected-by-flaw-similar-to-chrome-zero-day-exploited-in-russia

https://nvd.nist.gov/vuln/detail/CVE-2025-2783 – Chrome

https://nvd.nist.gov/vuln/detail/CVE-2025-2857 – Mozilla

New Android Trojan Stealing Banking and Crypto Credentials

  • new Android banking malware called Crocodilus
    • targets users in Spain and Turkey
    • designed for device takeover
      • conducts fraudulent transactions
    • pretends to be Google Chrome
      • package name: quizzical.washbowl.calamity
  • Attack
    • Once installed, it requests access to Android’s accessibility services
      • Reaches back to its C2 server
      • enabling it to monitor app launches
      • display overlay attacks to intercept credentials
      • capture all on-screen elements
    • No fake login pages
      • instead, an alert message urges victims to back up their seed phrases within 12 hours
        • or else risk losing access to their wallets
      • Tricks users into navigating to their seed phrase
        • series of 12 to 24 random words that acts as the master key to your cryptocurrency wallet
      • The accessibility permissions are then used to steal the phrase as it is displayed on screen
        • Giving the attackers access to the wallets
    • Extra features
      • Launch specified application
      • Self-remove from the device
      • Post a push notification
      • Send SMS messages to all/select contacts
      • Retrieve contact lists
      • Get a list of installed applications
      • Get SMS messages
      • Request Device Admin privileges
      • Enable black overlay
      • Update C2 server settings
      • Enable/disable sound
      • Enable/disable keylogging
      • Make itself a default SMS manager
  • Protect
    • Avoid Sideloading Apps
      • Don’t install apps from outside the Play Store (unless you really know what you’re doing).
      • Crocodilus disguises itself as Chrome—but comes from third-party sources.
    • Scrutinize App Permissions
      • If an app wants accessibility services, SMS, or to draw over other apps, that’s a red flag
      • Ask yourself: Why would a calculator need to control your screen and read your messages?
    • Use Mobile Security Tools
      • Consider using mobile security apps from reputable vendors (e.g., Bitdefender, Kaspersky, Norton).
      • They can flag suspicious behavior like overlays or keylogging attempts.
    • Turn On Google Play Protect
      • It’s built into Android and scans apps for malware.
      • Go to: Settings → Security → Google Play Protect and make sure it’s active.
    • Protect Your Seed Phrase
      • Never type it into anything but your official wallet app.
      • Never screenshot it. Never store it in Notes. Never email it to yourself.
      • Use hardware wallets (like Ledger or Trezor) for long-term storage; they don’t expose the seed to your phone.
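The permission red flags in the Protect list above (accessibility services, SMS, drawing over other apps, device admin rights) can be checked mechanically against an app's manifest. The script below is an added example for these show notes, not code from the page, from ThreatFabric or from any Android tooling: it parses a decoded AndroidManifest.xml with the standard library and scores the permissions the episode says Crocodilus relies on. Both sample manifests are constructed for illustration (only the package name quizzical.washbowl.calamity comes from the episode); the weights, the function names and the impersonation check are my own choices.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the episode calls out as red flags for a banking trojan.
# Weights are illustrative (assumption), not from the page.
RED_FLAGS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("draw over other apps (overlay attacks)", 3),
    "android.permission.READ_SMS": ("read SMS (OTP interception)", 3),
    "android.permission.RECEIVE_SMS": ("receive SMS", 2),
    "android.permission.SEND_SMS": ("send SMS to contacts", 2),
    "android.permission.READ_CONTACTS": ("retrieve contact list", 1),
    "android.permission.BIND_DEVICE_ADMIN": ("device admin privileges", 3),
}
ACCESSIBILITY_BINDING = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: a Chrome lookalike with the package name reported in the
# episode. Component names (.A11y, .Admin) are made up for the example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="quizzical.washbowl.calamity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Chrome">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Constructed benign counterpart: a calculator that only wants network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calculator">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Calculator"/>
</manifest>
"""


def scan_manifest(xml_text):
    """Return package, a risk score and the human-readable findings."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(f"{{{ANDROID_NS}}}label", "") if app is not None else ""

    # Runtime/install-time permissions are requested via <uses-permission>.
    requested = {e.get(name_attr) for e in root.iter("uses-permission") if e.get(name_attr)}
    # Accessibility services and device-admin receivers are not requested that
    # way; they show up as the android:permission guarding the component.
    bound = {e.get(perm_attr) for e in root.iter() if e.get(perm_attr)}

    findings, score = [], 0
    for perm in sorted(requested | bound):
        if perm in RED_FLAGS:
            why, weight = RED_FLAGS[perm]
            findings.append(f"{perm}: {why}")
            score += weight
    if ACCESSIBILITY_BINDING in bound:
        findings.append(f"{ACCESSIBILITY_BINDING}: accessibility service (screen reading, keylogging)")
        score += 4
    # Real Chrome ships as com.android.chrome; a "Chrome" label elsewhere is impersonation.
    if label.lower() == "chrome" and not package.startswith("com.android.chrome"):
        findings.append(f"label 'Chrome' but package is {package} (impersonation)")
        score += 4
    return {"package": package, "score": score, "findings": findings}
```

The same scan applies to any decoded manifest, so it generalises beyond the Crocodilus sample: run it over the output of a manifest decoder and review anything whose findings include an accessibility binding together with SMS or overlay permissions, the exact combination the episode describes.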

CoffeeLoader Evades EDR and Antivirus Detection

  • Emergence
    • First identified around September 2024
    • deliver second-stage malware payloads while avoiding detection by security solutions
      • Not the final payload itself, but the wrapper the payload arrives in
  • Tactics
    • GPU-Based Packer (“Armoury”): Utilizes the system’s GPU to execute code, complicating analysis in virtual environments. This packer impersonates ASUS’s legitimate Armoury Crate utility.
    • Call Stack Spoofing: Forges call stacks to mask the origin of function calls, hindering detection by security software that analyzes call stack traces.
    • Sleep Obfuscation: Encrypts its code and data during inactive periods, decrypting only during execution to evade memory scans.
    • Windows Fibers: Employs lightweight user-mode threading to implement sleep obfuscation, further evading detection by some Endpoint Detection and Response (EDR) systems.
    • Establishes persistence via scheduled tasks, configured to run upon user logon with elevated privileges or at regular intervals, ensuring continued operation after system reboots.
    • Command and Control (C2) uses HTTPS and implements certificate pinning to prevent interception. If primary C2 channels are unreachable, it employs a domain generation algorithm (DGA) as a fallback.
      • Certificate Pinning: a security technique used in apps (usually mobile or web clients) to hard-code a specific SSL/TLS certificate that the app will trust when connecting to a server over HTTPS.
  • Protection
    • Use Advanced Endpoint Protection (EPP + EDR)
      • CoffeeLoader uses tricks like call stack spoofing, sleep obfuscation, and GPU-based unpacking, which can bypass basic antivirus tools.
      • Use EDR solutions with behavioral detection and memory analysis capabilities (like CrowdStrike, SentinelOne, Microsoft Defender for Endpoint).
    • Monitor for Suspicious Scheduled Tasks
      • CoffeeLoader uses scheduled tasks for persistence. Regularly audit task scheduler entries.
      • Watch for tasks that:
        • Launch from suspicious directories (like %AppData%)
        • Use random or unusual names
        • Don’t match any known software
    • Secure DNS and Block DGAs
      • CoffeeLoader uses a Domain Generation Algorithm (DGA) as a fallback if the main C2 servers fail.
      • Use DNS firewalls (like Cisco Umbrella or Cloudflare Gateway) to detect and block algorithmically generated domains.
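The two monitoring recommendations above (auditing scheduled tasks for user-writable launch paths, random names and elevated logon triggers, and spotting algorithmically generated fallback domains) both reduce to simple statistics over exported data, so one added example covers both. The script below is written for these show notes and is not code from the page, from Zscaler or from any DNS-firewall product. The task entries are constructed to look like a parsed `schtasks /query /v` export, the two DGA-style domains are constructed, the thresholds are my own choices, and a real deployment would feed it the live task list and DNS query log instead of the inline samples.

```python
import math
import re
from collections import Counter


def shannon_entropy(text):
    """Bits per character; a label of all-distinct characters scores log2(len)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


# --- Scheduled-task audit ---------------------------------------------------
# Constructed sample entries (assumption: fields as a schtasks export would give).
# The third entry mimics the persistence pattern the episode describes.
SAMPLE_TASKS = [
    {"name": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "action": "C:\\Windows\\System32\\sc.exe start wuauserv",
     "run_level": "LeastPrivilege", "trigger": "Daily"},
    {"name": "\\GoogleUpdateTaskMachineUA",
     "action": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua",
     "run_level": "LeastPrivilege", "trigger": "Daily"},
    {"name": "\\Xk3q9zTb",
     "action": "C:\\Users\\alice\\AppData\\Roaming\\Xk3q9zTb\\loader.exe",
     "run_level": "HighestAvailable", "trigger": "AtLogon"},
]

USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%",
                 "\\appdata\\", "\\temp\\", "\\users\\public\\")


def looks_random(name):
    """Heuristic for generated names: almost no vowels, or digits mixed into letters."""
    token = name.replace(" ", "")
    if len(token) < 6 or not token.isalnum():
        return False
    lower = token.lower()
    vowel_ratio = sum(ch in "aeiou" for ch in lower) / len(lower)
    digits = sum(ch.isdigit() for ch in lower)
    return vowel_ratio < 0.2 or (digits >= 2 and vowel_ratio < 0.3)


def audit_task(task):
    """Return the reasons a task deserves review (empty list if none)."""
    reasons = []
    if any(d in task["action"].lower() for d in USER_WRITABLE):
        reasons.append("launches from a user-writable directory")
    if looks_random(task["name"].rsplit("\\", 1)[-1]):
        reasons.append("random-looking task name")
    # Elevation at logon is normal for vendor tasks; only escalate it when
    # another indicator is already present.
    if reasons and task["run_level"] == "HighestAvailable" and task["trigger"] == "AtLogon":
        reasons.append("runs elevated at every logon")
    return reasons


def audit_tasks(tasks):
    return {t["name"]: r for t in tasks if (r := audit_task(t))}


# --- DGA-style domain scoring ----------------------------------------------
# The first three are real sites linked from the episode; the last two are
# constructed to look machine-generated.
SAMPLE_DOMAINS = ["thehackernews.com", "www.threatfabric.com", "microsoftonline.com",
                  "xjq8d2kzw9vhtr.net", "kqzvxwrtnlmpdg.com"]


def dga_score(domain):
    """0-4: one point per statistical property typical of generated labels."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]   # second-level label
    if not label:
        return 0
    score = 0
    if shannon_entropy(label) > 3.5:                       # near-uniform characters
        score += 1
    letters = [c for c in label if c.isalpha()]
    if letters and sum(c in "aeiou" for c in letters) / len(letters) < 0.25:
        score += 1                                         # unpronounceable
    if sum(c.isdigit() for c in label) / len(label) > 0.2:
        score += 1                                         # digits sprinkled in
    longest_run = max((len(m) for m in re.findall(r"[b-df-hj-np-tv-z]+", label)), default=0)
    if len(label) > 12 and longest_run >= 4:
        score += 1                                         # long consonant clusters
    return score


def is_dga_like(domain, threshold=2):
    return dga_score(domain) >= threshold


def flag_domains(domains):
    return [d for d in domains if is_dga_like(d)]
```

Both checks are deliberately cheap so they can run on every host or every DNS log batch; they are triage filters, and a hit means "look at this", not "this is CoffeeLoader". Legitimate long brand names such as microsoftonline stay below the DGA threshold because real words keep a normal vowel mix and low entropy, which is why the score combines several properties rather than relying on entropy alone.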

Hackers Abuse MailChimp via Phishing and Social Engineering Tactics

  • Tactic
    • Exploiting Mailchimp accounts to distribute malware and conduct further social engineering attacks.
  • Targeted Sectors
    • Hackers have focused on organizations in education, marketing, technology, and retail
  • Compromised Accounts
    • Researchers identified over 1,200 newly infected devices with stolen Mailchimp credentials, indicating active, ongoing breaches.
  • Geographic Concentration
    • The attacks are notably prevalent in Brazil, France, and India
  • Multi-Factor Authentication Bypass
    • Attackers employ infostealers like RedLine, Raccoon, and Lumma to extract authentication cookies from browsers.
      • This method allows them to hijack user sessions without triggering MFA protocols, rendering traditional MFA ineffective.
  • Recommendations for Organizations
    • Review Account Access
      • Monitor and analyze account access patterns for anomalies.
    • Implement Session Timeouts
      • Enforce policies that automatically terminate inactive sessions to reduce the risk of session hijacking.
    • Enhance Endpoint Protection
      • Deploy advanced endpoint security solutions capable of detecting and preventing infostealer malware before it can exfiltrate sensitive data.
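The session-hijacking path above works because a stolen authentication cookie is accepted for as long as the server keeps the session alive, regardless of who presents it. The following Python session store is an added example for these show notes, not code from the page or from Mailchimp: it implements the two server-side controls the recommendations describe, an idle timeout plus an absolute lifetime, and adds a client binding so that a cookie replayed from an infostealer's machine is rejected and logged as an access anomaly. The timeout values, the `fingerprint` inputs and all function names are my own assumptions; the clock is injected so the scenario can be replayed without waiting.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Policy values are constructed for the example, not taken from the page.
IDLE_TIMEOUT = 15 * 60          # seconds without activity before the session dies
ABSOLUTE_LIFETIME = 8 * 3600    # hard cap, even for an active session


@dataclass
class Session:
    user: str
    fingerprint: str
    created: float
    last_seen: float


def fingerprint(user_agent, client_ip):
    """Coarse client binding: a cookie replayed from another machine usually
    arrives with a different user agent / address pair."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self._sessions = {}
        self.events = []   # (user, reason) audit trail for access-pattern review

    def create(self, user, user_agent, client_ip, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # the cookie value
        self._sessions[token] = Session(user, fingerprint(user_agent, client_ip), now, now)
        return token

    def validate(self, token, user_agent, client_ip, now=None):
        """Return 'ok' or the reason the presented cookie was refused."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        if now - s.created > ABSOLUTE_LIFETIME:
            return self._revoke(token, "expired")
        if now - s.last_seen > IDLE_TIMEOUT:
            return self._revoke(token, "idle_timeout")
        if fingerprint(user_agent, client_ip) != s.fingerprint:
            # A valid cookie from an unexpected client is the infostealer
            # pattern: revoke rather than silently accept, and record it.
            return self._revoke(token, "fingerprint_mismatch")
        s.last_seen = now
        return "ok"

    def logout(self, token):
        if token in self._sessions:
            self._revoke(token, "logout")

    def _revoke(self, token, reason):
        s = self._sessions.pop(token)
        self.events.append((s.user, reason))
        return reason
```

Binding to the client address is a trade-off: mobile users change networks, so in production you would bind to the stable parts (user agent, a device cookie) and treat an address change as an anomaly to review rather than an automatic revocation. The `events` list is what the "review account access" recommendation needs: a fingerprint mismatch on a live session is exactly the signal that a cookie has left the device it was issued to.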

Firefox Affected by Flaw Similar to Chrome Zero-Day Exploited in Russia

  • CVE-2025-2783 – Chrome
    • CVSS Score: 8.3/10
    • reported by cybersecurity firm Kaspersky
      • observed its exploitation in attacks against Russian media outlets, educational institutions, and government organizations.
    • Google released a Chrome update that patches the flaw
    • the campaign was dubbed Operation ForumTroll
    • used fake invitations to a scientific forum as lures
  • Mozilla Discovery of Vulnerability
    • Mozilla developers identified a critical flaw in Firefox’s inter-process communication (IPC) code
      • similar to the Chrome zero-day vulnerability (CVE-2025-2783) exploited in attacks targeting Russian organizations.
    • Mozilla tracks it as CVE-2025-2857
    • CVSS Score: 10/10
      • impacts Firefox for Windows.
        • patches released in versions 136.0.4, 128.8.1 (ESR), and 115.21.1 (ESR) to address the issue
  • Details
    • involves an incorrect handle that allows a compromised child process to cause the parent process to “return an unintentionally powerful handle”
      • In short, this leads to a sandbox escape
  • Tor Browser
    • Tor Browser, based on Firefox, has also been updated
