Fake Telegram apps infect 10 million users with spyware

SISA Weekly Threat Watch - 18 September 2023

In the past week, a range of significant cybersecurity threats and attacks has been observed, underscoring the ongoing challenges faced by individuals and organizations worldwide. These threats include nation-state actors exploiting vulnerabilities in widely used software, the spread of sophisticated malware across multiple operating systems, cybercriminals abusing legitimate tools for cryptocurrency mining, and counterfeit Telegram apps infecting millions of Android users. Vigilance, proactive security measures, and user education remain essential in mitigating these evolving threats.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

1. Nation-state hackers exploit Fortinet and Zoho vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and Cyber National Mission Force (CNMF), issued a joint alert warning of multiple nation-state actors exploiting security vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus. These vulnerabilities, including CVE-2022-47966 and CVE-2022-42475, were exploited to gain unauthorized access, establish persistence, and move laterally within networks.

CVE-2022-47966 allowed unauthenticated attackers to achieve remote code execution with root-level access, which they used to download additional malware, collect administrative user credentials, and potentially compromise further systems. CVE-2022-42475 was used as an initial access vector: attackers breached an organization’s firewall device, deployed web shells, initiated encrypted data transfer sessions, and evaded detection by disabling administrative credentials and deleting logs on critical servers. Organizations must take immediate action to patch and secure their systems, bolster monitoring and detection capabilities, and adhere to best practices to safeguard against advanced persistent threats.

2. Spyware in fake Telegram apps infects over 10 million users

Counterfeit versions of Telegram were discovered on the Google Play Store, masquerading as legitimate apps but secretly collecting sensitive data from compromised Android devices. These fraudulent apps, before being removed by Google, amassed millions of downloads and were found to gather information like names, user IDs, contacts, phone numbers, and chat messages, sending it to a server controlled by malicious actors.

Notably, the malicious package names used typosquatting tactics, incorporating variations like “wab,” “wcb,” and “wob,” to deceive users into thinking they were genuine Telegram apps. This discovery follows the disclosure of the BadBazaar malware campaign, which also exploited a counterfeit Telegram version to collect chat backups and had capabilities including tracking device location, stealing call logs, recording calls, and more. It is recommended to be extremely cautious when considering alternative clients or modified versions of popular messaging apps. Additionally, pay attention to the permissions requested by apps during installation and install reliable antivirus and anti-malware software on all your Android devices to protect your sensitive personal data.
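Defenders reviewing a managed-device application inventory can flag package IDs that imitate the genuine Telegram package. The following is an added example, not code from the advisory or from any vendor: it assumes `org.telegram.messenger` as the legitimate package ID, treats the "wab", "wcb" and "wob" suffixes cited above as known typosquat markers, and uses a constructed inventory rather than real samples from the campaign.

```python
from difflib import SequenceMatcher

# The genuine Telegram package ID on Google Play (assumption for this example).
LEGITIMATE_PACKAGES = {"org.telegram.messenger"}

# Suffix variants the advisory cites in the counterfeit package names.
VARIANT_TOKENS = {"wab", "wcb", "wob"}


def similarity(a: str, b: str) -> float:
    """Similarity ratio in [0, 1] between two package IDs (difflib ratio)."""
    return SequenceMatcher(None, a, b).ratio()


def classify(package: str, threshold: float = 0.85) -> str:
    """Label a package ID as 'legit', 'typosquat', 'lookalike' or 'unrelated'."""
    if package in LEGITIMATE_PACKAGES:
        return "legit"
    for legit in LEGITIMATE_PACKAGES:
        # A genuine ID with extra segments such as ".wab" appended.
        if package.startswith(legit + "."):
            extra = package[len(legit) + 1:].split(".")
            if any(seg in VARIANT_TOKENS for seg in extra):
                return "typosquat"
        # Near-identical IDs (e.g. one-character substitutions) are suspicious too.
        if similarity(package, legit) >= threshold:
            return "lookalike"
    return "unrelated"


def scan(inventory):
    """Return {package: label} for every entry that is not exactly legitimate."""
    return {p: classify(p) for p in inventory if classify(p) != "legit"}


# Constructed inventory, in the shape a device-management export might provide.
SAMPLE_INVENTORY = [
    "org.telegram.messenger",       # genuine
    "org.telegram.messenger.wab",   # constructed: variant suffix from the advisory
    "org.telegram.messenger.wob",   # constructed: variant suffix from the advisory
    "org.telegran.messenger",       # constructed: single-character substitution
    "com.example.weather",          # constructed: unrelated app
]

if __name__ == "__main__":
    for pkg, label in scan(SAMPLE_INVENTORY).items():
        print(f"{label:10s} {pkg}")
```

Tune the similarity threshold to your own inventory; a value that is too low will flag unrelated apps sharing common segments such as "messenger".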

3. Malicious AMOS Stealer targets macOS users in new malvertising campaign

A new iteration of the Atomic macOS Stealer (AMOS), known as OSX.AtomStealer, has surfaced in a malicious advertising (malvertising) campaign targeting macOS users seeking TradingView software on Google. Malicious actors manipulate Google search results to display malicious ads at the top, diverting users to phishing sites where they unknowingly download the malware. To evade detection from Google’s ad quality checks, some of these ads use Unicode characters to mimic real domain names, making it challenging for users to distinguish them from genuine ads.

Once executed, the malware exfiltrates sensitive user data, posing a significant threat. It leverages ad-hoc signing, making it challenging for Apple to revoke access, and initiates data exfiltration, including wallet addresses, passwords, and cookies. The malware also employs “bulletproof” servers for data transfer, emphasizing its sophistication. The stolen credentials and personal information are then transmitted to the attacker’s servers, putting the victim’s privacy and security at risk. To protect against such threats, users are advised to exercise caution when downloading software, validate the source’s authenticity, and maintain robust antivirus protection with real-time scanning.

4. BlueShell malware expands its reach across Windows, Mac, and Linux OS

A recent report by security researchers has exposed a concerning rise in the use of BlueShell malware by threat actors targeting Windows, Mac, and Linux systems in Korea and Thailand. This sophisticated backdoor, written in Go and in circulation since 2020, uses TLS (Transport Layer Security) encryption to evade detection and is associated with the Dalbit Group, a China-based threat actor. BlueShell’s cross-platform capabilities and encrypted communication with its Command-and-Control server make it exceptionally elusive.

The malware’s configuration parameters enable attackers to maintain control over infected hosts. Its linkage to the Dalbit Group underscores its versatility and the group’s focus on exploiting vulnerable servers and demanding ransoms; the malware may also be customized for regional targets, with a possible connection to a Chinese-speaking developer or threat actor. By prioritizing regular updates, deploying effective intrusion detection systems, fortifying server security, and educating users, organizations can significantly reduce their exposure to such malware attacks.

5. Advanced Installer Tool exploited by cybercriminals for cryptocurrency mining

Since November 2021, cybercriminals have been exploiting the legitimate Windows tool Advanced Installer to distribute cryptocurrency-mining malware. They package well-known software installers like Adobe Illustrator and Autodesk 3ds Max with hidden malicious scripts, using Advanced Installer’s Custom Actions feature to execute them discreetly. Primarily targeting French-speaking users in industries requiring high GPU power, such as 3-D modeling and graphic design, the attacks have been traced to France and Switzerland, with occasional incidents reported globally.

The malware payloads include M3_Mini_Rat for remote administration, PhoenixMiner for Ethereum mining, and lolMiner for simultaneous mining of multiple virtual currencies, collectively turning victims’ systems into cryptocurrency-mining hubs. The use of search engine optimization tactics suggests attackers manipulate search results to deliver malicious downloads, widening the campaign’s reach. To thwart such attacks, it is recommended to employ robust antivirus and anti-malware solutions, train employees to recognize phishing attempts, and implement network monitoring tools to detect unusual traffic patterns.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
