Vultur Android banking Trojan returns with advanced features

Last week witnessed a surge in cyber threats across various fronts, including password-spraying attacks on VPN services, a critical backdoor discovered in XZ Utils, the resurgence of Vultur Android banking malware, a campaign targeting PyPI, and the expansion of the Mispadu Trojan’s reach to Europe. These incidents underscore the escalating complexity and diversity of cyber threats, emphasizing the significance of implementing robust security measures, prompt updates, and comprehensive mitigation strategies in the face of evolving risks.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Cisco issues alert: Password-spraying strikes remote access VPN services

Cisco has released recommendations to mitigate password-spraying attacks targeting Remote Access VPN (RAVPN) services on Cisco Secure Firewall devices, as observed by Talos. These attacks, affecting both Cisco and third-party VPN concentrators, can result in account lockouts resembling Denial of Service (DoS) incidents, likely tied to reconnaissance activities.

Cisco’s response includes a mitigation guide with indicators of compromise (IoCs) for detection, such as VPN connection failures using Cisco Secure Client (AnyConnect) and abnormal authentication request surges in system logs. Recommended measures entail enhancing incident analysis capabilities, safeguarding default VPN profiles, employing TCP shun functionality, establishing control-plane ACLs, and adopting certificate-based authentication for RAVPN, offering stronger security against such threats.

2. XZ Utils library infected with secret backdoor posing risk to major Linux distros

RedHat issued a critical security advisory after discovering malicious code embedded in XZ Utils versions 5.6.0 and 5.6.1, posing a severe threat by enabling unauthorized remote access to systems. The compromise involves the manipulation of the liblzma build mechanism, leading to the alteration of specific functions within the liblzma code, particularly targeting the sshd daemon process associated with SSH.

Immediate action is recommended, including identifying affected systems, executing detection commands like ‘xz -V,’ and promptly downgrading to earlier versions lacking the malicious code, such as version 5.4.6 Stable. Users are advised to discontinue the use of affected distributions until the xz version is downgraded, engaging information security teams for further guidance and mitigation measures.

3. Vultur Android banking malware strikes back with refined remote control abilities

The Android banking Trojan Vultur has resurfaced with enhanced functionalities and advanced evasion techniques, enabling remote manipulation of mobile devices and data exfiltration. The latest version encrypts communication channels, uses dynamically decrypted payloads, and hides malicious activities within seemingly legitimate applications. Initiated by deceptive SMS alerts, victims are coerced into installing tampered versions of McAfee Security, containing the ‘Brunhilda’ malware dropper.

Vultur, once installed, exploits Accessibility Services to trigger remote control systems and establish contact with the command-and-control server, retaining functionalities like screen recording, keylogging, and remote access while introducing refined file management capabilities and evasion tactics. Android users are urged to exercise caution, downloading apps exclusively from reputable sources, scrutinizing messages for suspicious content, and verifying caller identities to mitigate the risk of infection.

4. PyPI responds to threat: Halts sign-ups over malicious uploads surge

The Python Package Index (PyPI) has temporarily halted user registrations and new project creations to combat a persistent malware campaign targeting the platform. Threat actors have uploaded 365 counterfeit packages resembling legitimate projects, embedding malicious code in their ‘setup.py’ files. This code, encrypted with the Fernet module, fetches additional payloads from remote servers upon installation, resulting in info-stealers with persistent data theft capabilities.

Notably, attackers have released numerous variations for popular packages, employing typosquatting tactics and unique maintainer accounts to evade detection. This incident highlights the necessity for rigorous vetting of open-source components and emphasizes measures such as verifying package sources, monitoring dependencies, and implementing code reviews to mitigate risks effectively.

5. Mispadu Trojan targets Europe, thousands of credentials compromised

The Mispadu malware, previously targeting Latin America and Spanish-speaking populations, has expanded its reach to include Italy, Poland, and Sweden, with an ongoing campaign spanning various sectors. Initially focused on financial institutions in Brazil and Mexico, Mispadu employs deceptive tactics like fake pop-up windows to steal credentials, utilizing advanced functionalities such as screenshot capture and keystroke logging.

Recent attacks exploit a patched Windows SmartScreen security flaw, initiating with invoice-themed emails containing malicious PDF attachments. Upon opening, recipients are directed to download a ZIP archive containing a VBScript loader for the Mispadu payload. This malware utilizes heavy obfuscation and Anti-VM checks, employing two command-and-control servers for payload delivery and credential exfiltration. Microsoft has taken steps to block malicious extensions within OneNote files used for malware delivery. Mitigation strategies include robust email filtering, regular security training, software patching, and endpoint protection deployment.