
Posts

Super Critical Bug Fixed by WhatsApp: the Bug Could Have Let Anyone Crash WhatsApp for All Group Members

WhatsApp, the world's most popular end-to-end encrypted messaging application, patched an incredibly frustrating software bug that could have allowed a malicious group member to crash the messaging app for all members of the same group. Just by sending a maliciously crafted message to a targeted group, an attacker could trigger a fully destructive WhatsApp crash-loop, forcing all group members to completely uninstall the app, reinstall it, and remove the group to regain normal function. Since the group members can't selectively delete the malicious message without opening the group window and re-triggering the crash-loop, they have to lose the entire group chat history, indefinitely, to get rid of it. Discovered by researchers at the Israeli cybersecurity firm Check Point, the latest bug resided in WhatsApp's implementation of the XMPP communication protocol and crashes the app when a member with an invalid phone number drops a message in the group. "When we attempt ...

Bayerische Motoren Werke (BMW) Hacked: OceanLotus APT Hacker Group Penetrates the BMW Network

The well-known APT hacker group “OceanLotus” breached the network of the automobile giant BMW and successfully installed a hacking tool called “Cobalt Strike”, which helped them spy on and remotely control the system. Security experts at BMW spotted that hackers had penetrated the company's network and had remained active since March 2019. The OceanLotus APT group is believed to be active on behalf of the State of Vietnam, and they mainly focus on the automobile industry. GBHackers previously reported various high-profile malware attacks involving the OceanLotus APT group around the globe since 2014; the threat group targets private-sector companies across multiple industries as well as foreign governments. Last weekend, security experts from BMW took down the hacked computers and blocked the path that was used by the hackers to penetrate the network. Florian Roth @cyb3rops: BMW hacked by #OceanLotus in spring 2019 - used CobaltStrike - no evidence that they had acces...

Windows 0-Day Exploit CVE-2019-1458 Widely Used by Hackers in Operation WizardOpium Cyber Attacks

Researchers discovered that an exploit for a newly patched Windows zero-day vulnerability was already used in Operation WizardOpium attacks last month, alongside a Chrome zero-day exploit. The attack was initially observed by Kaspersky researchers, who had already uncovered a Google Chrome 0-day exploit that was used as part of the attack. Further detailed investigation revealed that the exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine and also escape the Chrome process sandbox. Researchers observed two different stages in the EoP exploit: one is a tiny PE loader and the other is the actual exploit. Kaspersky products detect this exploit with the verdict PDM:Exploit.Win32.Generic. The EoP exploit indicates that the vulnerability it used belongs to the win32k.sys driver, and that the EoP exploit was a 0-day was confirmed by the researchers when they tested it with an exp...

Government Networks Attacked by BlackTech Hacker Group Using API Hooking Technique in Malware to Evade Detection

The cyberespionage group known as BlackTech, which is behind the Waterbear malware campaign that has targeted various industries for several years, has returned to attack government and technology companies. Researchers recently uncovered a brand new piece of Waterbear payload with the sophisticated capability of hiding in the network from a specific security product by using API hooking techniques. API hooking is a technique used to modify or hide the behavior and flow of API calls at run time in order to evade detection of its activities. If the attacker knows which specific APIs to hook in their attack, it means that they are familiar with how certain security products gather information on their clients' endpoints and networks. Researchers noted that this is the first time Waterbear has been seen attempting to hide its backdoor activities, and that the attackers are very knowledgeable about the victim's environment. Waterbear Malware Behaviour: there is a modular approach that was observed t...

Google Suite Hacked using TrickBot Credential Stealer Malware Hiding Malicious Activity

TrickBot is one of the top modular banking malware families; it primarily targets users' financial information and also acts as a dropper for other malware. The malware was first spotted in 2016 and was mostly distributed via malvertising campaigns; it has evolved from a small banking trojan into an Access-as-a-Service model. TrickBot New Malware Campaign: Unit 42 security researchers observed a new distribution campaign delivered through phishing emails with subject lines about payroll or annual bonuses. The campaign includes embedded links pointing to a legitimate Google Docs document, which contains links to download the malicious file from Google Drive. For further obfuscation, the email was delivered through SendGrid. According to Unit 42 research, “the email appeared to originate from individuals at .edu email addresses, and then attackers used SendGrid's EDS to distribute the malware.” The email contains attractive text and links; once the user...

Russian APT Hacker Group Again Uses Weaponized Word Documents to Attack Government and Military Networks

Researchers discovered new malicious activity by Russian APT hackers targeting government and military officials in Ukrainian entities. The attackers' targets are not limited to these; they also infect various individuals who are part of the government and law enforcement, journalists, diplomats, NGOs, and the Ministry of Foreign Affairs. Researchers believe that the campaign is attributable to Gamaredon activity, in which the attackers use a Dynamic Domain Name Server as the C2 server, along with a VBA macro and a VBA script, as part of this attack. The threat actors use weaponized DOCX files during intelligence collection on the target, distributed via spearphishing emails. Gamaredon uses weaponized documents, sometimes retrieved from legitimate sources, as the initial infection vector. Researchers observed malicious samples that reveal APT activity from at least September 2019 to November 25, 2019. Malware Infection Process: researchers observed some of the lure do...

New Malware Family “Venus” in Google Play Store Infects 285,000 Android Users, Subscribing Them to Premium Ads

Researchers discovered a new Trojan family called “Venus” residing in the Google Play Store that has infected at least 285,000 Android users around the world. There are 8 apps involved in the malicious activity on Android users' devices, and it mainly targets the carrier billing and advertising area. 8 Malicious Apps List: threat actors developed these apps to interact with ads and subscribe the user to premium services without any sort of notification, and it also bypasses Google Play Protect and the malware detection system. Several countries were targeted by this malware campaign, including Belgium, France, Germany, Guinea, Morocco, Netherlands, Poland, Portugal, Senegal, Spain, and Tunisia. Malware Infection Process via Malicious App: researchers observed that most of the data is consumed by an application called “Quick scanner”, which is protected by a library that encrypts and hides files. According to Evina research, “The ap...