Threat Intel Digest

March 2020

Android Malware Disguised as Treatment

One of the most alluring traps is a mobile app that professes to cure us. Not just heal us, but heal us for free! What else can we ask for?

Most of the time, if it is too good to be true, it's not true. The "Treatment for Diabetes" app is malicious. Although the app provides facts about diabetes and information about symptoms and diagnosis, that information is a facade that tricks you into thinking it is a helpful app. Having no advertisements also helps the app appear legitimate. But all the free information is overshadowed by the many bills you will receive. The malware acts as a dialer Trojan, and its main goal is to connect to a premium SMS service to steal your money. Always be careful when downloading apps to your mobile devices.


Stealing Cryptocurrencies

Cryptocurrencies, such as Bitcoin, Monero, Ethereum, and others, can be mined using your personal computer. It will just take a long time to generate a single coin, and the electricity bill is most often not worth the mining.

This truth is also known to malware authors. A quick way to mine cryptocoins is crowdsourcing: infect many machines and turn them into a mining botnet. By spreading the mining across many infected computers, the electricity bill is distributed among many unsuspecting users. Several strategies are used to mine maliciously: the malware can install mining scripts that make the infected machines operate as mindless miners, or the malware can steal the coins generated by infected computers that are already mining. The ViperSoftX trojan uses the latter trick. It intercepts the content of the clipboard and, if the content matches a crypto wallet address pattern, replaces it with the attacker's own wallet address. The malware assumes the copied address is the wallet that mined coins are about to be sent to, so the payout lands in the attacker's wallet instead. If your electricity bill jumps above your average usage, it can be because of the winter season, or because some of your computers are mining for the bad guys.
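The clipboard swap described above leaves a tell that a defender can look for: a wallet address in the clipboard turns into a different address of the same family within a fraction of a second, something a person almost never does. The following detector is an added example, not ViperSoftX's code or any vendor's product; the address patterns, the two-second window and the clipboard history are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Coarse address-family patterns, the same kind a clipboard hijacker matches against.
# Constructed for this example: they recognise an address family, they do not validate checksums.
WALLET_PATTERNS = {
    "bitcoin_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}

def wallet_type(text: str) -> Optional[str]:
    """Return the address family a clipboard value looks like, or None."""
    value = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(value):
            return name
    return None

@dataclass
class ClipboardEvent:
    seconds: float   # time of the clipboard change, relative to monitor start
    content: str

def detect_swaps(events: List[ClipboardEvent], window: float = 2.0) -> List[dict]:
    """Flag a wallet address that becomes a *different* address of the same family
    within `window` seconds. A hijacker rewriting the clipboard right after the
    user's copy produces exactly this pattern; a second copy by the user rarely does."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = wallet_type(prev.content)
        if kind is None or kind != wallet_type(cur.content):
            continue
        if prev.content.strip() != cur.content.strip() and cur.seconds - prev.seconds <= window:
            alerts.append({"at": cur.seconds, "family": kind,
                           "copied": prev.content.strip(), "replaced_with": cur.content.strip()})
    return alerts

# Constructed clipboard history: the user copies their own Ethereum address and 300 ms later the
# clipboard holds an address they never copied. The change 35 s later looks like a normal copy.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "notes for the team meeting"),
    ClipboardEvent(5.0, "0x1111111111111111111111111111111111111111"),
    ClipboardEvent(5.3, "0x2222222222222222222222222222222222222222"),
    ClipboardEvent(40.0, "0x3333333333333333333333333333333333333333"),
    ClipboardEvent(41.0, "1DemoAddrConstructedForThisTestAbc"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap at t={alert['at']}s ({alert['family']}): "
              f"{alert['copied']} -> {alert['replaced_with']}")
```

On a real endpoint the events would come from a clipboard-change hook rather than a list; the comparison logic stays the same.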


The Power of a Shell

Most of the tools used by researchers are also used by attackers. PowerShell tops the list, and it is used both by good and bad actors.

PowerShell is one of the favorite tools on both sides of the fence because of its easy-to-use scripting capability, cross-platform availability, and power. It's powerful enough to perform most of the operating system's functions, and it has complete access to the computer's file system and memory. On the good side, PowerShell is used mostly to keep machines running efficiently and to automate daily tasks that manage the operating system. On the bad side, attackers use it to download, install, and execute malicious payloads on victim machines. A malicious document macro can easily be made to generate an obfuscated PowerShell script that performs a variety of attacks, delivering the payload while evading the computer's defenses. PowerShell can do so much more to a computer system on either side. Your imagination is the only limitation.